In today's podcast, we hear that LeakedSource is down, maybe for good. DoubleFlag seems to be selling bogus data on the black market. (And where, we ask, is the Ripper review? If you can't trust a criminal, who can you trust these days? Sad.) Fancy Bear is back—actually, she never really left—now snuffling at British and German networks. Saudi Arabia remains on Shamoon alert. The Dridex banking Trojan has reappeared, in an improved version. Dale Drew from Level 3 Communications shares findings on the Asia Pacific region. Vince Crisler from Dark Cubed puts Grizzly Steppe in perspective. And tech support scammers get scammed—don't try this at home.
Dave Bittner: [00:00:03:16] LeakedSource is down, maybe for good. DoubleFlag seems to be selling bogus data on the black market, and where, we ask, is the Ripper review? Fancy Bear is back - actually, she never really left - now snuffling at British and German networks. Saudi Arabia remains on Shamoon alert. The Dridex banking Trojan has reappeared in an improved version. And tech support scammers get scammed - don't try this at home.
Dave Bittner: [00:00:35:23] It's time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, check our CyberSecJobs dot com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Jobseekers can create a profile, upload their resume, and search and apply for 1000s of jobs; and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more visit CyberSecJobs dot com. We thank CyberSecJobs for sponsoring our show.
Dave Bittner: [00:01:29:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner, in Baltimore, with your CyberWire summary for Friday, January 27th, 2017.
Dave Bittner: [00:01:39:07] LeakedSource, gray market purveyors of access to stolen passwords, is down, possibly for good. Someone with the handle "LTD" claiming to be in a position to know said yesterday, on an online forum, that LeakedSource had been raided by US authorities, shut down and gone for good. The US Justice Department has primly declined to comment, but the word on the virtual street is that the Feds took them down.
Dave Bittner: [00:02:04:00] LeakedSource had specialized in finding and selling stolen credentials they've discovered in various Dark Web dumps. One of the bigger breaches whose results they scooped up involved Twitter, with 32 million accounts, Dailymotion, with 85 and a half million records, and Weebly with 43 million accounts. LeakedSource had been much criticized for their trade, people generally believed they should have quietly notified victims, as opposed to cracking passwords and making them available for anyone. But journalists and others have made more-or-less reluctant use of LeakedSource in their reporting.
Dave Bittner: [00:02:38:10] More evidence of the lack of honor among thieves emerges at week's end. DoubleFlag, the criminal group who's been selling data stolen from large Chinese ISPs, claims to have stolen data on 126 million individuals from U.S. Cellular. And, of course, they'll sell the data to you. But U.S. Cellular tells HackRead they've investigated, and DoubleFlag's wares are bogus: there's been no breach, and it's all a lot of hooey. Is DoubleFlag about to get a bad review on Ripper?
Dave Bittner: [00:03:07:11] SecureWorks reports that Fancy Bear, the Russian GRU outfit famous for compromising the U.S. Democratic Party's National Committee last spring, has been found in a British television network, un-named for legal considerations. Fancy Bear established persistence in July 2015 and wasn't detected for a year, which is interesting given Fancy Bear's relative noisiness compared to its sibling Cozy Bear. As happened with the DNC, Fancy Bear seems most interested in email, and not only business email, but also email exchanged among reporters and producers working on stories. SecureWorks believes Fancy Bear got into the network back in July of 2015, and stayed undetected for a good 12 months. Such quiet persistence is interesting because Fancy Bear has the reputation of being pretty noisy. Her cousin, Cozy Bear is the quiet one, which seems right given that they're respectively the GRU, that's Russian military intelligence, the equivalent of the U.S. DIA and NSA; and the FSB, which is the KGB's successor organization.
Dave Bittner: [00:04:09:00] German authorities are also seeing an increase in activity that looks like Fancy Bear's. This pawing at media and political targets strikes many observers as battlespace preparation for this year's round of national elections in Europe.
Dave Bittner: [00:04:22:08] Diplomatic sources in Russia's London embassy dismiss the allegations as Western nostalgia for the Cold War. ThreatConnect has devoted some attention to fleshing out the indicators of compromise by Fancy Bear that appeared in the U.S. Intelligence Community's GRIZZLY STEPPE report. ThreatConnect's observations are interesting, and a reminder of the distinction between evidence and intelligence.
