Dave Bittner: [00:00:01:00] Our thanks to all the patrons who have been so generous in their support of the CyberWire. We're happy to have added a new benefit this week. Members of the Producer's Circle now receive exclusive access to our new Quarterly Report. If you'd like to see a sample, go to thecyberwire.com/quarterlyreport, and thanks again to our patrons.
Dave Bittner: [00:00:22:08] Another tippy AWS S3 bucket spills its contents over the web. FedEx's 10-K report indicates it may never fully recover systems and data hit by NotPetya. A virus hides in Game of Thrones torrents. Harvard's Belfer Center wants to secure electronic voting. The Departments of Commerce and Homeland Security consider moonshot research to take out botnets. We've got some M&A and venture funding notes. And an initial coin offering gets hacked.
Dave Bittner: [00:00:55:04] I'd like to tell you about a special offer from our sponsor Cylance for those of you who are heading to Black Hat in Las Vegas this month. As you know, Cylance is a leader in machine learning and artificial intelligence for cybersecurity and they're going to have an exclusive book signing on Thursday, July 27th in Booth 716. You can meet author and expert, Alex Matrosov and get a signed copy of his book, Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats, the latest from Alex and his co-authors Eugene Rodionov and Sergey Bratus. Oh, and did we mention the copy you'll get is not only signed, interesting and informative but free too? You can't beat that. So on Thursday, July 27th, join other thinking and thrifty people at Booth 716. And don't forget to check out cylance.com under events for more news and information about all the goings on at Black Hat. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:58:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 19th, 2017.
Dave Bittner: [00:02:07:18] Another unsecured Amazon Web Services S3 bucket has been found. You'll recall the three most recent instances of this sort of misconfiguration, the National Geospatial Agency, the Republican National Committee and Verizon were all victims of third-party contractors or vendors who inadvertently exposed sensitive data.
Dave Bittner: [00:02:27:13] The latest open bucket belongs to Dow Jones, which says 2.2 million customers were affected. Security firm UpGuard offers a higher estimate, suggesting the possibility that around 4,000,000 records were exposed.
Dave Bittner: [00:02:41:06] Chris Pierson of Viewpost commented about this most recent AWS S3 issue. He said, quote, "Even after the news of RNC and Verizon having open access to data stores, in S3 Buckets at AWS, companies have yet to actually scan their networks and permissions in the cloud. It was just announced that Dow Jones had its online storage configured to allow any authenticated AWS user to see the data they were storing," end quote. So scan your AWS buckets for secure configuration.
Dave Bittner: [00:03:13:03] A 10-K filing from FedEx says that the shipping company doesn't yet know how long it will take to restore systems affected by the NotPetya attack and that it's possible the company's TNT unit, the one directly affected, may be unable to ever fully recover. As FedEx put it in their 10-K, "We cannot yet estimate how long it will take to restore the systems that were impacted and it is reasonably possible that TNT will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus."
Dave Bittner: [00:03:45:07] Securities and Exchange Commission Form 10-K is an annual report publicly traded companies in the US are required to file with the SEC. It details company financial performance. In its extended treatment of the NotPetya incident, FedEx added that, "In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods." So the NotPetya story isn't over and FedEx is far from the only company that will be so affected.
Dave Bittner: [00:04:18:05] If you were planning to illegally stream Game of Thrones, think twice. There are reports of a virus lurking in Pirate Bay torrents. Anyway, here's all you need to know about Season 7, SPOILER ALERT, winter is coming. "A virus hides in the torrents of Pirate Bay" actually sounds like showrunner dialog, doesn't it?
Dave Bittner: [00:04:39:04] If you're a competitive online gamer, it's tough enough to stay at the top of the leaderboard without other players using questionable means to try to knock you off or put you at a disadvantage. Online gaming companies battle their own specific kinds of DDoS attacks, and Brian Hamilton, Product Marketing Manager with cybersecurity company Imperva, shares the details.
