DPRK exploiting Flash Player zero-day. ISIS wants hacking help. JenX DDoS, Scarabey ransomware updates. Crime and punishment.
Dave Bittner: [00:00:00:12] Thanks again to all of our Patreon supporters. You can find out how you can become a supporter at patreon.com/thecyberwire.
Dave Bittner: [00:00:10:22] Flash Player exploited by DPRK's TEMP.Reaper, also known as Group 123. ISIS may have a hacker help-wanted sign out. We've got a JenX botnet update. Scarabey ransomware tells victims it will shred their files if they don't pay up. The Nunes Memo remains a political Rorschach Test. A Japanese teenager is arrested for writing cryptocurrency-stealing code. Lauri Love will not be extradited to the US. Peter Levashov is not so lucky. And the FBI is not emailing you to say you may be entitled to compensation.
Dave Bittner: [00:00:49:07] Time to take a moment to tell you about our sponsor Comodo. Here's the bad news. There is no way you will ever be able to stop malware from entering your network. The good news is Comodo renders malware useless. That's why Comodo customers can click on anything. Over 120 million new pieces of malware were created in 2017. So even at 99 percent, you're still a target for 1.2 million pieces of malware. If you do the math, that's still over 3,000 problems per day that current solutions cannot solve. Comodo doesn't settle for 99 percent and neither should you. They put those 3,000 daily problems into a lightweight kernel level container where the malware's rendered useless. With Comodo's patented auto-containment technology they bulletproof you down to hour zero every time, solving the malware problem. So with Comodo, you can say with confidence, "I got 99 problems but malware ain't one." Go to enterprise.comodo.com to learn more and get a free demo of their platform. That's enterprise.comodo.com and we thank Comodo for sponsoring our show.
Dave Bittner: [00:02:04:12] Major funding of The CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, February 5th, 2018.
Dave Bittner: [00:02:13:23] Exploitation of an Adobe Flash Player zero-day is now generally being attributed to North Korean operators belonging to the "TEMP.Reaper" threat group, also known as "Group 123." South Korea's CERT warned of the campaign last week.
Dave Bittner: [00:02:29:22] Researchers at security firm FireEye have been investigating. They say they've seen TEMP.Reaper operators working with their command-and-control infrastructure from IP addresses belonging to Pyongyang's STAR-KP network. STAR-KP is a joint venture between North Korea's government Post and Telecommunications Corporation and an outfit based in Thailand, Loxley Pacific, which would seem to associate TEMP.Reaper clearly with the North Korean regime. The targets so far have been South Korean. The exploit is delivered by a malicious Excel file delivered by a phishing email.
Dave Bittner: [00:03:04:10] Cisco researchers, and Cisco is the company that's been tracking the threat actor as Group 123, have identified the payload as ROKRAT, malware that enables remote code execution on victim systems.
Dave Bittner: [00:03:17:16] If you decide to continue to use Flash Player, you'll have to wait for the security updates Adobe has said it intends to deliver, sometime this week. As usual, treat email attachments with caution. Administrators might also consider implementing Protected View for Office in their enterprise. There's also a possibility of waterhole attacks built around some South Korean websites.
Dave Bittner: [00:03:40:09] Security industry researchers, many of them GCHQ alumni, warn that ISIS is trying to recruit hacking talent in labor black markets. The terrorist group has hitherto excelled at inspiration but generally flunked hacking proper, demonstrating little more than an ability to vandalize poorly protected sites. Europol and other police agencies have continued to assess the aspiring Caliphate's hacking skills as low, but an influx of criminal coding talent could change that. So could increased access to commoditized hacking tools, a flourishing market for which now exists in various dark web souks.
Dave Bittner: [00:04:17:20] Some such criminal services have long been available. Distributed denial-of-service attacks can now be hired. In one example of this, researchers at Radware and other security companies have tied a gaming server rental operation, San Calvicie, more closely to the JenX botnet. San Calvicie offers Grand Theft Auto San Andreas hosting, and they also offer to hit targets with distributed denial-of-service attacks for the low, low price of $20. People are working to get the service taken down, and Radware says it's had some success in getting exploit servers taken down. But they also say that this has slowed rather than stopped the growth of JenX.
Dave Bittner: [00:04:58:02] Scarabey ransomware, a variant of the well-known Scarab malware, brings a new twist to ransomware. It encrypts files, of course, but then it threatens to delete twenty-four files from the victims' systems every four hours the extortionists aren't paid. In most ransomware capers, the extortionists simply threaten to up their prices. But a threat to destroy the data beyond recovery lends more urgency to their demands. This may be an empty threat; security firm Malwarebytes, which has been studying the ransomware, hasn't found the sort of backdoor access that would lend credibility to the promise of shredding. It also seems the criminals may be implying they're retaining copies of shredded files that they could return to the victims upon payment of ransom. As always, the best practice against ransomware is secure and regular backup of files.
