Best Practices for Applying Threat Intelligence

Threat intelligence is one of the most talked about areas of information security today, but how do you actually use it? Learn best practices for applying threat intelligence with Recorded Future's latest white paper. Download your free copy now.

The week that was.

Information operations come to the fore in cyberspace, as authorities look for ways on countering inspiration and disinformation, whether peddled by extremists or intelligence services. In cybercrime, enterprises grapple with newly commodified forms of ransomware.

A lone wolf turns out to be a known wolf, and a member of a pack at that.

ISIS was quick to claim responsibility online for the murderous suicide bombing in Manchester this past Monday. The killer was, they say, "a soldier of the Caliphate," and his example is being held up for emulation. Apparently the bomber had been fingered to security services as dangerous, but the reports were insufficient to prompt police to interdict the attack (Times of London). Since Monday several associates of the terrorist have been taken into custody, and it appears he was operating as part of an ISIS network (Times of London).

In hearings Tuesday before the US Senate, NSA Director Rogers gave clear (if properly veiled) assurance that the US was conducting extensive cyber operations against ISIS (Washington Post).

Implications of the Manchester bombing for counterterror law and policy.

In the UK, the Manchester bombings stiffen HM Government to do something about the widespread availability of strong encryption, so the most prominent dead-enders in the backdoor side of the cryptowars now seem to be in Downing Street (Computing).

In the US, a bill introduced into the House calls for an investigation into terrorist use of Bitcoin and other cryptocurrencies (Financial Regulation News). It appears to be motivated more by a priori possibility than specific evidence (Motherboard). The House did address one aspect of information security by passing a bill that would foster IT modernization and support development of cyber standards (Inside CyberSecurity). The PATCH Act, another newly introduced bill, would, its supporters say, help avert future WannaCrys by reforming the Vulnerability Equities Process (CFO). And there appears to be renewed support for a return to marque and reprisal in cyberspace, as the House considers a "hack back law," the Active Cyber Defense Certainty Act (Graham Cluley). Observers are skeptical, and the ACDC bill was undergoing revision throughout the week (Threatpost).

How leaky are the intelligence services?

When the week began, observers were mulling the latest dump of WikiLeaks' Vault7, released on May 19th. This tranche contained an alleged CIA tool, the "Athena" implant, said to be able to infect any Windows system from XP through Windows 10 (ZDNet). This leak came on top of the ShadowBrokers' earlier release of "EternalBlue," which the Brokers said (and Microsoft publicly agreed, so this isn't just hacktivist gasconade) was a set of Equation Group tools illicitly obtained from NSA. So NSA has come in for a share of blame for WannaCry (CNBC). There were also reports of a very successful Chinese rollup of US intelligence assets in that country between 2010 and 2012 (New York Times). And, finally, the UK is said to be quite furious with the US for the way in which anonymous sources within the US Intelligence Community apparently told the press things about the Manchester bombing that, in the UK's view, would have been better left unsaid. (That's not just Prime Minister May's view, either: President Trump seems to agree.)

Doxing turns to disinformation.

The University of Toronto's Citizen Lab, investigating the doxing of a Russian journalist who's been a frequent critic of the Moscow regime, made an unsettling discovery (Wired). The journalist's emails had been tampered with, corrupted into disinformation designed to present the opposition in the worst possible light. Earlier influence operations generally associated with Russian intelligence services, notably the email hacks that affected the US Democratic National Committee and France's En Marche political movement, seem not to have altered the emails they stole. In the case of En Marche, the emails weren't particularly discreditable and had a negligible effect on the election. In the US, of course, the contents of the emails were embarrassing, doubly so as they arrived at a time of controversy over candidate Clinton's IT practices during her tenure as Secretary of State.

But in neither case were the emails thought to have been fabrications. That seems to have changed: doxing is now converging with disinformation. Citizen Lab also found that the campaign was active in nearly forty other countries, where it's prospecting sensitive and high-level targets (Ars Techica). 

Ransomware is now becoming the underworld's preferred commodity crimeware.

