podcast

The CyberWire Daily Podcast

Jason, an Iranian brute-forcing tool, has been leaked. A third-party breach affects customer and patient data held by Quest Diagnostics. Eurofins Scientific is recovering from a ransomware attack. A look at Baltimore City’s ransomware infestation shows no signs of EternalBlue, security firm Armor says. Instead, it looks like “vanilla ransomware.” And the prospect of antitrust investigations drives down Big Tech stock prices, tipping the Nasdaq into a correction. Emily Wilson from Terbium Labs on dark web fraud guide pricing. Guest is Jordan Blake from BehavioSec on digital transformations.

Transcript

Dave Bittner: [00:00:03] An Iranian brute-forcing tool called Jason has been leaked. A third-party breach affects customer and patient data held by Quest Diagnostics. Eurofins Scientific is recovering from a ransomware attack. A look at Baltimore City's ransomware infestation shows no signs of EternalBlue, security firm Armor says. And the prospect of antitrust investigations drives down big tech stock prices, tipping the Nasdaq into a correction.

Dave Bittner: [00:00:36] It's time to take a moment to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:43] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 6 (ph), 2019.

Dave Bittner: [00:02:07] You will recall, perhaps, Lab Dookhtegan, an individual or group that presents itself as connected to Iranian cyber operators. That connection is as a dissident, evidently, because Lab Dookhtegan has specialized in leaking what it says are Tehran's hacking kit.

Dave Bittner: [00:02:24] And in another apparent leak this week, Jason, software designed to hijack Microsoft Exchange email accounts, has been dumped online. Minerva Labs has taken a look at Jason, and its conclusion is that the tool is a straightforward brute-forcing appliance designed to derive and check passwords for Exchange accounts. Jason is associated with OilRig, also known as APT34 or HelixKitten, generally attributed to Iran's Ministry of Intelligence and Security. Lab Dookhtegan began releasing Iranian attack tools in March.

Dave Bittner: [00:03:00] By BleepingComputer’s count, to date, the Iranian tools that have been leaked online include two PowerShell-based back doors - those would be known as Poison Frog and Glimpse, which security firm Palo Alto Networks calls versions of BondUpdater - four different web shells - HyperShell and HighShell, Fox Panel and Webmask, this last one a DNSpionage tool Cisco Talos analyzed - and now Jason.

Dave Bittner: [00:03:29] There's been a major data breach affecting a U.S. healthcare firm. In this case, it's a third-party problem. In an 8-K filed this week with the U.S. Securities and Exchange Commission, the large medical testing firm Quest Diagnostics disclosed that American Medical Collection Agency, AMCA, a third-party collection services firm, noted Quest that AMCA had detected unauthorized activity in its network. The breach is a large one. As reported by TechCrunch and others, the breach appears to have affected nearly 12 million people. The unauthorized user took personal data, medical information and credit card numbers from AMCA, which believes the intruder was active between August 1 of last year until this past Friday. AMCA said it was notified of the possibility of a breach by a credit card company, and upon investigation concluded that someone had indeed been in its network.

Dave Bittner: [00:04:25] As more of the things we do in our day-to-day lives shift online - from shopping to social media, and even things like visits with our doctors and other medical professionals - the organizations that handle those services need to manage that demand and the security implications that may come with it. Jordan Blake is from authentication company BehavioSec, and he advocates organizations creating a position of digital transition (ph) architect to help manage the ongoing evolution.

Jordan Blake: [00:04:54] I think the idea is that companies are already undergoing digital transformations. These are companies who've been around for a long time, and they've been focused on, you know, whatever it is they do. Retailers, banks, companies who bottle beverages - you name it - everyone is recognizing that to be successful and to compete in 2019 and beyond, they need to be transforming digitally. And what that means is they need to be focused on bringing digital experiences to their business to better deliver a good customer experience, utilizing technologies like big data analytics, mobile technology.

Dave Bittner: [00:05:39] How does this play out in the real world? Are we talking about enhancing an online experience with people's interaction with a company, or does it extend beyond that?

Jordan Blake: [00:05:47] It extends beyond that. Those are some of the most obvious ways that companies want to transform. So you know, if you're a grocer, for example, it's not enough just to put food on the shelf anymore. But you have to look at the expectations of your consumers. So you know, there are digital experiences, mobile-first experiences that are expected for consumers.

Jordan Blake: [00:06:12] But it goes beyond that. You would look at your supply chain and how you're ordering and how you're making decisions about what should be ordered and how the products get to you and how those products get to the consumer.

Dave Bittner: [00:06:25] This notion of having a digital transformation architect - describe to me what you're getting at with that.

