The CyberWire Daily Podcast 2.12.18
Ep 534 | 2.12.18

Olympic hacking, cryptojacking and other illicit coin mining. Ransomware updates. The curious case of an alleged kompromat buy. Bots turn to ticket scalping.

Transcript

Dave Bittner: [00:00:00:18] Thanks again to all of our Patreon supporters, you can find out how you can become a supporter at Patreon.com/thecyberwire.

Dave Bittner: [00:00:11:07] The Winter Olympics report ongoing hacking. Cryptojacker hits government websites in the UK, Australia and the US. Engineers use a research institute's supercomputer to mine Bitcoin in Russia. The Equifax breach may be bigger and worse than hitherto believed. The Sacramento Bee deletes an encrypted database rather than pay the ransom. IBM patches Spectre and Meltdown. The CIA says it was no way bilked by a proffered sale of kompromat. And bots scalp airline seats.

Dave Bittner: [00:00:46:19] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future, they're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to Recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:53:16] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Monday, February 12th, 2018.

Dave Bittner: [00:02:03:20] Olympic officials have confirmed that the Winter Games' official website was hacked during the opening ceremonies and remained unavailable for some 12 hours. A Pyeongchang 2018 spokesperson said the incident was a cyberattack and suggested that they know who was responsible. They will not yet offer any attribution "in line with best practice." Tabloid speculation calls out the Russian mob and discerns a conventional criminal motive, but it's far too early to credit any snap judgment about cause and motivation.

Dave Bittner: [00:02:37:03] The Russian Foreign Ministry has released a preemptive, more-in-sadness-than-anger denial that Russia has any involvement in Olympic hacking, and said that people should expect to hear the Westerners indulge their usual baseless accusations.

Dave Bittner: [00:02:50:23] While the Olympic organizers have been working to restore security and service, statements by officials seem to indicate that they regard the problem as ongoing.

Dave Bittner: [00:03:00:17] Researchers over the weekend found cryptojacking on government websites in the UK, the US and Australia. The miner, CoinHive, was apparently introduced through an accessibility plug-in, Browsealoud, developed by the British firm Texthelp. Texthelp confirmed that it was compromised and that the mining code was injected into its software. Investigation is in progress. This sort of code compromise is unusual in cryptojacking. The most common place one finds cryptojacking script is on adult sites: a Qihoo 360 Netlab investigation finds that 50% of cryptojacking deployments are on adult content sites.

Dave Bittner: [00:03:41:09] Not all problematic coin mining is done through cryptojacking. Sometimes it's just insiders misusing their access to powerful machines. Russian police have detained some engineers at the All-Russia Research Institute and Experimental Physics in Sarov in connection with their use of their work supercomputer to mine coin. The Russian Interfax news agency says the supercomputer they used was a big one - big to the tune of one petaflop. The Institute's director described it as, "an attempt to make unauthorized use of office computing capacity for personal purposes, including for so-called cryptomining." The wayward employees apparently were unaware that connecting the big machine to the Internet to mine coin would make Security suspicious. Oh, and they were mining Bitcoin, apparently, not our preferred alt-coin, Voppercoin. Anyway, the FSB has arrested some of these employees of the month in what sounds like a sitcom plot gone bad. Speaking of sitcoms, Gennady Bukin was unavailable for comment.

Dave Bittner: [00:04:43:20] Ukrainian police made a similar arrest, Friday, at a university in Lutsk.

Dave Bittner: [00:04:48:21] Don't feel smug, though, Yankee. That big Equifax data breach turns out to have been worse, apparently, than originally believed. It was thought the 2017 breach exposed names, dates of birth, driver's license numbers, credit card data and addresses of about 143 million Americans, and that it did. But a US Senate investigation may have turned up more data lost, including: email addresses, license state, date of issue of those licenses and tax identification numbers.

Dave Bittner: [00:05:20:00] The Sacramento Bee newspaper has decided to delete its legally obtained California voter database rather than pay extortionists to decrypt it. California officials say the personally identifiable information held for ransom, and possibly copied for resale by the extortionists, wasn't all that sensitive, because it didn't include, for example, social security numbers, but that seems a bit like whistling in the dark. Even data short of fullz can be used for unpleasant criminal purposes.

Dave Bittner: [00:05:50:04] Not all the ransomware news today is bad, however. Here's some nice news indeed: Belgian police have released decryption keys for Cryakl ransomware on the No More Ransom site. So bravo Belgium.

Dave Bittner: [00:06:03:15] IBM has issued patches for Spectre and Meltdown and warned of a Lotus Notes bug. Tomorrow of course is Patch Tuesday, and observers think we may see an Adobe quarterly update as well as the usual Microsoft fixes.

Dave Bittner: [00:06:18:15] The CIA says reports it gave $100,000 to a Russian informant as a down payment on $1m promised for discreditable kompromat on President Trump are a lot of hooey. That is, as Langley puts it, the reports are "patently false". Specifically, the agency denies that it was swindled. Their statement, as reported by AFP, says, "The fictional story that CIA was bilked out of $100,000 is patently false. The people swindled here were James Risen and Matt Rosenberg." Risen and Rosenberg were the reporters for, respectively, the New York Times and the Intercept.

Dave Bittner: [00:06:57:13] So to be clear, Langley denies it was cheated, and such a denial is consistent, as everyone will soon be pointing out, with either a denial that they engaged in any such transaction, or denial that they were hoodwinked, because maybe they got good value for whatever they paid - if they paid anything.