Dave Bittner: [00:05:47:03] Scarabey, to judge from its code, is apparently a Russian criminal product, and it spreads by RDP/manual dropping. Its ransom note appears in broken, poorly translated English. And not, one should note, the artfully implausible screenwriter's broken English used by the Shadow Brokers. So these look like actual hoods, and not cats' paws for a certain nation's security organs. Where are the Brokers being these days, we are being wondering, by the ways. Hobnobbing in Davos with Wealthy Elite, maybe? Saving up the Super Bowl leftovers foods they could not finish yesterday because they lose appetite watching Gronk not catch final pass from Brady, so they will be eating wings and cucumbers while watching Olympics next week? Maybe be sharing snack with Fancy and Cozy?
Dave Bittner: [00:06:34:13] In the US, the Nunes Memo is expected to be followed by other memos and releases. Reaction to the controversial memo and the controversial FBI surveillance it describes continues to fall generally along predictable partisan lines. More documents and controversy are expected over the course of this week and beyond.
Dave Bittner: [00:06:53:08] We close with some news of crime and punishment. First, the extraditions. British hacker Lauri Love, who hit US Government sites in 2012 and 2013, will not be extradited Stateside after all. The High Court overturned his 2016 extradition order but left the door open to Love's prosecution in the UK, saying "it would not be oppressive" to do so. Mr. Love counted coup against an impressive list of US agencies: NASA, the FBI, the US Army, the Department of Defense, the Federal Reserve, the Missile Defense Agency, the Department of Health and Human Services, and the Department of Energy. It's thought that Mr. Love's Asperger's Syndrome, which he introduced in extenuation and mitigation, played a role in the Court's decision, as did the American prosecutors' presumed intention of asking for the ninety-nine year max. The judgment said in part, "the experience of imprisonment in England would be significantly different for Mr. Love from what he would face in the United States. The support of his family, in particular, would mean that he would be at far lower risk of suicide in consequence. On the evidence we have seen, his mental and physical condition would survive imprisonment without such significant deterioration, although it would undoubtedly be more problematic for him than for many prisoners."
Dave Bittner: [00:08:13:06] Russian hacker Peter Levashov, alleged creator of the Kelihos botnet and reputedly one of the world's leading spammers, was not so lucky. He's been extradited to the US from Spanish custody. Mr. Levashov has claimed connections to Russian President Putin's political party; how that will help him in the Connecticut Federal Court that will hear his case is unclear.
Dave Bittner: [00:08:35:22] A Japanese teenager, said to be a third-year high school student in the Osaka Prefecture, has been arrested on charges of developing malware that enables theft of MonaCoin, a Japanese cryptocurrency. So far the only loss identified in the alleged theft is of 15 thousand Yen, roughly $660, but police are investigating to determine whether there might be more victims. The unnamed boy says he's innocent, because, "I didn't do it with malicious intent."
Dave Bittner: [00:09:04:14] Finally, lies again receive a bodyguard of truth, in this case truth in the form of links to legitimate news articles reporting the apprehension of various online fraudsters. They're appearing in phishing emails to lend verisimilitude to what would otherwise be a bald and unconvincing narrative. The emails represent themselves as being from the Internet Crime Complaint Center, commonly known as the IC3. The typical phishbait is to tell the recipients that they may be entitled to compensation from companies that have abused them. If you open the attached text file you'll be downloading an information stealer. If you visit the link to a fake IC3 site you'll be prompted to enter a lot of personal information. The FBI warns everyone against taking the bait. And the real IC3 site is easy to remember: it's ic3.gov.
Dave Bittner: [00:09:56:03] And now a few words about our sponsor, DataTribe, the successful and growing cybersecurity start up studio. They're doing something different to bring on board some of the freshest talent to the sector. They're launching the DataTribe cyber competition. A competition to identify high technology start ups who've got a vision to disrupt cybersecurity and data science. The three finalists will split $20,000 in prize money, but that's just the beginning. Finalists will be considered by DataTribe for up to $2 million in seed funding. Start ups with less than $1.2 million in seed financing are eligible to apply and contestants have until March 23rd to apply at datatribe.com/go/cybercompetition. And if you've got questions, DataTribe has answers. Email inquiries to firstname.lastname@example.org. Successful companies backed by DataTribe include ReFirm Labs, Enveil and Dragos which recently made headlines over CRASHOVERRIDE and TRISIS. So check it out. It's datatribe.com/go/cybercompetition. And we thank DataTribe for sponsoring our show.
