The CyberWire Daily Podcast 6.1.17
Ep 361 | 6.1.17

It's the first of June, and the ShadowBrokers' exploit-of-the-month club is open for business (exploits to be delivered to subscribers in July).

Transcript

Dave Bittner: [00:00:00:22] I want to give a quick shout out to our latest Patreon supporters - thank you so much for helping us do what we do here. If you want to help support the CyberWire, go to Patreon.com/thecyberwire to find out more.

Dave Bittner: [00:00:14:20] It's June, and the ShadowBrokers say they're open for business. Do you know where your exploits are?

Dave Bittner: [00:00:26:02] We'd like to share some research from our sponsor Cylance. Satan is as bad as it sounds. This particular prince of darkness is a ransomware as a service offering: RaaS. It's a fairly sophisticated crypto ransomware variant. The criminals who wrote it seek riches in the crook-to-crook market, selling Satan to skids who would otherwise be unable to code it themselves. If you're hit by Satan, don't pay the ransom. There's no guarantee you'll get your promised decryption key. You're dealing, after all, with the Father of Lies. Better to get protection upfront. For information on Satan and those who've followed all its empty promises, reject the glamour of evil and go to Cylance.com/blog, and check out the threat spotlight paper on Satan RaaS. While you're there, check out the protection that Cylance offers. We thank Cylance for sponsoring our show.

Dave Bittner: [00:01:28:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 1st, 2017.

Dave Bittner: [00:01:38:21] It is the first of June, and at such times, our minds turn to the ShadowBrokers. We touched on them briefly yesterday, but there's more to say.

Dave Bittner: [00:01:47:09] June is the month when, having tried direct sales, an auction, and crowd-funding since their first Equation Group dumps last August, the ShadowBrokers turn to an exploit-of-the-month club. For $22,000 in Zcash, a member will get an unspecified exploit said to have been stolen from NSA. Zcash is an alternate cryptocurrency the Brokers are using instead of their former medium of exchange, Bitcoin.

Dave Bittner: [00:02:11:09] They added a helpful set of FAQ this week, which includes a not-so-reassuring take on Zcash. To the sensible frequently asked question, "Is Zcash safe and reliable?" the Brokers replied as follows (we've edited slightly because we're a family show, but you get their demotic drift). F no! If you caring about losing 20K in Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing the game is involving risks. Zcash is having connections to USG (DARPA, DOD, John Hopkins) and Israel. Why USG is sponsoring privacy version of Bitcoin? Who the F is knowing? In defense, TOR is originally being by similar parties. The ShadowBrokers not fully trusting TOR either.

Dave Bittner: [00:02:56:18] Maybe USG is needing to be sending money outside from banking systems? If USG is hacking and watching banking systems (SWIFT) then adversaries is also hacking and watching banking systems. Maybe is for sending money to deep cover foreign assets? Maybe is being Trojan horse with cryptographic flaw or weakness only NSA can exploit? Maybe is not being for money? Maybe is being for Zk-SNARKs research? Maybe, F it, let's be finding out. This month the ShadowBrokers using Zcash. If being not good, then maybe the ShadowBrokers doing different for July.

Dave Bittner: [00:03:30:12] We confess to a certain local pride in Baltimore's own Johns Hopkins being mentioned in dispatches. Beyond that, however, note the way the ShadowBrokers have turned their message to recent news coverage, much of it prompted by themselves, connecting NSA to insecurities in the global financial system. If you, like us, is not fully trusting ShadowBrokers romantic self-presentation as bigtime little-guy Davids fighting and beating the bigtime big-guy Goliath of Equation Group, you is maybe thinking they too artful and aligned with some big guy foreign intelligence service. Or maybe is just wise guys from Anonymous runs their words back and forth through Google translate to sound funny, like our friends at KnowBe4 told our editor the week before last.

Dave Bittner: [00:04:14:01] It's only fair to point out that the ShadowBrokers say they intend to include sensitive data from Russian, Chinese, Iranian, and North Korean sources. The North Korean material, the Brokers suggest, is touching on Pyongyang's nuclear program. All this may be real, or it may be misdirection, but the ShadowBrokers do seem to have given NSA the lion's share of their attention.

Dave Bittner: [00:04:34:16] Here's the industry reaction we've been receiving.

Dave Bittner: [00:04:37:13] Security company, Balabit's Csaba Krasznay counsels healthy skepticism, but finds this whole business scary, and says that it should serve as a wake-up call for governments. He says, "On one hand, if the exploits are really existing and someone, or multiple parties, buys them, we may be faced with another WannaCry campaign, as we can be sure that the buyers will monetize those exploits. On the other hand, if the whole story is not true, ShadowBrokers' questionable reputation may suffer, and it may seek to prove trustworthiness in another destructive way."

Dave Bittner: [00:05:09:11] Krasznay thinks there's a lesson here for governments. "Whatever the truth is, it's clear now that the governments should handle their cyberweapons in ways similar to the handling of their weapons of mass destruction. Otherwise, perhaps a disgruntled privileged administrator might steal one or perhaps someone may simply forget to delete it after use in an operation. Those codes shouldn't get to a ShadowBroker-like group, and this is a governmental responsibility."

Dave Bittner: [00:05:36:13] We note that who the ShadowBrokers are, how they got their hands on what Microsoft and others have publicly said are NSA exploits, remain unknown, at least to the general press and public.

