CyberWire Daily - WikiLeaks and the ShadowBrokers are both back. Catphishing the French elections. Pyongyang's Bitcoin miners. Malware notes, industry news, and a rundown of the Pwnie Awards.
Episode Date: July 28, 2017. In today's podcast, we learn that WikiLeaks has dumped Vault 7 documents attributed to the CIA. Russian catphish are said to have nibbled at French President Macron's campaign. North Korea mines ...Bitcoin. Malware warnings include a banking Trojan and two malicious Android apps. NotPetya's effect on TNT is said to have hit small businesses hard. MedSec has no regrets, and says it would short St. Jude again. The Pwnie Awards have been given at Black Hat. Justin Harvey from Accenture on recent waves of auto-propagating malware. Edna Conway from Cisco on third party risks. And the ShadowBrokers are back.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In today's podcast, WikiLeaks dumps Vault 7 documents attributed to the CIA. Russian catphish are said to have nibbled at French President Macron's campaign. North Korea mines Bitcoin.
Malware warnings include a banking trojan and two malicious Android apps.
NotPetya's effect on TNT is said to have hit small businesses hard.
MedSec has no regrets and said it would short St. Jude again.
The Pwnie Awards have been given at Black Hat.
Cisco's Edna Conway guides us through third-party risk.
And the shadow brokers are back.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, July 28, 2017.
WikiLeaks dumped another round of alleged CIA hacking documents from Vault 7 late yesterday. They describe three tools: Achilles, which backdoors Mac OS X disk images; SeaPea, a stealthy Mac OS rootkit; and Aeris, a Linux implant. WikiLeaks says the tools are associated with an agency project called Imperial.
We heard yesterday about Mia Ash, a catfish used by Iranian intelligence and security services to socially engineer targets in the oil and gas industry.
Today, there are reports of other fictitious persona used in espionage.
Investigators say that Russian intelligence services sought to spy on French elections by posing as Facebook friends of successful presidential candidate Emmanuel Macron. Facebook, which has briefed U.S. congressional investigators, says it noticed about two dozen bogus identities posing as friends of friends of Emmanuel Macron.
The goal was intelligence development. The agency believed responsible was Russia's GRU,
also known as Fancy Bear. Russia has consistently denied attempting to influence the French elections.
North Korea is reported to have undertaken a large-scale Bitcoin mining operation.
This is consistent with the DPRK's exploitation of the Internet
for whatever financial gain it offers.
In this case, at least, Bitcoin mining is no crime,
but Pyongyang has been connected to online crime in the past, most prominently through the Lazarus Group.
In malware news, Flashpoint warns that Necurs is now delivering the TrickBot banking trojan.
And Sophos warns of two SMS-stealing malicious apps in the Play Store.
Both are by New.App.
One represents itself as an App Store shortcut, the other as Skincare Magazine. As always, choose your apps with care.
NotPetya continues to have a ripple effect on business. Small enterprises are said to be particularly affected by service disruptions the campaign inflicted on FedEx subsidiary TNT.
In industry news, PerimeterX raised $23 million in a Series B round, and Raytheon says not to expect a Forcepoint initial public offering. Raytheon asserts that it's in the cybersecurity business for the long haul and has no intention of moving on from Forcepoint.
More calls for special prosecutors are heard in the U.S.,
this time from the Republican side of Congress,
asking for investigation of security breaches by the FBI
and former Secretary of State Clinton.
Now we'll take a quick look back at the week in Vegas,
where Black Hat, DEF CON, and B-Sides all convened,
giving the cyber shivers even to the hard-boiled denizens of Sin City.
At the conference, MedSec CEO Justine Bone spoke and was unrepentant in her advocacy of vulnerability research-driven stock shorting
as a legitimate business model for security companies.
Bone's company was involved in shorting St. Jude medical stock when MedSec gained knowledge of an undisclosed vulnerability in St. Jude products.
The incident was controversial at the time.
Many thought MedSec was ghoulishly trifling with people's health.
Bone sees it as a legitimate short and says she'd do it again.
The Pwnie Awards were passed out at Black Hat, recognizing the good, the bad, and the ugly.
Here's a quick rundown of some of the major honors.
Best server-side bug went to the Equation Group, honored for CVE-2017-0143, 0144, and 0145.