Dave Bittner: [00:04:45:05] Saudi worries about Shamoon persist. Intel Security has an overview of their current research into Shamoon 2's details, and Wapack Lab reports signs that the malware is turning up in the shipping industry as well.
Dave Bittner: [00:04:58:16] The well-known banking Trojan Dridex is back, and Flashpoint says the malware now employs a new user account control bypass method. It's now trickier and more evasive. See Flashpoint's report for the details.
Dave Bittner: [00:05:11:21] And, finally, you know the Microsoft Support Scam? Not, we hasten to note, affiliated with Microsoft in any way? It's also known as the Helpdesk Scam. Someone calls you and says, over the call center boiler room background noise, that they're from Microsoft Support, and that your computer's infected with a virus, and that you should give them your password so they can fix your machine. Well, they recently called Ars Technica, which decided to play some virtual whack-a-mole with them. The caller said he was from the technical support center, and that they were going to help him speed up his computer by purging junk files that they'd detected. The Ars staffer kept the guy on the line for two hours, feigning cluelessness and recording their scam on a virtual machine.
Dave Bittner: [00:05:53:06] He wrote about it in Ars Technica in an article called: You took so much time to joke me. Read the whole thing, and in the meantime remind your trusting friends and family that no one from the technical support center is going to call them - ever.
Dave Bittner: [00:06:10:18] Time for a message from our sponsor, E8 Security. You know, all week I've been asking you a question; say it with me now. Do you fear the unknown? Lots of people do of course. The cackling skeleton, the ghost of the Red Baron, stuff like that. But we're not talking about those, we're talking about real threats - unknown unknowns lurking in your networks. The people at E8 have a white paper on hunting the unknowns with machine learning and big data analytics that go beyond the old school legacy signature matching and human watch standing. Go to E8 Security dot com slash dhr and download their free white paper: Detect Hunt Respond. It describes a fresh approach to the old problem of recognizing and containing a threat that no-one has ever seen before. But known unknowns, like the No Face Zombie or the Feline Creature, they're nothing compared to the unknown unknowns out there in the wild. See what E8's got to say about them. E8 Security dot com slash dhr and check out that white paper. We thank E8 for sponsoring our show.
Dave Bittner: [00:07:13:22] Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, your group recently put out a paper outlining some of the threats that you all are seeing from the Asia Pacific region. What can you tell us about that.
Dale Drew: [00:07:26:18] We've been trying to get a lot more focused on the cause and effect piece of threat intelligence, and so we're doing a lot more focus on particular regions and particular actors. So, as an example, we did an analysis on Asia-Pac, and tried to uncover some data to determine if Asia-Pac is acting in a way different to any other region. I'd say that we track about eight million malware victims per day in Asia-Pac, and that's versus about 28 million in the U.S. So, there's pretty much a rolling average of eight million compromised victims on a daily basis within Asia-Pac. The other interesting thing is is that China has the second most malware victims per day in Asia-Pac, and so from an infrastructure perspective, most compromises occur because of phishing attempts, right? Where a bad guy sends an email to a victim, have them click on the email, and then they become a malware victim as a result.
Dale Drew: [00:08:33:05] So it shows you not only how compromisable the infrastructure itself is, because of the lack of patching practices and things like that, but also how susceptible the end users are from still clicking on those emails that end up getting them compromised.
Dave Bittner: [00:08:48:20] What do you see in terms of rate of growth of these attacks? Is the Asia Pacific region growing faster than the rest of the world?
Dale Drew: [00:08:57:10] I would say that the Asia Pacific region is growing at a little bit of a faster rate than say the United States, which is right now the largest set of compromised machines. But, as an example, some specific regions in Asia-Pac; the Philippines as an example, that rate has doubled quarter over quarter. We largely think that's because of accessibility and use of IoT devices in the Philippines. Asia-Pac in general is growing at a fairly small rate, not as fast as the U.S. but some regions, like the Philippines, are absolutely doubling in size every quarter.
Dave Bittner: [00:09:44:01] How does this all align with populations versus available connectivity, compared to places like the United States?
