In today's podcast we hear that a Swiss chemical agent forensic lab has seen Sandworm phishing attempts. Facebook kicks thirty-one "inauthentic" accounts from its platform: they seem to have been engaged in influence operations, possibly Russian. Attribution remains difficult. NSO Group's Pegasus spyware is found in an Amnesty International phone. SamSam ransomware exacts a high cost. Yale realizes it was breached about ten years ago. Google allegedly prepares a censor-engine for Chinese web searchers. Craig Williams from Cisco's Talos unit describes his team and the work they do. Our guest is Thomas Hofmann from Flashpoint on ransomware and online extortion.
Dave Bittner: [00:00:00] Hey, everybody, just wanted to give you a quick update on some of the progress we've been making with our Patreon funding. One of our goals was to be able to provide transcripts for all of our podcasts. Beginning with last week's research Saturday show - that was the one on the BabaYaga malware - we have been publishing full transcripts. We're starting to work our way through our back catalogue to create transcripts for those shows as well, so we appreciate all of your support on Patreon. You can learn more at patreon.com/thecyberwire.
Dave Bittner: [00:00:33] Reddit has been hacked. The U.S. DOJ collars three Ukrainians alleged to be card stealers. Facebook kicks 31 inauthentic accounts from its platform. They seem to have been engaged in influence operations, possibly Russian - attribution remains difficult. NSO Group's Pegasus spyware has been found in Amnesty International phones. SamSam ransomware exacts a high cost. Yale realizes it was breached about 10 years ago. And Google allegedly prepares a censor engine for Chinese web searchers.
Dave Bittner: [00:01:12] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms, and like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out the report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at The CyberWire, and we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:12] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 1, 2018. We've got a couple of breaking stories as we publish today. First, Reddit has announced that between June 14 and 18 of this year, an attacker compromised a few employee accounts and gained access to backup data, source code and logs. Specifically, they downloaded an archived backup of all Reddit data from 2017 and before, including account credentials, email addresses and public and private messages. Also grabbed were emailed digests sent by Reddit in June 2018, as well as Reddit source code and other internal files. Reddit is working with law enforcement and is reaching out to users who may have been affected.
Dave Bittner: [00:03:02] The other breaking news story today comes from the U.S. Department of Justice, who announced the arrest and indictment of three Ukrainian nationals who are alleged to be members of the notorious cybercrime group Fin7. The DOJ claims Fin7 are responsible for attacks on over 100 U.S. organizations, stealing more than 15 million credit card records from companies like Chipotle, Chili's, Arby's, Red Robin and Jason's Deli. The Seattle cyber task force of the FBI and the U.S. Attorney's Office for the Western District of Washington led the investigation and coordinated with law enforcement agencies in Poland, Germany and Spain.
Dave Bittner: [00:03:42] Facebook has ejected 32 questionable accounts from its platform for engaging in what Facebook characterized as inauthentic behavior. There's some evidence that the accounts are connected with the Internet Research Agency, the St. Petersburg troll farm implicated in earlier influence operations. There's a degree of ambiguity in the evidence, but one interesting note is that one of the pages taken down appeared briefly but clearly to be under the control of the Internet Research Agency. This round of influence would seem to be aimed at inflaming the alt-left against the alt-right, which makes perfect sense if the goal is disruption and chaos.
Dave Bittner: [00:04:22] The inauthentic pages were up and operating between March 2017 and this past May, during which period they accumulated some 290,000 followers. A representative recent message was aimed at getting people to confront and resist fascism, with the effort organized under the slogan No Unite The Right 2 - DC. The reference is to a planned fringe alt-right event being organized for Washington. Facebook is reticent about connecting the campaign to Russia or any other nation-state, and they do note correctly that while it looks like the old familiar St. Petersburg troll farm, it could certainly be the work of copycats.
Dave Bittner: [00:05:04] Facebook CSO John Stamos (ph) put it this way in a lengthy post on the company's blog yesterday. Quote, "after we named the IRA, we expected the organization to evolve. The set of actors we see now might be the IRA with improved capabilities, or it could be a separate group. This is one of the fundamental limitations of attribution. Offensive organizations improve their techniques once they've been uncovered, and it is wishful thinking to believe that we will always be able to identify persistent actors with high confidence," end quote. Facebook has notified followers and recipients of the inauthentic messaging that they've been hoodwinked. The Atlantic Council is analyzing the incident and expects to issue a longer report soon.
Dave Bittner: [00:05:49] Amnesty International says that at least one of its people had their phone infected with NSO Group's Pegasus spyware tool. Pegasus has been used by a number of governments to monitor dissent. The University of Toronto's Citizen Lab has confirmed the infection. The targets in this case appear to be Saudi dissidents. NSO Group has long been in bad odor with privacy advocates, NGOs and people who don't want their phones surveilled. The Israeli company was involved in M&A talks last month, but its prospective partners grew skittish and withdrew.