The best client-side bug went to the independent parallel discoverers of CVE-2017-0199, which was a Microsoft OLE exploit.
The best privilege escalation bug went to the many who worked on Drammer, the Rowhammer attack on mobile platforms.
Best cryptographic attack went to researchers at Google and CWI for breaking SHA-1.
The best backdoor, the envelope please, and the Pwnie went to M.E.Doc, the Ukrainian accounting software at the bottom of NotPetya.
For best branding, Atlassian took the honors for branding, and in the opinion of the judges over-hyping, the GhostButt vulnerability.
The award for most epic fail was a squeaker, but the honors finally went to Australia's Prime Minister Malcolm Turnbull, who's picked up the fallen backdoor dead-end banner from former U.S. FBI Director Comey. When asked whether the laws of mathematics would make proposed crypto restrictions unfeasible, Prime Minister Turnbull is said to have replied, "Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia."
Mr. Turnbull nosed out The Intercept, nominated for the way they inadvertently exposed a source, NSA leaker Reality Winner.
Brutal Kangaroo was unavailable for comment, mates.
Epic Ownage was a shared award, going to both WannaCry, tentatively credited as North Korea,
and The Shadow Brokers, unambiguously credited as Russia. Straight up Russia.
The Shadow Brokers resurfaced yesterday, as if on cue, saying that they'd sent their exploits of the month to subscribers and that they were raising their prices. Membership in their club will now set you back 500 ZEC in the Zcash cryptocurrency the Shadow Brokers prefer, which comes to about $88,400 in U.S. greenbacks.
Details of what they're releasing as we speak are not yet public, being known to the Shadow Brokers and whatever subscribers or hostile attackers the Shadow Brokers may have attracted.
The brokers might have raised their prices,
but they haven't budged from their stylish diction,
although we do detect a trace of Borat in this week's communique.
Hello, the peoples!
July is being good month for the shadow brokers' monthly data dump service.
Make great benefit to the shadow brokers, they say.
They go on, solicitous as always of their customers.
If you making subscription payment in July, do not be worrying.
TSB got your payment.
TSB no longer sending confirmation emails.
If you not yet making subscription payment is still being days left in July, do not be missing out.
So hop to it, peoples.
Or don't.
Joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Justin, welcome back.
You know, we've had these recent WannaCry attacks and the Petya/NotPetya attack,
and one of the components of these is this notion of auto-propagating malware.
Bring us up to date here.
Is this something new, or has this been around for a while?
It's been around for a while.
The auto-propagation aspects of these new versions of malware are really taking advantage of organizations because they're just simply not equipped to handle
something that spreads like wildfire. For the last decade, I feel like companies have been focusing on preventing intellectual property theft and preventing data leaving.
And with targeted attacks and adversaries, they're going from machine to machine to machine in a straight line.
and ransomware are taking advantage of some of the latest vulnerabilities that have been released through shadow brokers and shotgunning or scanning multiple networks and then utilizing
credentials and or these vulnerabilities to tree out through organizations.
I find that companies are really ill-equipped to prevent that because they have
a soft inside. They build up these really high walls. They put in the necessary preventative
controls to stop the majority of attacks. But when these attacks are actually getting a foothold,
they are causing a lot of damage because networks are not being segmented. There's not a
lot of preventative controls that would normally be found in the perimeter that are being used
inside the enterprise. So with this sort of serving as a wake-up call, what kind of recommendations
do you have for people to better protect themselves against it? Well, I think it falls into a few areas.
The first is to adopt proactive preventative controls within the enterprise.
This could be a controversial statement, but I believe in more network segmentation,
even across what we would call client networks.
So you plug in your laptop into the company Wi-Fi, or you plug it into the
wall through an Ethernet. To date, companies have said, we need networks to talk to each other to
utilize file sharing, things like that inside the enterprise. But what we're also seeing is that
these latest versions of ransomware and destructive malware are taking advantage of that same sort of features and functionality
for productivity. Unfortunately, I think that companies need to start adopting more firewalling
and intrusion detection and prevention between these client networks. Another couple areas that
companies can do, keeping up with the latest threats as they're going across social media. So using what
we in the industry call open source threat intelligence. So when these start to hit the
wire, you know about it faster than everyone else. And those precious hours could really
catapult or help better prepare your enterprise. And the last thing that I would want to mention is we are spending more time with our clients
instead of doing incident response planning, creating incident response plans,
we've pivoted to creating crisis management plans.