Dave Bittner: [00:05:47:10] We also heard from Cyphort Labs. Their Mounir Hahad is prepared to consider what the changes in the ShadowBrokers' nominal business model might be, if they're taken at face value. He sees them as trying various approaches on for size, and seeing which one yields the best margin. He says, "They've tried an auction sale, a direct sale, and now a subscription model. None of these approaches seem to have generated much profit, suggesting that neither government agencies interested in offensive security nor security companies interested in developing defensive tools have been eager to buy." Hahad thinks the $22,000 per month subscription is disturbing, because it's affordable. "My concern would be with rogue entities like cyber crime groups which now would have more affordable access to weapons of choice. Some not-so-well funded foreign governments may dip their toes in as well."

Dave Bittner: [00:06:40:10] Our financial staff did some quick research and told us that 20 grand would buy you an entry-level Honda Civic or, if you're in it for the long haul, monthly payments on a foreclosure in Fresno. So the barriers to entry in this particular market do seem to have fallen to where a modestly-funded gang could become a player.

Dave Bittner: [00:06:58:24] Hahad closed with some good advice for the security industry. He hopes the ShadowBrokers won't induce security companies to subscribe out of fear of being the last one to know. He hopes the industry at large adheres to customary codes of conduct and declines to do business with the ShadowBrokers.

Dave Bittner: [00:07:15:11] Finally, STEALTHbits Technologies' Gabriel Gumbs wrote in an email that he, for one, is very skeptical about the Brokers' declared motives. He said, "Of the list of items that the Shadow Brokers have suggested would be a part of their monthly data and exploit dump service, compromised SWIFT network data is of the most value to both Black Hat hackers and the impacted organizations." Zero days are relatively common on the Web, both the dark Web and the ordinary Web, but most of the damage is done by compromised networks. If the ShadowBrokers really had compromised SWIFT credentials, why wouldn't they use them? Why would they sell them? As Gumbs puts it, "So why would a group of hackers need to peddle exploits and the like if they have at their disposal the means to steal untold amounts of money? I, for one, am very skeptical of the group and their motives."

Dave Bittner: [00:08:05:17] The ShadowBrokers, then, if taken at face value, are like the psychic-for-hire who offers you lucky numbers for the Lotto, or sure-fire penny stock tips, all for a modest price. If they really knew, why wouldn't they use the knowledge themselves, instead of making nickels and dimes selling it? The moral is that whatever their motives are, a very significant fraction of these motives must be something other than profit.

Dave Bittner: [00:08:36:10] Time to take a moment to tell you about our sponsor, Recorded Future. You've heard of Recorded Future - they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insights into emerging threats. We subscribe to and read their cyber daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the cyber daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, and suspicious IP addresses. Subscribe today and stay ahead of the attacks. Go to Recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:09:36:24] Joining me once again is David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. Big in the news lately has been the WannaCry ransomware and, of course, part of the way that it gets its way into people's systems is that it is a worm. We thought we'd check in today with you to find out what does that mean? What is a worm and how does it work?

David Dufour: [00:09:59:01] It's great to be back, David, and I appreciate you having me. Yes, it's pretty interesting, everyone's been focused on WannaCry, how it's ransomware, and we've not really been talking a lot about how it propagates. Worms have been around for quite some time, and the big difference between a worm and the now-popular phishing is that worms have been written and coded in such a way that once they've landed inside of, say, a network, or your home, they start looking around to see what other computers that they can get on.

David Dufour: [00:10:32:03] And ways they might do that is by looking at file shares or looking at open ports and maybe dropping a new version of themselves out somewhere where someone might pick them up. That's how they're moving around the network.

Dave Bittner: [00:10:45:11] So once they get past that first line of defense into the system, then they have free rein to sort of spread out and try to find new places to do their dirty work?

David Dufour: [00:10:57:16] That's exactly right. Think of it as they're kind of stretching their arms and legs, just seeing where they can get. What's interesting is the folks who created WannaCry, had to actually add more code, that they wrapped around the ransomware, and that code, as we described, once it lands, it starts looking around to see what it can infect, and figure out how to spread itself. So, it's a little more advanced than your typical phishing, where it's just that, you know, malicious payload, because it has to do more inside that network to do that exploration and see what exists where it can infect things.

Dave Bittner: [00:11:35:15] In a situation like this, where you have a worm, is this the kind of thing that your typical anti-virus software would be able to notice and shut down?

David Dufour: [00:11:43:07] Yes, it would. An anti-virus software would typically be analyzing the worm, once it's landed on the machine. It might not be able to detect things sniffing around the network - that starts to get in discussions around network security and analyzing behaviors that are occurring on the network. Whereas an anti-virus is going to detect it once it's landed on that end-point where the anti-virus is installed.

David Dufour: [00:12:15:10] The number one way is, of course, have antivirus. But, let's say you're a home user, don't have open administrator passwords on your file shares, or on your computer. Make sure you have a password. Because what those worms do are try to get access to other computers inside of a network, and then they're going to look for administrative access. A lot of people at home just make administrator passwords blank, and all of a sudden once something's inside that perimeter, they can own you. So, just make sure you've got passwords: it's that same, you know, security hygiene - always make sure you have good passwords.

Dave Bittner: [00:12:52:07] David Dufour, thanks for joining us.

Dave Bittner: [00:12:57:10] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit TheCyberWire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit Cylance.com.

Dave Bittner: [00:13:14:24] Thanks once again to all of our supporters on Patreon. To find out how you can contribute to the CyberWire, go to Patreon.com/thecyberwire. I want to remind you all to check out the Grumpy Old Geeks podcast, where I join Jason and Brian for what is quite often a colorful and sometimes salty review of the week's cyber security news. We do have a lot of fun, and you can find Grumpy Old Geeks wherever the fine podcasts are available, so check it out.

Dave Bittner: [00:13:38:17] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.