Dale Drew: [00:09:52:09] It tends to be a direct correlation of population as well as density of infrastructure. We are seeing a definite change in that trend, where it used to be, predominantly, if you were hosting infrastructure; the country who was hosting the most infrastructure, was the most compromisable. And that's why the U.S. was always on the top of the charts, because data center environment; you know, critical infrastructure like DNS infrastructure and hosting providers, being at the top of that list in the U.S., that trend is changing. Now it's turning into end users who are operating things like IoT, and the ability for those end users to click on phishing email. And so we're seeing a lot more compromisable systems, based not on where business hosted infrastructure is, but where the consumers are.
Dale Drew: [00:10:45:22] And so that's why you're seeing these enormous explosion in trends in these other countries like Brazil, Taiwan, China and the Philippines, because the end users are discovering that by compromising those IoT devices, whether they're routers or cameras, they can compromise many more devices and have a much larger impact on being able to use those devices for malicious purposes.
Dave Bittner: [00:11:13:24] Dale Drew, thanks for joining us.
Dave Bittner: [00:11:20:20] Time for a message from our sponsor, Netsparker. Web applications can have a lot of vulnerabilities, you know that - you're listening to this podcast. And of course every enterprise wants to protect its websites. But if you have a security team you know how easy it is for them to waste time culling out false positives. You need to check out Netsparker. Their technology not only automatically finds vulnerabilities in web applications, but it automatically exploits them too, and even presents a proof of exploit. Netsparker Cloud scales easily. You can use it to automatically scan thousands of websites in just a few hours. Learn more at Netsparker dot com, but don't take their word for it, go to Netsparker dot com slash cyberwire for a free 30 day, fully functional trial of Netsparker Desktop or Cloud. Scan your websites with Netsparker for a month, no strings attached. We thank Netsparker for sponsoring our show.
Dave Bittner: [00:12:22:17] My guest today is Vince Crisler. He is CEO of Dark Cubed, a start-up cyber security company looking to make their mark with an easily deployed cost-conscious cyber security platform. Mr Crisler also served as Director of Information Assurance for the White House's Executive Office of the President and was responsible for the creation of the first ever cyber security operation center to protect White House networks. We began our conversation talking about the U.S. DHS's GRIZZLY STEPPE report, attributing compromises to Russian threat activity.
Vince Crisler: [00:12:53:24] What really interested me was looking at the IT's that were released, and there were about 876 of them in that document, and to see what we could learn from the information that was released about the threat actors and about the infrastructure that they were using. The first step was looking at that analysis was just what sort of infrastructure are those IP addresses related to? And that was a quick and simple execute and reverse DNS look-up on all those IP's, and then parch that out onto a graph analysis where we're able to look at the top level domain: dot com, dot net, dot eu. Looking down at the domain, and then looking down at the sub-domains, and relating those all together. TOR exit nodes sorts of information, which caused me to jump very quickly into looking at the DAN TOR Nodes UK lists, and doing a mash-up to see how many of those IP's actually were showing up as TOR nodes, which ended up being right around 25%; as I reported and as other people have reported.
Vince Crisler: [00:13:32:22] We were able to see there the influence of some of the on-line hosting providers, and also in a lot of those reverse DNS entries, I started to see a lot of TOR exit nodes sorts of information, which caused me to jump very quickly into looking at the DAN TOR Nodes UK lists, and doing a mash-up to see how many of those IP's actually were showing up as TOR nodes, which ended up being right around 25%; as I reported and as other people have reported.
Dave Bittner: [00:14:01:12] What's the insight to be gained from that percentage of TOR nodes?
Vince Crisler: [00:14:05:06] I think there are a couple of really important takeaways for me in that high level analysis, and that is: in 2017, there's a lot of really cheap, easy to use virtualized infrastructure out there. Services like Scaleway and Digital Ocean will let people send up a server within minutes, and they can attack targets at will. And then they can take that infrastructure down, and then the next day somebody else is using that IP for something completely legitimate. So the key concern for me is, we've had a big focus over the last five years or so on information sharing within our community. Time matters now. So this IP address was known to be bad during these couple of minutes, but before or after that it doesn't matter anymore. Unless we figure out how to solve that problem we end up with this problem, and these cyber indicators that I'm calling noise.