Jordan Blake: [00:06:30] The digital transformation architect makes sure that, you know, the overarching transformation strategy and execution of it is not tripped up by unexpected security compliance and other risk factors. The idea is that the digital transformation architect is a central overseer who's able to kind of objectively weigh the opinions of various stakeholders in the business - so we're talking about CISOs and CIOs, CEOs, marketers, developers - and just generally aligning leadership across the organization so that they can partake in these digital transformation activities.

Dave Bittner: [00:07:17] And if I'm looking to integrate someone like that into my organization, what level should they sit at?

Jordan Blake: [00:07:24] Typically, what we've seen is that to be successful, they are reporting into the C-suite, in some cases, the CEO or the CIO or the CISO. But they are at sort of a fairly high level because, really, the goal here is to digitally transform as a business, not to transform a particular stovepipe within.

Dave Bittner: [00:07:50] And so what are some of the security implications of this?

Jordan Blake: [00:07:53] Well, that's a good question. The security implications are numerous. You can imagine an organization that is used to dealing with, you know, physical customers, where they kind of meet them face-to-face and transact, that is now moving into the digital realm needs to make sure that they can trust that people on the other side of the connection are who they expect them to be.

Jordan Blake: [00:08:19] Then we get into sort of this questions of authentication and how you deliver a great customer experience at the same time that you're trying to make sure that people are who they say they are and you're not going to fall - become victim to fraud.

Dave Bittner: [00:08:34] What are your recommendations? If someone wants to proceed with this sort of thing, what's the best way within their organization to get in there and sell it?

Jordan Blake: [00:08:42] The first thing you need to do is recognize that it's really about culture, and it's not about, you know, the particular technologies. You need to have meetings. You need to educate those internally what this is about, that the transformation is not about a particular technology, but it's about ensuring that the company or organization - could be a government, for that matter - it is set up to succeed going forward. And in order to do that, people need to be brought in. They need to be made part of the effort. Everyone needs to own digital transformation in their specific context.

Dave Bittner: [00:09:23] That's Jordan Blake from BehavioSec.

Dave Bittner: [00:09:27] Eurofins Scientific, a Luxembourg-based provider of food, environmental and pharmaceutical testing, disclosed yesterday that it sustained a ransomware attack over the weekend. The infection has impeded some IT operations but appears to have been contained. So while the story is still young, it appears that Eurofins may have been better prepared than other recent ransomware victims, like, for example, the city of Baltimore.

Dave Bittner: [00:09:52] It seems increasingly unlikely that EternalBlue was involved in the ransomware attack on Baltimore. Researchers at the security firm Armor obtained attack code samples and found no signs of EternalBlue or other propagation mechanisms in what they told Krebs on Security was pretty much vanilla ransomware. The strain, as we've noted, is RobbinHood, and no serious observer thought that RobbinHood was in any way related to NSA. It remains possible that EternalBlue was exploited to move RobbinHood to unpatched servers, but that possibility appears to be relatively remote. The initial infection is generally believed to have come via phishing, and no one has disputed that Baltimore left its servers unpatched.

Dave Bittner: [00:10:35] Armor also has found communications from people claiming to be the attackers, but their responsibility can't be verified. They may be communications from the crooks, or they may simply be the work of taunters. The English is broken, but broken English can easily be part of a false flag. And besides, even pranksters sometimes have poor command of English.

Dave Bittner: [00:10:57] While we have your attention, could we interest you in taking a survey? You could win big prizes, like a pen, stickers, notepad or a pint glass, maybe even an air-gapped Galaxy S4 with nothing on it whatsoever except potentially unwanted programs. It's conceptual art. We call it, The Persistence of PUP - street value somewhere north of a million.

Dave Bittner: [00:11:21] We're just kidding about the S4 and the million bucks and the art, but you might win that other stuff, even a swell card autographed by all of us here at the CyberWire. Now, you're probably asking yourself right now, Dave, why are you offering this chance to win big, big prizes? And the answer is to ask you to help us improve the quality, relevance and overall value of the CyberWire's content. We've put together a short audience survey that should take five minutes or less to complete. The survey is completely voluntary, anonymous and confidential. Go to thecyberwire.com/survey and fill it in if you can spare a moment. And, no, we're not kidding. We would really like to hear from you. So go to thecyberwire.com/survey and look for your chance to win some official CyberWire swag.

Dave Bittner: [00:12:09] To return to the news, the likelihood of significant antitrust investigations of big tech is on the rise. According to The Wall Street Journal, the U.S. Department of Justice has been in conversations with the Federal Trade Commission to see who will take on the case of Apple, and Justice is thought to have been given the first bite. Justice will also conduct any investigation of Google. The Federal Trade Commission is thought to have responsibility for Facebook and Amazon. Not to be left out of the picture, Congress will hold its own inquest. The House Judiciary Committee announced its intention to hold hearings on competition in digital markets, which can be expected to be relatively wide-open.

