The CyberWire Daily Podcast 8.16.16
Ep 164 | 8.16.16

All your attack code are belong us. Guccifer 2.0 suddenly more fluent.

Transcript

Dave Bittner: [00:00:03:22] The Shadow Brokers say they've pwned the Equation Group and with it an NSA attack code. Guccifer 2.0 gets a lot more polished. A BogusQuadRooter patch is serving malware in Google's Play Store. Vawtrak's evolution. Someone's watching the Veracrypt audit. Iran looks into possible cyber causes of oil-and-gas facility fires. Fake Pokémon installers have trainers choosing ransomware. No more Pokéstops in the Flughafen. And British lawyers get a license to hunt hackers.

Dave Bittner: [00:00:39:01] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence but it's real protection. Visit Cylance.com to learn more about the next generation of anti-malware. Cylance: artificial intelligence, real threat protection. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:35:12] I'm David Bittner in Baltimore with your CyberWire summary for Tuesday, August 16th, 2016.

Dave Bittner: [00:01:41:13] A group calling itself "The Shadow Brokers" has placed files online they say they obtained by hacking the Equation Group, widely believed to be associated with the US NSA. To review some history, Kaspersky Labs described the Equation Group in February 2015. Most of the Equation Group's targets were reported to be in Afghanistan, India, Iran, Mali, Pakistan, Russia, and Syria. The actor was believed to be associated with both Stuxnet and Flame. Kaspersky was, and remains, circumspect about attribution, but F-Secure has in the past offered the opinion that Equation Group's firmware exploits were NSA products.

Dave Bittner: [00:02:21:08] The Shadow Brokers offer what they characterize as "NSA malware" for 1,000,000 Bitcoin, about $568,000,000, which is an outrageously high price. The samples they've posted strike researchers as interesting and even, possibly, genuine, but analysts are a long way from reaching firm conclusions about either the Shadow Brokers or the Equation Group, or indeed about the files in question. The posted files don't appear, at least on quick inspection, to be recent. Their date stamps are no later than 2012, but of course that's not yet dispositive. Date stamps can be manipulated.

Dave Bittner: [00:02:56:24] Security researchers are looking closely at the files and will be sharing their conclusions, insights, opinions, speculations, and so on as the story develops.

Dave Bittner: [00:03:05:19] The Shadow Brokers' blog was offline as of this morning, but Hack Read captured some representative prose before it vanished. We read it, verbatim, but you will have to imaginatively supply the accent yourself. Quote, "We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof, no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files," end quote.

Dave Bittner: [00:03:43:05] So there you are. The "best files" would have to be very good indeed to fetch the asking price. The prose is noteworthy if only because it reads like a screenwriter's conception of the way a hacktivist would talk. To fill out the scene all that's needed is a figure in a hoodie crouched over a keyboard, tapping vigorously and saying "I am in," or better yet, "All your attack code are belong to us."

Dave Bittner: [00:04:05:05] It's worth noting that another high-profile hacker, Guccifer 2.0, now almost universally regarded as a Russian sock puppet vigorously waving a Romanian false flag, has recently shifted his or her or their persona away from "hacktivist" and toward "sophisticated leaker." He or she or they has released more documents related to the compromise of US Democratic Party networks, specifically some belonging to the Democratic Congressional Campaign Committee. As Motherboard notes, Guccifer 2.0 has evolved from a stage hacktivist, complete with broken English, something between Ensign Chekhov's dialect and that of the Hekawi tribe from F Troop, into a polished, fluent leaker without any of the linguistic stigmatic earlier on display.

Dave Bittner: [00:04:50:22] The FBI has expanded its inquiry into political season hacking as leaks show that many more accounts were compromised than just a few at the Democratic National Committee.

Dave Bittner: [00:05:01:07] QuadRooter may not be as much of a threat to Android users as some of the initial scare stories made it out to be, but one fix is snake oil. And not only snake oil, but venomous snake oil at that. Someone has posted a bogus QuadRooter patch in the Google Play Store. Don't go there, it's malware.

Dave Bittner: [00:05:18:19] One continuing threat that should be taken seriously is Vawtrak, recently found in newly virulent forms out in the wild. We spoke with Hardik Modi, Director of Threat Research at Fidelis Cybersecurity. He told us what Fidelis has discovered about Vawtrak and its most recent evolutions.

Hardik Modi: [00:05:35:07] So Vawtrak is a highly regarded banking trojan which means essentially when you have an inspection it's monitoring for access to mainly banking sites. For the victim, what it's doing is monitoring access to such sites and when it sees an access it grabs their credentials from the browser so there's a web inject and it looks in the browser, sees that the credentials have been entered, it captures a copy of that and transfers that up to the command-and-control server. It's fairly trivial to go capture, you know, the user ID, the password, get that to their central location and then after that they essentially wreak havoc by stealing money and, you know, doing the thing that criminals do.

Dave Bittner: [00:05:35:10] And so you all have been tracking the evolution of this, and there are some changes that have happened recently that caught your attention?

