CyberWire Daily - Zealot and Monero mining. Bitfinex DDoS. Triton/Trisis shows risks of committing safety and control to the same systems. Bitcoin crime. M&A news. Hair of the dog.
Episode Date: December 18, 2017
In today's podcast, we hear how the Zealot campaign uses ShadowBrokers' exploits to install a Monero miner on victim systems. Bitfinex suffers another DDoS attack as Bitcoin valuations remain high. Triton attack on industrial safety systems shows the risk of mixing control with safety. Exposed database of California voters investigated. Thales will buy Gemalto. Johannes Ullrich from SANS and the Internet Storm Center podcast, on scammers profiteering from natural disasters. And suffering from social media hangover? Try a little hair of the dog that bit you (say social media vendors).
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Zealot uses Shadow Brokers' exploits to install a Monero miner on victim systems. Bitfinex suffers another DDoS attack as Bitcoin valuations remain high. The Triton attack on industrial safety systems shows the risk of mixing control with safety. An exposed database of California voters is investigated. Thales will buy Gemalto. And are you suffering from a social media hangover? Try a little hair of the dog that bit you.

I'm Dave Bittner with your CyberWire summary for Monday, December 18, 2017.
Researchers at F5 Networks report a Monero mining campaign, Zealot, which is exploiting the same Apache Struts vulnerability disclosed in March that was subsequently used to breach Equifax. It's also deploying EternalBlue and EternalSynergy exploits the Shadow Brokers leaked earlier this year, saying they were taken from NSA. According to F5's research blog, Zealot exploits not only the Apache Struts vulnerability, but also the DotNetNuke vulnerability disclosed back in June. The name Zealot comes from the zip file that holds the Python scripts expressing the Shadow Brokers' exploits, which is itself named after a character in the StarCraft game.

Zealot seems to be a multi-stage attack used in campaigns against both Windows and Linux systems. F5 calls the payload highly obfuscated and a sophisticated multi-staged attack with lateral movement capabilities. Unlike other campaigns that use tools the Shadow Brokers claim to have stolen from NSA, like NotPetya and WannaCry, Zealot is unusual in that it propagates within a network. It delivers its payload on internal networks through web application vulnerabilities. F5 doesn't offer an attribution, but they do say the sophistication they're seeing indicates that Zealot is being run by threat actors who are far more capable than the common run of bot herders. The point of the whole effort appears to be installation of mule malware that mines Monero cryptocurrency, much prized by criminals for its high degree of anonymity.

What should you do about it? Patch the vulnerabilities being exploited. There are fixes available for all of them.
Alternative currencies continue to receive other criminal attention. Cryptocurrency exchange Bitfinex sustained another large distributed denial-of-service campaign yesterday, piling on top of the one it suffered last Tuesday. Customers are unhappy that their ability to trade cryptocurrency is impeded, but the good news, such as it is, seems to be that at least their wallets aren't being emptied.

The Lazarus Group, widely regarded as a threat actor controlled by the North Korean state, is continuing its pursuit of Bitcoin theft and fraud as a way of redressing the heavily sanctioned country's financial shortfalls. Some researchers report signs of a similar increase in Russian criminals' interest in the cryptocurrency. The alternative currency appears to be attractive in part because of the opportunities it presents for money laundering.

Trading of Bitcoin futures on the CME, the largest futures exchange in the world, opened with Bitcoin priced at $20,650. By midday today, there'd been a sell-off with Bitcoin trading at above $18,500. Most observers seem to think the fall-off represents a temporary blip, certainly not a trend that will probably send criminals in pursuit of other bigger game.
Security experts continue to mull the significance of the Triton hack, also called Trisis, that hit a Middle Eastern energy sector industrial plant last week. The attack is generally seen as particularly disturbing in that it was designed to manipulate industrial safety systems. Control Global's Unfettered blog has a number of interesting points to make. First, there are some noteworthy similarities to Stuxnet in apparent goals and approach, not in code or attribution to any particular threat actor. Yet Stuxnet happened seven years ago, and Triton still came as a surprise to many. Second, according to industrial control system security expert Joe Weiss, who blogs at Control Global, commingling control and safety systems results in a loss of safety. The plant Triton attacked escaped catastrophic damage because it was saved by its, quote, hardwired analog safety systems, end quote.