Dave Bittner: [00:06:25] SophosLabs reported that ransomware payments to the controllers of SamSam ransomware have now amounted to $6 million. SamSam has acquired the reputation of being difficult to uproot and recover from. It's the same ransomware responsible for causing so much trouble in the city of Atlanta, which is still slogging through its recovery from the infestation it sustained on March 22. Of course, having a plan to respond to a ransomware attack and practicing that plan can make all the difference in the world. We spoke with Thomas Hofmann, vice president of intelligence at Flashpoint, who shared his perspective on how companies could respond to ransomware and extortion.
Thomas Hofmann: [00:07:06] I would really divide it into two different types of responses we've seen. We've seen responses from organizations who have heavily invested in their defenses and cybersecurity, and they have robust programs to educate their employees. They have response plans that they have tested and have prepared. So when incidents do occur, you see a much more methodical approach and response. While it still is an emergency situation, and every situation is unique, we see that the companies who have heavily invested and prepared are better able to coordinate their responses.
Thomas Hofmann: [00:07:50] On the other extreme, I think, is where, unfortunately, many organizations who do not have the budgets or do not have the resources dedicated to invest in their security and invest in their employee training, when they encounter these situations, it's a little bit more chaotic and developing response plans on the fly that can sometimes from the outside seem uncoordinated or ill-prepared. And that's something that I don't think is unique to ransomware per se but more for cybersecurity incidents in general. Those are typically the two types of responses that we see from organizations.
Dave Bittner: [00:08:30] Now, we see the common advice from both law enforcement and security folks is, don't pay the ransom; we don't want to put money into this criminal economy. From a practical point of view, is that the way it always plays out? Are there occasions where the most practical thing to do is to roll the dice and pay the ransom and see if you get your data back?
Thomas Hofmann: [00:08:52] Yeah. This is really where our new response and readiness program comes in. You're absolutely right. The U.S. government - FBI in particular - what they say is they don't recommend organizations pay ransoms. But they also acknowledge that there are situations where there are systems that are so critical that any downtime is just not something that can be tolerated. And when organizations are confronted with this type of situation, the calculus really changes with how you respond and whether you want to attempt to obtain the unlock keys through a ransom payment. We've seen organizations on both sides.
Thomas Hofmann: [00:09:40] We've worked with some organizations as we worked through a response where ultimately, they decided that paying is not the right way to go, and just going through normal recovery efforts and rebuilding systems is their preferred path. And then other organizations, the ransom demands, it's something that they have pursued in an attempt to acquire information for the unlock codes or to prevent information from being exposed.
Thomas Hofmann: [00:10:09] So it really is organizationally dependent, what systems are compromised or encrypted, and really, the individual company, how critical it is to recovering the systems in the most expedient manner possible. So this is really what makes each one of these responses very unique because there are so many different factors that go into how you want to respond and the ultimate decision to pay ransom. And this is something that we here at Flashpoint have helped many customers work through - those really tough decisions.
Dave Bittner: [00:10:47] Now, do you ever run across people who have found themselves victims of ransomware who thought they were prepared? Are there any common mistakes that folks make when they think they're better off than they are?
Thomas Hofmann: [00:10:58] Ironically, some of the organizations that do have robust programs and do have teams that are prepared, sometimes during their responses, they attempt to engage some of these actors. And if that's not something the organization has - that experience or that expertise in how you actually engage in some of these illicit communities and the proper ways, the unwritten code of conduct, if you will - that sometimes these organizations inadvertently reveal too much about the situation and tip the hands of the true impact that the organization is experiencing to those threat actors, and it can complicate a response if it's not well planned out.
Dave Bittner: [00:11:42] That's Thomas Hofmann from Flashpoint.
Dave Bittner: [00:11:46] The U.S. Department of Homeland Security this week announced a new program to share information on cyber risks between government and the private sector. U.S. Cyber Command is also interested in deepening its partnership with the private sector as its commander, General Nakasone, who also directs NSA, noted this week. And everyone is up for cooperation. Eugene Kaspersky has an op-ed in The Guardian in which he observes with some justice that, with respect to cybercrime, we are all in this together.
Dave Bittner: [00:12:17] Taking a quick look at our CyberWire event tracker. The second Billington Automotive Cybersecurity Summit is coming up this week, August 3. That's in Detroit, Mich. Coming up at Black Hat, the folks at XM Cyber would like you to meet them at Booth IC 2233. Also at Black Hat, the folks at Terbium Labs want to teach you more about your organization's data exposure on the dark web. They'll be at booth 370. Clearedjobs.net and Cybersecjobs are taking part in the CyberTexas Job Fair. That's August 14 in San Antonio, Texas. The Wombat Wisdom Conference from Wombat Security takes place September 18 through the 20th in Pittsburgh, Pa. And the (ISC)2 Security Congress of North America for 2018, that's taking place October 8 through the 10th in New Orleans, La. You can find out more about all these events by visiting our CyberWire event tracker at thecyberwire.com/events.