Hardik Modi: [00:06:27:16] That's right, that's right. The first of those updates is in how it discovered the command-and-control infrastructure, in particular what it has done has now introduced dynamically, you know, domain generation algorithm, a DGA, into the core base so that it now, you know, instead of trying to reach out a specific site to conduct command-and-control, it walks through dynamically generated list of domains so, you know, tries to connect to each one of them. When it succeeds at a connection, you know, that's when it recognizes that there's active command-and-control and it kind of proceeds from there. So after it has a successful connection to the DGA kind of generated site, it downloads a static configuration list of further domains to go connect to. So by doing this, the adversary ensures that, you know, it is difficult for law enforcement and for researchers such as ourselves, to go and confiscate their infrastructure since it could be located in any of the domains that are generated that are part of the list.

Hardik Modi: [00:07:30:06] The second change that we saw was that they've started using SSL to encrypt communications to the command-and-control server. Now this is mildly interesting but what really caught our attention was the fact that it actually checks the SSL certificate that is returned from the server and it knows what certificate to expect. And in instances where command-and-control-- maybe there's a man in the middle, an SSL interception, that has been conducted either through, like, authorized devices inside the enterprise or through maybe a researcher like us, kind of, you know, trying to use a safe network to look at the traffic. It will recognize that this has occurred and it will actually cease communication at that point, physically go to sleep and wait until the next attempt to retry the connection. And so in this way it can, it can evade detection inside enterprise environments where somebody might be trying to inspect the SSL traffic. The certificate checking is also known as certificate pinning, SSL pinning and it's the first time that we've seen SSL pinning in the context of a malware family in the crime domain.

Dave Bittner: [00:08:37:20] That's Hardik Modi, from Fidelis Cybersecurity. They've got a blog post with more information on the Vawtrak Trojan online at threatgeek.com.

Dave Bittner: [00:08:49:04] Parties unknown seem to be monitoring communications related to the ongoing Veracrypt security audit. The Open Source Technology Improvement Fund (OSTIF) says, quote, "We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our "sent" folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared. This suggests that outside actors are attempting to listen in on and/or interfere with the audit process," end quote. OSTIF regards these attentions as a badge of honor, along the lines of, "if nation states are interested, we must be doing something right," which is one way of looking at it.

Dave Bittner: [00:09:36:03] Iranian authorities investigate the possibility of a cyber attack, or at least a SCADA failure, in recent fires at oil and gas facilities. This seems so far, on the strength of sketchy reports, to be a judgment of theoretical possibility as opposed to one based on clear evidence.

Dave Bittner: [00:09:52:17] We're sure that you, like us, would feel bereft if there were nothing about Pokémon-GO in security news. But there are two stories today. BleepingComputer has found ransomware representing itself as a Pokémon-GO installation app, and German civil aviation authorities are trying to get Pokéstops removed from the secure areas of airports.

Dave Bittner: [00:10:13:06] And finally, they may not be issuing letters of marque and reprisal, but London's Metropolitan Police seem to have taken a step in that direction. They'll be experimenting with a program in which they'll turn evidence of cybercrime over to lawyers, encouraging them to sue the hackers. The lawyers will be able to keep what they win. This would remove some cyber crimes to the sphere of civil law. So, good hunting, solicitors, we guess, but we're also surprised that the plaintiff's bar in the United Kingdom needs encouragement to sue. Maybe things are different over there?

Dave Bittner: [00:10:48:20] Time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The cyberwire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff. And we are betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:11:54:08] And I'm joined once again by Dr Vikram Sharma. He's the founder and CEO of QuintessenceLabs. They're one of our academic and research partners. Dr Sharma, I know you at Quintessence are kind of at the leading edge of blending cyber security with advanced physics with all of the work that you do with quantum technology and so tell me, what are some of the challenges and what are some of the opportunities when you are right at that leading edge of both security and physics?

Dr Vikram Sharma: [00:12:18:21] Yes, indeed. The seed technology on which QuintessenceLabs was founded was some research that came out of the Australian National University in the area of quantum key distribution. The capability or the science was about harnessing some quantum effects on highly tuned lasers to transport encryption keys securely between two locations. As we took this technology out into the commercial space, one of the key challenges was how to take a scientific implementation of quantum key distribution which was on an optical table something like about 6ft by 3ft and translate this into a product that would operate in a commercial environment. This certainly meant some further work on the science but equally and perhaps even more so on the engineering side as some of the capabilities and the techniques required to translate this science into product had to be developed for the first time in our labs. Looking at the opportunity side of it, what's been very interesting is to see that in-- the science in and of itself was, was interesting and provide some unique capabilities but to develop product that would make sense for the market meant a blending of that science with conventional cyber security capabilities. The opportunity that we saw was to come up with a synthesis of key management capabilities with the true random number generation coming from the quantum source.

Dave Bittner: [00:14:05:21] Alright, Dr Vikram Sharma, thanks for joining us.

Dave Bittner: [00:14:10:20] And that's the CyberWire. If you enjoy our show we hope you will help spread the word and leave a reviewer rating on iTunes. It's the easiest way you can help us grow our audience.

Dave Bittner: [00:14:19:16] To subscribe to our daily podcast or news brief, visit the thecyberwire.com. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.