Dave Bittner: [00:07:15:21] This very odd and still developing story derives mostly from reports in the Times and the Intercept. The alleged transaction is said to be part of an operation to recover stolen classified information, which is itself at least as odd as any alleged kompromat. We will refrain from speculation and watch whatever develops.

Dave Bittner: [00:07:35:22] And finally, do bots grok supply and demand? Some botmasters apparently do. Security firm Distill Networks is bot-hunting, and it's doing so in the service of an industry that's being disrupted, as the kids like to say, by on-line travel and pricing services. Why bother with a travel agency if you can find the best pricing and most convenient arrangements quickly, on-line, for yourself? So on-line travel services have disrupted the travel agency. But wait, unscrupulous agents are said to be thinking: what if we could get bots to reserve all the discounted seats on airline flights, then scalp them? You can hold a seat for 24 hours without paying for it. The bots do that, then, when the free day is up, they cancel and repeat.

Dave Bittner: [00:08:20:20] Not everyone agrees this is a major problem, but it is at least an interesting one, and Distill wants travelers to be forewarned and forearmed.

Dave Bittner: [00:08:21:11] And now a message from our sponsors at E8 Security. We've all heard a great deal about artificial intelligence and machine learning in the security sector, and you might be forgiven if you've decided that maybe they're just the latest buzzwords. Well, no thinking person believes in panaceas, but AI and machine learning are a lot more than just empty talk. Machine learning, for one thing, is crucial to behavioral analytics; you can't recognize the anomalous until you know what the normal is, and machines are great at that kind of baselining.

Dave Bittner: [00:09:02:14] For a guide to the reality and some insights into how these technologies can help you, go to E8security.com/cyberwire and download E8's free white paper on the topic. It's a nuanced look at technologies that are both future promise and present payoff in terms of security. When you need to scale scarce human talent, AI and machine learning are your go-to technologies. Find out more at E8security.com/cyberwire. E8 Security - follow the behavior, find the threat. We thank E8 for sponsoring our show.

Dave Bittner: [00:09:41:17] Joining me once again is Emily Wilson, she's the Director of Analysis at Terbium Labs. Emily, welcome back. We've got the Korea Winter Olympics under way, and in addition to that we've got the 2018 election on the horizon. These are both interesting events that you think provide an opportunity for us to do some comparisons.

Emily Wilson: [00:10:01:07] I think these two events give us a chance to compare to similar events we saw a couple of years ago. Back in 2016 we had the Rio Olympics, and we obviously had a pretty big presidential election here in the US. On the Olympic side I think this is an interesting kind of regional comparison. With Brazil we saw a lot of personal information being leaked, both from citizens and from government employees, and that came out of a lot of new actors popping up, a lot of economic unrest in Brazil, leading up to the Olympics - this was a big six-month campaign with a lot of information being leaked every day.

Emily Wilson: [00:10:36:19] Korea, very different situation. We're seeing different kinds of threats. We're seeing different kinds of actors involved, right. This is a lot less on personal information leaking and a lot more at the nation state level.

Dave Bittner: [00:10:46:17] I remember also with Brazil we saw lots of warnings about carrying your personal devices - people getting their credit cards skimmed, and things like that.

Emily Wilson: [00:10:57:10] Yeah, and I think we've seen in a lot of reports, and also just in some of the work that we do, there's a growing community in South America for these kinds of concerns. Whether it's fraud or some of these more vandalism-style attacks. I think we're just seeing different interests and different calculations in East Asia.

Dave Bittner: [00:11:19:18] How about the election?

Emily Wilson: [00:11:20:20] The election's an interesting one because it is a midterm election, so we're probably not going to see leaked information from delegates, for example, like we saw during the presidential election. Some of these factors have been removed. But I'm curious to see, as we get into these campaigns, especially some of the more contested seats, are we going to see information being leaked about candidates and their families? Are we going to see people leaking information about parties, or maybe specific voters? We've heard a lot in the past couple of years about voter databases being compromised. Recently, just in the past month or so, we heard about another database in California. I'm curious to see how all of this plays out, and what we see kind of happening openly, and what we see behind the scenes.

Dave Bittner: [00:11:56:16] What about this notion, when we talk about the Russians interfering with the last presidential cycle, this notion that it really doesn't matter so much what they're doing. The fact that they're doing it creates chaos and uncertainty?

Emily Wilson: [00:12:20:19] I think there's a lot to be said for compromising trust in a system. Whether that is the integrity of elections. Whether that is the integrity of communications, the integrity of media sources. I think it's not necessarily, to your point, what kind of chaos you create so much as that you create chaos. I think all of us, regardless of politics, are going into this midterm election with a few different things in mind, maybe a few different expectations, a few different biases, and I think that changes the way these games are played.

Dave Bittner: [00:12:56:11] Interesting times for sure. Emily Wilson thanks for joining us.

Dave Bittner: [00:13:03:17] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit Cylance.com. And thanks to our supporting sponsor, E8 Security - follow the behavior, find the threat. Visit E8security.com to learn more. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed and check out the Recorded Future podcast, which I also host. The subject there is threat intelligence and every week we talk to interesting people about timely cybersecurity topics. That's at Recordedfuture.com/pod-cast.

Dave Bittner: [00:13:53:10] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:14:03:15] Our show is produced by Pratt Street Media. Our editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.