Iowa’s Democrats are still counting their caucus results, but on the other hand they weren’t hacked. A poorly built and badly tested app is still being blamed, and that judgment seems likely to hold up. The FBI warns of a DDoS attempt against a state voter registration site. Trends in DDoS. Some new strains of ransomware are out in the wild. Spoofed emails may be an Iranian espionage effort. And the confessed Nintendo hacker cops a plea. Craig Williams from Cisco Talos with updates on Emotet. Guest is Kurtis Minder from GroupSense on the pros and cons of notifying breached companies.
Dave Bittner: [00:00:04] Iowa's Democrats are still counting their caucus results. The FBI warns of a DDoS attempt against a state voter registration site. Trends in DDoS. Some new strains of ransomware are out in the wild. Spoofed emails may be an Iranian espionage effort, and the confessed Nintendo hacker cops a plea.
Dave Bittner: [00:00:29] And now a word from our sponsor ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire, and we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 5, 2020. The Democratic Party continues to count the results of its Iowa caucus. This afternoon, those results remain incomplete. Seventy-one percent of the precinct's results have been counted. The problems at the caucus are attributed not to hacking, The Washington Post reports, but to a buggy, inadequately tested app produced by Shadow, effectively a for-profit tech arm for its investor, the progressive Washington not-for-profit consultancy ACRONYM. The app that failed is said to have been developed in haste, a haste driven in part by fears that having precinct leaders phone the results in, as had been done in past campaigns, would have been insecure.
Dave Bittner: [00:02:30] It was finished and adopted without proper testing. For example, it wasn't finished in time to qualify for inclusion in Apple's store, and of course, many precinct leaders use iPhones. Many of the party officials who were to use the app only sought to install it the morning of the caucus, and the difficulties were, under such circumstances, unsurprising. Compounding the difficulties with the app is the apparent failure to prepare and exercise backups against the eventuality of exactly what happened.
Dave Bittner: [00:02:59] The state's party leaders say they've got a handle on the count, which they're confident they can complete accurately, only not so fast as they'd otherwise have been able to account for it. Sources at the Democratic National Committee say they warned Iowa not to try to run the caucus through the app. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, has said it offered to test Shadow's app but that the Iowa party turned down the offer. Iowa Democrats rebuffed the warnings from the National Committee, and according to The Washington Post, they say they didn't know about CISA's offer.
Dave Bittner: [00:03:35] No fresh lessons have emerged since yesterday, but it's worth repeating four of them. First, don't deploy election software until it's thoroughly tested (and Shadow's app seems hardly to have been tested at all, judging from The Wall Street Journal's account). Second, resilience always demands some sort of effective, tested backup. Third, a technical problem, even if it's an innocent mistake, erodes trust and spawns unfounded rumors - what The Washington Post calls a cesspool of toxic conspiracy theories. And fourth, of course, if someone who is in a position to help offers help, consider taking it. And before we leave Iowa, it's worth repeating that the problems at the caucus were an unforced error, a case of poor execution and not a cyberattack, whatever they're saying out in that toxic cesspool the Post is pointing out.
Dave Bittner: [00:04:27] There is one incident of cyber interference in election systems as opposed to campaign or caucus systems. Bleeping Computer reports that the FBI yesterday issued a private industry notification that it's received reports that a state's voter registration and information site was hit with an attempted distributed denial of service attack. The bureau didn't say which state's site was affected, but it characterized the attack this way - quote, "The FBI received reporting indicating a state-level voter registration and voter information website received anomalous domain name system server requests consistent with a pseudo-random subdomain attack," end quote. That is, the system was flooded with a large number of DNS requests for nonexistent subdomains. Happily, rate limiting on the targeted DNS servers prevented the attack from succeeding, and voter registration wasn't affected.
Dave Bittner: [00:05:21] What's the general state of play in distributed denial of service these days? Researchers at Imperva yesterday published their Global DDoS Threat Landscape Report. The categories of victims are among the interesting things in their description. By number of attacks, the top two classes of target are gambling, with 31% of the attacks, and gaming - No. 1 victim at nearly 36%. The most affected countries are in South or East Asia, with India leading at just under 23%. Looking just at application attacks, however, the biggest target hands-down was Ukraine.