Vince Crisler: [00:14:52:01] We saw it with the Vermont power utility where, when you search for those indicators on your system you gets hits, and you're like, "Oh no, we've been hit by the Russians." And then you actually look back through, and you say "No, this was actually something different." And so how do we get that noise out of the system? I'm really passionate about this noise issue because everybody assumes that companies around the world have analysts sitting at a table that are looking at these shared indicators that are saying, "Okay, this is good, this is bad." But the reality is, only the largest of the large companies have teams of analysts that can do that work and can manage to do those false positives. Everybody else is kind of left at the mercy of trying to trust that data, and when they can't trust that data it actually causes more harm than good.
Dave Bittner: [00:15:33:14] Do you think there's an issue with chasing shiny objects, you know, as opposed to basic blocking and tackling?
Vince Crisler: [00:15:41:05] Absolutely. Again, just like there are a lot of products out there that are focused on really hard problems, that do a great job - I'm not disparaging these problems because they do a great job of addressing very sophisticated threats. This creates the shiny object problem, where it's: you need to do these five things, you need to do these ten things, you need to do these 15 or 20 security controls. But the problem with boiling down cyber security risk into the top five, top ten, top 20 is, every company is different, and if you just say these top 20 things are the most important to focus on, and you're going to manage 80% of your risk, the adversaries are just going to move to something else, and the companies will spend all their time, money and energy kind of solving a risk when the adversary just moves around them.
Vince Crisler: [00:16:34:16] This isn't about just putting a technology control in place; this is about managing risk to a company, and that's not necessary a core IT function. Us IT folks are good at solving problems with technology, but we also create other problems and we miss things.
Dave Bittner: [00:16:50:15] I'm going to switch gears a little bit; I'm curious about your experience in the White House.
Vince Crisler: [00:16:55:13] It was quite an interesting experience. I got there in probably September of 07, and I was there through March of 09, so it's a little over eight years ago that I started. I got to go through an amazing but traumatic experience called Presidential Transition, which a lot of folks are going through right now. There are so many things that happen behind the scenes that people don't realize, and this is the largest peaceful transfer of power in the world, and it's a pretty phenomenal event to watch. But from a technology perspective, if you think about every IT system that's at the White House; whether it is the system that's storing the President's diary, to email, to file stores - and everything is subject to records requirements under the Federal Records Act or Presidential Records Act - and for those things that are subject to the Presidential Records Act, which are all political appointees information, that has to be off the network by the time the Inauguration happens.
Dave Bittner: [00:17:58:23] Were you blazing a trail there?
Vince Crisler: [00:18:04:01] Yeah, and I think what's really fascinating to me about Presidential transitions, and the last couple; when we think about eight year time caps, if you think about the technology advancements that happen in eight years. So when President Bush took over from President Clinton, there was Lotus Notes in place and there was limited mobile capability. Then you fast forward eight years and everybody's on Blackberries, and you're talking web apps and all of the advancement that happened in just eight years. To see that change that happens in those eight year increments is incredible. The stuff that the folks for the Obama Administration are dealing with now, with social media engagement and all of the other online applications and data stores that have to be archived and backed up, because it's a part of our American history story, it's just incredible to see that speed of change and technology that happens.
Dave Bittner: [00:18:56:06] That's Vince Crisler from Dark Cubed.
Dave Bittner: [00:19:03:19] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit The CyberWire dot com. Thanks to all of our sponsors who make the CyberWire possible, especially our sustaining sponsor, Cylance. Find out how they can help protect your network at Cylance dot com. And a reminder that if you just can't get enough cyber security news here, I do a regular security segment on the Grumpy Old Geeks podcast. Word to the wise, the Grumpy Old Geeks is not a family show, there is salty language, but you may very well consider that a feature, not a bug.
Dave Bittner: [00:19:33:24] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our Social media editor is Jennifer Eiben, our technical editor is Chris Russell, and our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening. Have a great weekend everybody.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
CyberSecJobs is a veteran-owned career site and job fair company for information security professionals and students. To support the information security community CyberSecJobs manages hiring events, provides resume reviews, or offers other career services at CyberTexas, many BSides events, Women in Cybersecurity, CyberMaryland and more. Learn more at cybersecjobs.com.
DETECT. HUNT. RESPOND. Your data + security analytics will help you prevent your next security incident. Find out how. E8 Security.
The false positive free web application security scanner. Simply point it at your website and it automatically discovers flaws that leave you dangerously exposed. Learn more at netsparker.com