Dave Bittner: [00:11:08:17] And I'm pleased to be joined once again by Joe Carrigan, he's from the Johns Hopkins University Information Security Institute. Joe welcome back.
Joe Carrigan: [00:11:15:15] Hi Dave.
Dave Bittner: [00:11:16:16] So we have some more follow up from Nathaniel Yu who wrote into us.
Joe Carrigan: [00:11:21:23] OK.
Dave Bittner: [00:11:22:02] He's talking about passwords--
Joe Carrigan: [00:11:24:11] One of my favorite subjects.
Dave Bittner: [00:11:25:06] I know, well, that's why I saved it for you. He said, "Instead of telling users not to write down passwords and instructing them to construct complex and long passwords, issue them randomly generated and distributed 12 digit passwords on a sticky note and teach them that they can easily keep them safe by adding a uniform pass phrase to the beginning or end of each password. This is an idea I came up with earlier on that I call a brain token. This allows people to only have to ever know one password for work at a time." Now that's an interesting idea. If you, you can, this allows you to write down your password because you keep this secret component of it in your head and you don't share that with anyone and you either add that to the beginning or end of a password. Seems reasonable?
Joe Carrigan: [00:12:09:00] It, it seems like a good idea. I'm gonna, if I had to vote on this one, I would vote this one down.
Dave Bittner: [00:12:14:07] Really, OK, go on.
Joe Carrigan: [00:12:15:14] Yeah, so, here's my concern with it. You're handing out the 12 characters of alpha numeric information that are, that are not to be remembered and you're putting them on Post It notes and you're writing it down. So you're writing down a portion of the password.
Dave Bittner: [00:12:27:09] Right.
Joe Carrigan: [00:12:27:24] So now if the user believes that the password is secure because they've got this secret piece, what is the secret piece? They're probably not gonna pick a very long and difficult to remember secret piece because they've already got a, a randomized piece that's written down.
Dave Bittner: [00:12:44:19] So this is where the person would say, they'd add one-two-three at the end of it. And that's not secure.
Joe Carrigan: [00:12:48:17] Exactly, well, they don't know what my code is but now, now we're just back to guessing passwords again once I get your 12 digit code, I can just go in and brute force your password using easy guesses. And I'll bet 80 to 90 percent of the time I can, I can get it pretty quickly. Rather than doing this, what I would suggest people use is either a password manager or a two-factor authentication. And a lot of times in two-factor authentications you can do exactly what the listener's suggesting here. You can prepend or postpend some extra digits to a, to an authentication token that is usually either a piece of hardware that you have or it's a, an app on your phone. I'd prefer to have the piece of hardware rather than the app on the phone.
Dave Bittner: [00:13:30:22] Yeah. What I have heard people suggest with this, this brain token idea that I think is interesting is that you use it in addition to your randomly generated passwords from your password manager. Because you and I have talked about the idea of if they get, if they get into your password manager, they pwn you. So this way, if you allow your password manager to create a long password and then in addition to that you have this brain token, that takes away the danger of someone basically owning your password manager. They get in to there, you know.
Joe Carrigan: [00:13:59:02] Correct. I think that's a good idea, I think that's a good use of a brain token kind of concept. Because you're still using large random passwords that are difficult to guess, if not impossible and now you're making it, you're hedging your bet that somebody has come in, into your computer somehow or they've gotten into your Cloud based password management system and now they, they have the keys to your kingdom. So you're protecting that by adding an extra bit of information to it and then the idea being that if, once they start testing your passwords and they find none of 'em work, they just throw the whole thing away.
Dave Bittner: [00:14:33:10] Yeah.
Joe Carrigan: [00:14:34:03] And I think that's a good defense.
Dave Bittner: [00:14:35:20] Yeah, sort of your own built-in two-factor in a way.
Joe Carrigan: [00:14:38:11] Correct, yeah.
Dave Bittner: [00:14:39:17] Alright, very good. Joe Carrigan thanks for joining us.
Joe Carrigan: [00:14:42:02] It's my pleasure.
Dave Bittner: [00:14:44:21] And that's The CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:15:06:20] Don't forget to check out the Grumpy Old Geeks Podcast where I contribute to a regular segment called Security, Huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future Podcast, which I also host. The subject there is threat intelligence and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:15:35:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.