Dave Bittner: [00:05:58] DoppelPaymer is the latest ransomware gang to not just encrypt data but to steal data as well. Data Breach Today points out that DoppelPaymer has now joined Maze and Sodinokibi in the new normal for ransomware. The ransomware attack should now be considered a data breach until proved otherwise.
Dave Bittner: [00:06:17] Most people would like to know when something bad happened to them, right? We'd rather not stick our heads in the sand, our fingers in our ears or turn a blind eye to news that could affect our livelihood - common sense. But - and you knew there was a but coming - for a variety of reasons, many companies aren't all that eager to hear from security researchers about their potential vulnerabilities. Kurtis Minder is CEO and co-founder of GroupSense, and he shares insights on the pros and cons of sharing your findings with a company you discover has been breached.
Kurtis Minder: [00:06:51] So GroupSense is a cyber reconnaissance company. We focus on digital risk protection services for enterprise customers and governments. As part of our work on a daily basis, we're uncovering breaches, stolen data, stolen intellectual property, things like this, mostly for our clients. But in the margins of what we do, our analysts occasionally find data that affects others that are not clients. And in those cases - and we put together a program where we notify the affected parties, you know, free of charge as part of a - you know, just for goodwill. And as part of our service, we just give that data away, and we notify them when we see it.
Dave Bittner: [00:07:31] So what would your recommendations be, then? For organizations who are out there, listening to this, how can they have a pipeline for when someone needs to get a hold of them with this sort of information, which I guess we can agree is in their best interest? What sort of things should they have in place?
Kurtis Minder: [00:07:47] Well, I'll come and say that it may not be in their best interest in some cases if you think about the outcomes from this sort of notification. But it's certainly in their - a lot of times, in their constituents' best interest - right? - so their customers' best interest. I think the problem is, you know, due to some laws that vary state by state on breach notification - things like this, there is no provision in most of these laws, or the ones that I've seen, that effectively tell an organization that they have to have a channel where they listen to inbound information like this. I understand that it's a difficult problem to solve because there's a lot of noise. You know, there's a lot of people trying to sell things and a lot of scams. But there should be some official program for external notification of breach awareness.
Dave Bittner: [00:08:36] So is it that these organizations are just sticking their heads in the sand or their incentives aren't necessarily aligned? They're being pulled in different directions by different groups.
Kurtis Minder: [00:08:46] Right. And I mean, this is effectively why we have regulatory bodies that govern things like this - because there are certain actions that are unnatural or not indicative to the growth of a business that companies are just not going to take on their own without some sort of guiding hand, if you will. And so I think - I speculate that in some of these cases that the companies are choosing to ignore the problem, or perhaps they're acknowledging it and doing research on their own but not acknowledging it in a public way or acknowledging my initial outreach.
Dave Bittner: [00:09:15] What sort of adjustments would you like to see? If - can you imagine a solution like this that would be - that would work out for all parties involved?
Kurtis Minder: [00:09:23] I can imagine one, but imagination doesn't do much for us, does it? I think it goes along the lines of - in somewhere in the regulatory statutes, they need to dictate a process for third-party notification. If not that, then perhaps within the bug bounty programs, there could be a process for this. Obviously, this is something that is going to take some energy and resources on both the regulatory side or the bug bounty side or - and certainly on the enterprise side to consume it and verify it. But there needs to be something outlined. It should be fairly standard. To date, I have not seen this in any of the enterprise customers I've interfaced with. I have seen it with government customers where they do have a process in place. But it's ad hoc. It's different for each organization.
Dave Bittner: [00:10:12] Yeah, it seems to me like if an organization like yours, your team at GroupSense - if there were some way that you could establish yourselves - you know, register yourselves with the regulators and say we're a good company in good standing, you know, this is what we found - if there was some way to have those findings both hit the regulators and the company affected at the same time, at least then, the company knows that, first of all, the messaging is coming from a vetted source. But also, the regulators have been notified as well, and, you know, they can react as they see appropriate.