Robert Hamilton: [00:05:00:03] People that provide video game platforms are typically connecting hundreds, if not thousands, maybe even tens of thousands of individuals to a pool of servers, and unlike other servers, often gamers or people that create the gaming platforms are relying on proprietary protocols. That is, they've written the sort of communication protocol that's being used to communicate with the person playing the game on the other end, as opposed to normal web servers, or the typical web server that relies on the HTTP protocol, which has been called an application protocol, to communicate back and forth between a browser or a mobile client. So these are typically proprietary protocols that support a large number of users concurrently.
Dave Bittner: [00:05:53:00] And so when they get attacked, how does it take shape?
Robert Hamilton: [00:05:57:00] What the attacker is trying to do is they're trying to overload the server with simulated players. Okay? So what they're trying to do is they are creating little attack bots that pretend to be people playing the game but playing the game in a way that no human would ever play it, creating a lot of commands in other words, a lot of activities and they are attempting to overload that gaming server so that legitimate players, the real humans can't get in and can't play the game.
Dave Bittner: [00:06:34:00] And, of course, these online games rely on connectivity to make their money.
Robert Hamilton: [00:06:38:24] Oh, absolutely, they are only making money when real people are playing the games. They don't make any money off of these attack bots.
Dave Bittner: [00:06:45:05] And so what's the motivation for the attack? Is it, is it a competitor? Is there a-- are they holding them for ransom? Why are they doing it?
Robert Hamilton: [00:06:54:07] Typically what we've found in the past is it's a game, by its very nature it's competitive, and a lot of the people that play these games are also really into computers. And what they want to do is they are using DDoS attacks as a sort of competitive weapon, either to keep their competitors from playing the game or to give themselves an advantage where they're playing the game and people that they're try-- that may be trying to play the game can't get in. So to a large extent, we believe it's individuals that are, through their competitive nature, trying to knock the site off or slow it down. We have seen, in the past, attacks where one gaming company might attack another gaming company to give itself a competitive advantage, but it is mostly individuals that are trying to make life hard for other people that are trying to play the game.
Dave Bittner: [00:07:56:17] And so the people who are providing the game, how do they defend themselves against this?
Robert Hamilton: [00:08:01:17] The people that are providing the games will look for a system or a service that can identify who is a human and who's not. They're basically capable of blocking the non-human traffic, only letting the human gamers go through.
Dave Bittner: [00:08:18:12] That's Robert Hamilton from Imperva.
Dave Bittner: [00:08:21:24] In the US, a bipartisan initiative to secure electronic voting spins up at Harvard's Belfer Center. It's led by former Clinton and Romney presidential campaign managers. Its advisors include security leads from Facebook, Google, and CrowdStrike.
Dave Bittner: [00:08:37:23] The US Departments of Homeland Security and Commerce have commissioned studies looking into the possibility of a "moonshot" challenge for combating botnets.
Dave Bittner: [00:08:47:20] In industry news, Awake Security emerged from stealth this week with $31 million in funding. The start-up's technology has been compared to near-unicorn Darktrace. ScaleFT has closed a $2 million seed round. And there's some M&A news. Rapid7 has announced its acquisition of security orchestration start-up Komand for an undisclosed amount.
Dave Bittner: [00:09:12:01] Cybercriminals hacked Israeli cryptocurrency start-up CoinDash's initial coin offering, stealing many of the tokens on sale. It's thought that the currency taken was worth about $7 million.
Dave Bittner: [00:09:24:16] The thieves were able to divert investors' Ethereum to the wrong address. Ilia Kolochenko of security company, High-Tech Bridge, told us in an email that it's another reminder that blockchain technology in isolation doesn't necessarily increase security and may even increase risk. As he put it, quote, "Many users, fooled by investors and so-called serial entrepreneurs, blindly believe that blockchain, particularly cryptocurrencies, can make a digital revolution and provide an "unbreakable" security. Unfortunately, this assumption is wrong and leads to a very dangerous feeling of false security," end quote.
Dave Bittner: [00:10:00:06] If the crooks cash out intelligently, they may go uncaught. Kolochenko added, "Victims of this hack will be quite unlikely to get their money back as, technically speaking, it's virtually impossible," and law enforcement is also unlikely to be able to do very much.