Weiss offered this as a lesson learned from the Triton attack, quote, there are control system suppliers that provide integrated control and safety systems with no guidance to the end users about the mixing of control and safety. There should be no sharing of sensors, actuators, and/or HMIs by safety and non-safety systems, or you have effectively lost safety. End quote.
A database of the MongoDB variety of California voters was found exposed online and compromised by attackers late last week. The data appears to have been compiled by some third party, not the state of California, which says the state's systems and data are secure. California is investigating.
After turning down an offer from Atos last week, Gemalto has agreed to be acquired by Thales for a reported sum of nearly $4.5 billion, with a B. Thales will roll its own recently reorganized digital business into Gemalto, with that combined business keeping the Gemalto name. The acquisition is said by the Financial Times to create a top three digital security player. The purchase is expected to close in the second half of 2018.
And finally, do you find yourself just passively consuming social media content? Click, scroll, scroll, scroll, click, click, click, like that? There's research out from several sources, including the University of California, San Diego, and Yale, that suggests social media may impair mental health. It seems that Facebook and so forth can lead to, as the Times of London puts it, depression, low self-esteem, and feelings of isolation, particularly among the young. Thus, your tween child seems a dull dog. And why? Because the kid down the block is Facebooking away from Disney World, while your child is still stuck in Rosada or Nutley or Overland Park or Smethwick or wherever. And so your child might suffer low moods.

Facebook has begun to engage with this research. The company's director of research commented, quote, in general, when people spend a lot of time passively consuming information, reading but not interacting with people, they report feeling worse afterward. End quote. But there's hope. Sure, maybe just reading Facebook may impair mental health, but you don't have to just read. That's for chumps anyway. You should post and talk more on, wait for it, Facebook. So maybe take a little of the hair of the dog that bit you, friends.
And I'm pleased to be joined once again by Johannes Ullrich. He's from the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, welcome back.
You know, when we have natural disasters here in the United States, FEMA comes in, and they provide important assistance, but sometimes the bad guys take advantage of that help.
Yes, and this is something that sort of came to my attention living in Jacksonville, Florida, which was affected by some of these recent storms. And apparently what's happening is there is all this information out there from various data breaches, whether it's Equifax or others, that essentially include your name, your address, your social security number, your phone number, and basically identifying information like this. Turns out, that's all you need to file a claim with FEMA. So in the past, what we have seen, for example, after natural disasters is simple donation scams where someone set up a website claiming to be a charity asking for donations. But we don't really see that as much anymore. I think people got a little bit wiser about this and less likely to fall for it. Also, law enforcement got pretty active in trying to shut down these sites.

On the other hand, we have this flood of personal information that the bad guys now are trying to monetize. In the past, they have filed fake tax returns, for example. But what's new now is these FEMA claims. Essentially, FEMA, the way it works is it's a little bit of an honor system here. FEMA tries to get the money to the individuals as quickly as possible. So quite often when you file a claim, you get the money before FEMA really has a chance to look at all the details. They give you the money and then follow up with you later whether or not this was fraudulent. And that's, of course, a real problem if someone files a claim on your behalf using your personal information without you ever being affected and filing a claim. Now this claim becomes fraudulent, and you're the victim twice here. First of all, your personal information was stolen, but now you also have to prove that you didn't file that claim.
And I suppose if the bad folks file a claim on your behalf before you do, and then you go to file a legitimate complaint, that'll get in the way of you getting the money that you really need.
Correct. And that, for example, has happened with tax returns, where you file your tax return and the IRS tells you, hey, you already filed one. So you can't file two. That's a simple check they can do. And similar things, of course, are going to happen with FEMA, where your legitimate claim is being held up because of the fraudulent claim. Also, of course, FEMA, on the other hand, has to be more careful now. And I believe in particular in Puerto Rico, for example, that has caused delays in processing of claims because some of the information, the address or so, wasn't quite correct with what FEMA had because they're trying now to be more careful. But that's the real difficult balance they have to find. How quickly are they going to hand the money to people that really need it? And how careful are they going to be in actually checking these claims when they're submitted?
Yeah, it's a real shame taking advantage of people when they're at their worst and when they need help the most.
Yeah.
All right, Johannes Ullrich, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.