Kurtis Minder: [00:10:46] Yeah, that's one approach. I agree that that certainly would be effective in getting - protecting the constituents - is if the regulatory bodies were notified simultaneously.
Dave Bittner: [00:10:57] Yeah, I guess. But like you say, though, I mean, it's complicated, and nothing's perfect.
Kurtis Minder: [00:11:00] Right, exactly.
Dave Bittner: [00:11:02] Yeah, yeah.
Kurtis Minder: [00:11:04] We have to say the good side of the story - right? - which is the companies that have responded and we've engaged with, the outcomes have generally been positive, where we've been able to actually supply them with useful data. We work with their IR teams, and we come to a resolution. Typically, we're working also with their law firms in some fashion or some capacity as part of the process. And for the benefit of companies that are listening to the podcast, yes, this is a scary thing.
Kurtis Minder: [00:11:27] But the good news is we're not charging for this. We'll see it all the way from the notification to the process. Anything you need from us from a research perspective is provided free of charge through the entire process. And we've actually helped a number of well-known, large companies through the process, and when they don't have the resources internally, we've been able to help them source those for the breach response, et cetera. So, you know, on the flipside, there are some good stories that come out of this as well (laughter).
Dave Bittner: [00:11:54] That's Kurtis Minder from GroupSense.
Dave Bittner: [00:11:57] Security firm Varonis this morning reported finding a new ransomware strain which it's calling SaveTheQueen after the .SaveTheQueen the attackers append as an extension to the affected files. The ransomware propagates using the SYSVOL share on Active Directory Domain Controllers. The only thing unusual about SaveTheQueen is what Varonis calls its creative use of Active Directory to spread the dropper. Beyond that, the ransomware's components seem largely commodity tools packaged into a straightforward bit of malware.
Dave Bittner: [00:12:30] Reuters says that emails spoofing the accounts of journalists are being used to prospect targets with bogus approaches for interviews. It appears to be an espionage campaign, and the circumstantial evidence of targets and topics suggests an Iranian operation. Remember, this evidence is circumstantial, but the spoofing of accounts belonging to journalists working in the West but who have connections with Iran to approach high-profile targets who themselves have Iranian background is suggestive.
Dave Bittner: [00:13:00] Finally, one wonders what the cops and robbers are thinking sometimes - well, at least the robbers. Ryan Hernandez, who took a guilty plea Friday to charges related to hacking Nintendo servers to steal games and other things, not only spent years doing so but was brazen enough to brag about his exploits on social networks like Twitter and Discord. Vice has the whole sad story. Nintendo got wise to him in 2016, and in 2017, the FBI visited him at home to reason with him. Cliche alert - he lived with his parents. After discussion, Mr. Hernandez indicated he understood the seriousness of the matter and promised to return to the straight and narrow. But he was back up on Discord within hours, mocking the FBI in, we must observe, appallingly spelled posts. A few days later, he escalated, seeking to create a meme in which SpongeBob SquarePants was an FBI special agent. And in case anyone failed to get it, he tagged the image with, hi, @NintendoAmerica. Other public boasting enabled the FBI - using nothing more than their browser, apparently - to get enough for a search warrant. Mr. Hernandez faces up to three years in Club Fed, and he's agreed to pay Nintendo just under $260,000. The 21-year-old resident of Palmdale, California, will have another opportunity to amend the path of his life, and we hope he'll take it.