Dave Bittner: [00:13:15] Yale University has realized that it was subjected to a data breach in 2008 and 2009. They don't know who did it, and they think it's now impossible to find the perps. But the university is advising victims to protect their identity. Documents leaked from Google indicate that the company is working on a version of its search engine that will be tailored to meet the censorship requirements of the Chinese government by blocking problematic searches and sources. Among the sources likely to be blocked are the BBC and Wikipedia. Much ironic commentary is circulating online about what it might mean to not be evil.
Dave Bittner: [00:13:59] And now, a word from our sponsor ObserveIT. What in the world could old '80s technology have in common with insider threat management? Well, visit the ObserveIT booth at Black Hat in Vegas to find out. They're going back to the '80s to reminisce about throwback technology and show you how to take a 21st-century approach to your insider threat management strategy. Your Nintendo, floppy disks and OG Macintosh computer will all be there next to your dusty DLP solution to remind you why #ThrowbackThursday technology should stay in the past. It's time to go back to the future with ObserveIT for a more complete and modern approach to data loss prevention. Gain visibility and insights into user and file activity instead of simply locking data down with cumbersome tags, limitations and rules. And before you head out, take ObserveIT's quiz on which '80s pop culture icon best represents your insider threat management strategy. Whether you're Han Solo, Tron or Egon from "Ghostbusters," you're a pretty righteous dude. Visit observeit.com/cyberwire and take that quiz today. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:15:21] And I'm pleased to welcome to the show Craig Williams. He's the director of Talos Outreach at Cisco. Craig, welcome to the show. Excited to have you on board here. As we always do when we welcome a new partner, we want to learn more about you and the type of work that you and your Talos team are up to. So what can you share with us?
Craig Williams: [00:15:38] Thanks for having me on. You know, a lot of people are aware that Talos exists now, I think. But I don't know that everybody is aware of exactly what we do because Talos is probably one of the largest security research organizations in the world. I think right now we're right around 300 researchers. And at the end of the day, our overall mission is to protect our customers. And so in order to do that, obviously, we have a lot of specialized teams. We have a lot of, you know, different projects going on.
Craig Williams: [00:16:04] But my team, the Talos Outreach team, we look for things that the bad guys are doing that's new, right? So we look for bad guys that have found a new way to bypass security devices or a clever way to monetize some malicious act. And we try to figure out how that works. We make sure that, you know, we have detection covered. Everything's out the door. We work with the detection teams at - in Talos.
Craig Williams: [00:16:27] And then we look on, you know, well, what can we tell our users about this? You know, how can we inform the public? And so we'll do things like this podcast. We'll do things like conference talks, customer briefings. And so it's a lot of fun. And it's a really good way, I think, to help educate people and let people realize what these new threats are.
Dave Bittner: [00:16:43] And so what's the relationship between the Talos team and the broader Cisco in general?
Craig Williams: [00:16:49] That's a really good question. So Talos as a whole basically pushes all the blocking content out to all the Cisco security devices. So we work with teams like Umbrella and other security teams at Cisco. And we help make sure that not only do we have coverage in place across all the products, but we have a cohesive system to do that, right? And so literally right now at Talos, I can take a single tool, and I can type in a malicious website. And within about 2 to 5 minutes, it's going to push that out to all the different Cisco security devices and protect our users.
Dave Bittner: [00:17:19] Now, are you given a certain amount of independence?
Craig Williams: [00:17:22] Yeah. You know, I often joke that we're almost like a startup inside of Cisco because we really are given a lot of freedom and latitude to find new and innovative ways to research these threats and to figure out, you know, how they work and make sure that we have the best detection in place that's possible.
Dave Bittner: [00:17:38] Now, what about you personally? What was your journey to the position that you're in today?
Craig Williams: [00:17:42] Oh, man. That - well, it all started back in high school when I was cheating at a video game.
Dave Bittner: [00:17:46] (Laughter).
Craig Williams: [00:17:48] No, but seriously, you know, I - people think I'm joking when I tell that story. I mean, I got into computer security through trying to cheat at games like "SimCity," you know, games that I thought were fun, but I sure didn't have enough time to play them fairly. And I certainly wanted the nice, fancy building.
Craig Williams: [00:18:00] But long story short, you know, I ended up doing the traditional route through university. I was actually a contractor for Cisco. I was a contractor that started the IPS signature team for the old NetRanger IPS product, slowly but surely worked my way up in the ranks, and now, almost 15 years later, I'm the director of one of the top research teams in the country.
Dave Bittner: [00:18:20] Well, welcome. We're glad to have you join us. Craig Williams, director of Talos Outreach at Cisco. Thanks for joining us. And a quick reminder that I'll be joining Craig Williams and the rest of his team from the "Beers With Talos" podcast. We'll be doing a live show at Black Hat. That'll be on Wednesday, the 8th of August. That's a lunchtime show. Hope to see you there.
Dave Bittner: [00:18:44] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:52] Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:19] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor - Jennifer Eiben. Technical editor - Chris Russell. Executive editor - Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.