Dave Bittner: [00:10:16:20] So, any advice for those who would invest in cryptocurrencies? Kolochenko is something of a skeptic. He calls such investment a "very profitable, but risky game, like investing into North Korea. Better to place your cash into Apple or Google stock if you have no financial experience."
Dave Bittner: [00:10:34:00] Wait. There are profitable investment opportunities in North Korea? If you're a member of the Wealthy Elite and have a high tolerance for risk, well…good luck.
Dave Bittner: [00:10:48:08] Now I want to share some notes from our sponsor, Cylance. We've been following WannaCry, Petya, NotPetya and other forms of destructive ransomware for weeks. Cylance would like you to know that they can prevent Petya-like ransomware from executing in your system. They'd also like you to know that they've been doing that since October of 2015. How's that for getting ahead of the threat? Their success against NotPetya demonstrates the benefit of their temporal predictive advantage. Cylance Protect stops both file and fileless malware. It runs silently in the background and, best of all, it doesn't suffer from the blind spots in legacy defenses that NotPetya exploited to such devastating effect. If you don't have Cylance Protect and if you'd like to learn more about how it can defend your enterprise, contact them at cylance.com and find out how their AI-driven solution can predict and prevent the unknown unknowns from troubling you. That's cylance.com. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:11:50:13] And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader with Accenture. Justin, welcome back. We have heard a lot lately about fileless malware. First of all, let's go through here and just describe to us what are we talking about with fileless malware?
Justin Harvey: [00:12:05:21] Well, fileless malware really has two types of categorization. The first would be truly fileless: something comes in through a document, an attachment or something you get through a web transaction, and it is executed and resides in memory. There is another definition which we use in the industry where fileless malware could also be executable-less malware, and that type of fileless malware is delivered usually via some sort of scripting language, VBScript and PowerShell being the two most frequently used, and those types, while one could argue, yes, they are scripts, they could be files, a lot of times they don't touch the file system. They come in through a Word document or Excel document or some sort of attachment that enables the attacker to trick the user into hitting enable macros. The enable macro function runs an autostart script, typically that's programmed in VBScript. It goes out to the Internet, it goes to a hosting site that has malicious PowerShell, it pulls that down and then it executes it. Now both of those types are what we consider fileless malware.
Dave Bittner: [00:13:27:02] And the notion being that when there's no file, that makes it harder for the AV software to-- which would be working for a file, to detect it?
Justin Harvey: [00:13:34:08] Correct. I think this is one of our biggest areas of concern in cyber defense today: what do we do about scripts? It's very easy to take an executable and create a signature from it or, if there's polymorphic malware, be able to identify, well, it's this type of packer, or it has to persist by getting inside of the registry and working with these keys, or performing these sorts of function calls we know to be malicious. Scripting is a lot harder to be able to put some controls around, and that is why we're seeing a lot more PowerShell types of malicious attacks.
Dave Bittner: [00:14:12:23] And is this a situation with-- because the malware is residing in RAM, in terms of persistence if you reboot does the malware then get wiped clean?
Justin Harvey: [00:14:20:22] Yes to no. In a normal fileless attack-- normal, meaning the first definition, meaning that there was an executable or something that came down that's resident within the memory, yes, when you reboot the system, it is gone. For that first type where an executable is used and it doesn't persist, the adversary needs to either work quickly to get secondary or tertiary methods of getting under that system or they need to get the data off as fast as they can.
Justin Harvey: [00:14:49:17] The second definition, so a PowerShell type of attack, there are methods and means to persist even after a reboot using that scripting language, but they're not as obvious as an executable, let's say, in the startup folder, for instance.
Dave Bittner: [00:15:06:15] Alright, interesting stuff. Justin Harvey, thanks for joining us.
Dave Bittner: [00:15:12:02] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. You can find out more about Cylance and how they can help protect you with artificial intelligence at cylance.com. We've gained a lot of new listeners over the past couple of months. Welcome, we're glad you're here. A reminder that one of the best ways you can help spread the word about our show is to leave us a review on iTunes. It really does make a difference.
Dave Bittner: [00:15:36:14] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.