The stolen "EternalBlue" exploits had been used beginning May 12th to deliver "WannaCry" ransomware to a very large number of targets worldwide. WannaCry was in some respects ineptly crafted, and so its effects had already been attenuated by the time it reached North America, but it did some damage in China (home to much pirated and unpatched Windows software), Russia (ditto, Business Insider), and the UK (not pirated, but still older and unpatched, The Guardian). WannaCry infestations slowed this week, and remediations are now available, but there are signs of an attempted revival as botnets assail the domain that sinkholed the ransomware (Wired). Preliminary circumstantial attribution continues to focus on North Korea (Reuters). Symantec in particular is saying it's "highly likely" that WannaCry is a North Korean operation (Ars TechnicaCyberScoop). They cite similarities with Lazarus Group code. Pyongyang of course dismisses the accusations as "ridiculous." Symantec's attribution has come under criticism for its circumstantial nature (Chitwan Online), and for its allegedly selective reading of the circumstances (ICIT), but it still seems to be the most plausible theory out there. The North Korean regime is famously cash-strapped, and their situation has deteriorated as Chinese sanctions begin to bite harder.

The DPRK seems increasingly willing to finance itself with cybercrime. WannaCry appears to have been relatively inept ransomware, taking in a paltry $70,000, which is little enough in comparison to the scale of what amounts to a cyber pandemic. Damage to the global economy, of course, exceeds the amount paid in ransom by several orders of magnitude (NOVA). There are concerns, however, that EternalBlue and other exploits published by the ShadowBrokers are rapidly being weaponized, and that the apparent botch the extortionists made of WannaCry's payment system will serve as misdirection for other, more persistent, more serious attacks (Bleeping Computer).

Other strains of ransomware continue to circulate (Bleeping Computer). (XData is giving enterprises in Ukraine fits, and shows signs of being about to break out into Europe as a whole.) Much of it is commodity crimeware, and some observers think ransomware has now succeeded carding as the principal form of cybercrime in the wild.

SentinelOne reports a new ransomware strain, "Widia," interesting in that it looks like early-stage commodity-level crimeware. Widia asks for a credit card payment as opposed to customary Bitcoin, but it seems more scareware than crytptoransomware—it throws up a screen that says your files are encrypted, but actually they're not. SentinelOne thinks the authors will eventually add the malicious encryption they now lack.

Backdoors, bugs, RATS, and stolen exploits.

Cyphort and other security researchers report that EternalBlue, the exploits that enabled WannaCry, are now also being used to distribute a remote-access Trojan (Infosecurity Magazine). The RAT appears to be establishing persistence in networks whence it could stage future operations. Unlike WannaCry, it's not ransomware and it's not a worm; it looks like espionage.

A major bug in Samba, the widely used Linux file-sharing software, was also disclosed and patched this week. The vulnerability was seven years old, and sysadmins are urged to look closely at their enterprise for possible vulnerabilities (Computing).

A look ahead.

So here are questions for the coming week. Are authorities any closer to identifying the sources of WikiLeaks' Vault7, or to fingering the ShadowBrokers? Was China's counterespionage success against US agents (tragic success, we add, since there appear to have been some executions) due to penetration of sensitive US networks, careless US tradecraft on the ground, a mole somewhere inside the IC, or some mix of all three? WiIl signs that EternalBlue and other Equation Group exploits being used to stage further, more serious attacks than WannaCry be borne out? And, finally, the ShadowBrokers promised to make a great many more Equation Group tools available beginning in the first week of June. It's a subscription service, a kind of exploit-of-the-month club (Apps for PC Daily). Observers await developments.

 

This CyberWire look back at the Week that Was discusses events affecting Australia, China, Czech Republic, European Union, France, Democratic Peoples Republic of Korea, New Zealand, Nigeria, Philippines, Russia, Syria, United Kingdom, United States, and Vietnam.

THE CYBERWIRE
Compiled and published by the CyberWire editorial staff. Views and assertions in source articles are those of the authors, not CyberWire, Inc.