Dave Bittner: [00:14:31] And now a word from our sponsor KnowBe4. There is a reason more than half of today's ransomware victims end up paying the ransom. Cybercriminals have become thoughtful, taking time to maximize your organization's potential damage and their payoff. After achieving root access, the bad guys explore your network, reading email, finding data troves. And once they know you, they craft a plan to cause the most panic, pain and operational disruption. Ransomware has gone nuclear, but don't panic. KnowBe4 is hosting an exclusive webinar where you can find out why data backups - even offline backups - won't save you, why ransomware isn't your real problem and how your end users can become your best last line of defense. Go to knowbe4.com/ransom, and learn more about this exclusive webinar. That's knowbe4.com/ransom, and we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:43] And I'm pleased to be joined once again by Craig Williams. He's the director of Talos Outreach at Cisco. Craig, always great to have you back. You all recently published some information over on your blog. This is "Stolen Emails Reflect Emotet's Organic Growth." So Emotet is still under your watchful eye here, yes?
Craig Williams: [00:16:02] Absolutely. Emotet's been one of those campaigns that we've been monitoring for, like, literally years. I don't know that it's the longest. I'm sure we've been monitoring a couple things longer. But it's definitely up there in terms of things that we've just been sitting back and watching and keeping a really close eye on for both our customers and the internet as a whole.
Dave Bittner: [00:16:21] And so what are you tracking here? What's the latest?
Craig Williams: [00:16:24] Well, so what we saw in this particular campaign was basically a compromise with some government and military customers. And then, you know, as usual, Emotet will use those accounts to move laterally within organizations. And because these were government and military, it's moving inside of government and military. And obviously, when you see that type of thing, it's very concerning because generally speaking, if people see emails from sources that they consider internal, they're much more likely to trust them. And that's why we needed to make sure the word got out that there are malicious actors using these relationships for nefarious purposes.
Dave Bittner: [00:17:01] Can you give us some of the specifics about how Emotet functions?
Craig Williams: [00:17:05] Yeah. I mean, one of Emotet's favorites is to basically find conversations that have existed over an email thread and basically continue on that thread with a malicious attachment. So, you know, if you've got a thread with your buddy and it's gone on and on and on and all of a sudden, your buddy replies back with, oh, you know what? - that's right, and then attaches, like, receipt.pdf, probably don't open that (laughter).
Dave Bittner: [00:17:30] Right, right. So Emotet works by getting access to your email account for getting in there and being able to do those sorts of things.
Craig Williams: [00:17:39] Well, that or phish credentials. And generally speaking, it responds with a Word document that's been - has macros embedded in it. And, you know, the typical Emotet attachment is one that you open where - it'll then entice you to open a macro or otherwise interact with it for the compromise to take place.
Dave Bittner: [00:17:58] Is this a case where, because it's so effective - does that explain the longevity of Emotet?
Craig Williams: [00:18:05] Yes. And we actually saw them take a break for the Orthodox Christmas holiday, and so obviously, that has certain political implications. And it can lead you to conclude that actors are potentially operating out of certain areas. And when those number of TTPs add up over time year after year, it can help you really get a good idea of where these operators are acting out of, you know? I think as of this morning, we're even tracking campaigns that are distributing themselves as new coronavirus information. So these actors aren't going to go away, and they're going to continue to find very enticing reasons for people to open these email attachments.
Dave Bittner: [00:18:44] And best practices to protect yourself here?
Craig Williams: [00:18:47] Well, this falls back to just - don't open untrusted email attachments, right? And if you are on a thread and all of a sudden, an attachment appears, even if the thread appears to be legitimate and even if the reply doesn't seem that unusual, you should probably just pick up the phone and make sure that the person sending it intended to send it, especially if it hasn't come up in the thread before. Now, obviously, if someone says, hey; on Thursday, I'm going to send you that email, then it's probably OK.
Dave Bittner: [00:19:13] Yeah.
Craig Williams: [00:19:13] But alternatively, if you have a thread that's existed for a while, that's been basically abandoned and then all of a sudden, someone replies to it with an attachment and maybe a couple of really generic statements that don't make a lot of sense in the context of the conversation, that's when your guard should shoot up.
Dave Bittner: [00:19:28] Yeah. All right, well, the blog is titled "Stolen Emails Reflect Emotet's Organic Growth." Craig Williams, thanks for joining us.
Craig Williams: [00:19:36] Thank you.
Dave Bittner: [00:19:42] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: [00:19:47] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our truly amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.