Dave Bittner: [00:12:48] The prospect of antitrust action has hit the stock prices of leading tech firms, pushing the Nasdaq composite down 10% from its May highs. As The Washington Post points out, that's correction territory.

Dave Bittner: [00:13:06] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:14:16] And joining me once again is Emily Wilson. She is the VP of research at Terbium Labs. Emily, always great to have you back. You and I have been talking about the fraud guide that you all recently published. This is "Fraud Guides 101

Emily Wilson: [00:14:38] There were some interesting things that stood out to me on pricing and also on age. First, on pricing, we knew these guides were cheap. These guides are widely available, and they are extremely inexpensive. And, of course, again, as I always mention when I talk about the prices for dark web data, it's not as though people are spending their own money on this, right? Even if you - even if you're spending your own money in the beginning, you're going to have extreme returns. If you buy one stolen payment card, you're going to pay for that payment card and however many more 10 times over.

Emily Wilson: [00:15:14] So pricing for these, we got a combination of different kinds of guides. We got some that were listed individually, where you go and the vendor says, this is the guide you're purchasing, and you buy that guide. We also purchased some collections or guide packs, which are exactly what they sound like, these collections of hundreds, thousands, sometimes tens of thousands of guides all bundled together, which, it might surprise you, but they're not that much more expensive. And in some cases, they're cheaper than individual guides.

Emily Wilson: [00:15:46] Overall, the price for these averaged out to less than $8 per guide, and that's just for the guides. That doesn't count all of the supporting materials and bonus items that vendors include. Supporting materials would be things like fonts or images or templates, software that they include alongside it because these aren't just guides. It's also everything - in most cases, everything that you need to execute on the scheme, everything except the data, which you would need to go buy separately. So when we include all of those supporting files and all the guides and everything that we got out of this in the end, it averaged out to less than a penny per file.

Dave Bittner: [00:16:26] Wow. Now another thing that you all tracked here was the age of these files themselves. What did you find there?

Emily Wilson: [00:16:34] I had a suspicion that these guides were not as up to date as the vendors might lead us to believe. Everyone says, new, updated, fresh, working, recent, 2019, you know, all of these buzzwords that you have for marketing on the dark web markets. In reality, most of the guides are a little bit older than that. We found just 5% of the files are from the last two years, or from 2018 and 2019. And more than a quarter of the guides are a decade old. Some of that has to do with - interestingly, there was a spike of files dating back to 1994, all of which turned out to be copies of "The Anarchist Cookbook."

Dave Bittner: [00:17:14] Yeah, of course. Right.

Emily Wilson: [00:17:15] A dark web favorite.

Dave Bittner: [00:17:16] (Laughter) That old chestnut.

Emily Wilson: [00:17:18] Yes.

Dave Bittner: [00:17:18] Yeah.

Emily Wilson: [00:17:18] Yeah.

Dave Bittner: [00:17:19] Interesting. One of the things that strikes me here is just the breadth of information that's being shared here. It's everything from, you know, little side street hustles to more sophisticated fraud plans.

Emily Wilson: [00:17:32] Sophisticated is an interesting word to use there because we - you know, I've seen all different kinds of materials over the years that I've been doing this. And I definitely saw that same range in what we obtained for this research project. So we have guides that are quite literally three-line text files. You know, it's - the question is how to, you know, how to do whatever type of crime, and the guide simply says, Google it.

Dave Bittner: [00:17:58] (Laughter).

Emily Wilson: [00:17:59] You know, I love - you have to respect the grift at that point.

Dave Bittner: [00:18:02] Right (laughter).

Emily Wilson: [00:18:02] If you're out there buying a guide - if you're out there selling a guide on how to commit a crime and the answer is Google how to commit this crime...

Dave Bittner: [00:18:08] Right.

Emily Wilson: [00:18:08] ...Just, you know, a little bit of respect for that.

Dave Bittner: [00:18:10] OK.

Emily Wilson: [00:18:11] All the way to the other end - the other extreme, where we're talking about 40- or 50-page, formatted, highly detailed, highly researched materials. I'm thinking in particular - there was a guide on how to dox - how to go out and do these doxes, these detailed targeted leaks of information that included - you know, I won't get into too many details, but it included a lot of information about sourcing, a lot of information about breadth and depth and where to leak information.

Emily Wilson: [00:18:39] There really isn't a ton of unique information. You have people piecing together different collections and different guides over time. You have some people who are genuinely selling their own unique methods. But in most cases, you know, fraudsters are lazy. They're just like us. They're taking the easy way out.

Dave Bittner: [00:18:56] All right, the name of the report is "Fraud Guides 101

Dave Bittner: [00:19:11] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:24] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
Recorded Future
Recorded Future

Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.

BlackBerry Cylance
BlackBerry Cylance

Blackberry Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music Castbox
Follow the CyberWire