So in the event of a cyber attack, what can these organizations do quicker
and more efficiently when there's a large cyber attack?
So can they shut down their networks faster?
Can they get the word out to their employees not to connect them to the network?
Do they have out-of-band communication because voice over IP is down and so on?
All right. Good advice as always.
Justin Harvey, thanks for joining us.
My guest today is Edna Conway.
She's the Chief Security Officer of the Global Value Chain at Cisco.
She joins us to share her thoughts on
third-party risk, effective ways to approach and handle it, and what the security community needs
to do in the future to do a better job of protecting ourselves and our customers.
For me, I think what we focus on as the critical third-party security risks are thinking comprehensively. So think about physical security,
logical or operational security, Dave, and then security technology. And if you start to think
comprehensively, it gets you to a great place. And that great place says, I need to worry about
three or four fundamental risks or threats. I need to worry about tainted solutions or services,
counterfeit solutions or services. The misuse of intellectual property could also cause harm.
And then finally, I need to worry about the information security breach that may occur
at that third party's site or technology that may have an impact on me.
So all of a sudden, you can start to parse it down these four paths.
Is it accurate to say that for a lot of people when it comes to third party risk, it's that
a big part of it is the fear of the unknown unknown?
You know, they don't have control necessarily of what's going on with those third parties.
I think it's a great observation.
I think the first step, to be honest with you, is the first unknown is figure out who the key players are in your third party ecosystem and understand what they deliver.
Are you going to know to the nth degree?
Probably not.
But starting with an understanding of who the key players are is the first step.
So I think once you figure out who you're playing with in your sandbox and who that we is,
the next step really is to develop what I like to call a flexible security architecture.
What you can do is really start to then identify what your key areas of concern are.
We've identified what I call 11 domains of security.
And not everything actually applies to everyone.
But as you begin to think about your domain areas
and connect them with the third-party ecosystem
and what they do for you,
all of a sudden what becomes apparent
is certain things apply to certain third parties, depending on the nature of the product or service that they afford to you,
how they interact with you. So that architecture really becomes the foundation of getting your
arms around that ecosystem and understanding more deeply what's going on, but doing it in
an operationally efficient way.
As you look towards the future, look towards the horizon, what kinds of things do you think have to change in order for people to do a better job with this?
I think we need to converge on a couple of international standards, to be quite frank.
We're still seeing a proliferation of standards, Dave, that in all
honesty, sometimes are very thinly veiled trade barriers cloaked under the title of security.
But the reality is we are going to be and we are well on our way to being one connected world.
We've seen that recently with just with WannaCry and NotPetya. The reality of that
means how can we narrow down to a feasible set of items in a standard that the world adheres to
and try and lift off some of the geographic variation to the optimum extent possible
so that we can align in a better way. So that's a public
private partnership challenge, number one. Number two, some of the things that we can do are just
basic, right? I mean, the future is going to be that ransomware is going to continue to proliferate.
I think that's pretty clear to us. Remember, we have different types of threat actors, right? And those who are
motivated economically are going to continue to target those from whom they can maximize their
economic return. So understanding that you are under attack at all times and making sure you
don't have weak backup practices, that you are not updating readily.
And more importantly, understanding that you need one unified, simplified architecture
so that you don't have some of the problems with what is often referred to as best of breed in multiple vendors.
Sometimes simplification actually equals a higher degree of fidelity,
right? So those are the three areas that I would say I would look to for the future in terms of
that question that you asked. But mostly, I think I want to finish with one last thought, Dave.
Yeah. Automation. So where we can automate, and you and I were chatting before we began about the wonders of artificial intelligence and its ramifications on our security and mankind in general, right?
The reality of automation is it can catch certain things to the extent we can begin to add the human factor into the way in which we approach security, which is new.
Add the human element.
Expand on that. All of this technology and all of our security efforts exist to serve us because
these devices and this communication is human communication. I think that will be a new way
for us to embed the human factor into secure development life cycles. We have plenty of international standards and SDL models out there.
I'm not sure we've really embraced the human element yet, sitting side by side with automation.
Our thanks to Edna Conway for joining us.
She's the Chief Security Officer of the Global Value Chain at Cisco.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.