Commodity credential stuffing gets four new collections. Google was also doing a pay-to-pwn, like Facebook. Russian trolling. FaceTime bug investigation. Joanap botnet. Other online scams.

Dave Bittner: [00:00:03] Collections No. 2 through No. 5 join collection No. 1 in hacker forums. Google is found to be collecting data from devices in much the same way its advertising peer Facebook was. Russian trolls seek to discredit the special counsel's investigation of influence ops. New York state opens an investigation into Apple's response to the FaceTime bug. The U.S. Department of Justice aims to disrupt a North Korean botnet. And a rundown of some current online scams.

Dave Bittner: [00:00:38] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day, you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:39] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 31, 2019.

Dave Bittner: [00:01:48] You will recall Collection No. 1, the big aggregation of old breaches that was released earlier this month to much discussion. A great deal of the hype surrounding Collection No. 1 quickly came to be regarded as just that - hype - since the material had been known to be out in the wild for some time. Now Collections No. 2 through No. 5 are now in circulation. And WIRED reports that the five data sets now include some 2.2 billion records. That's even bigger, to be sure, but it's still much the same - the result of old compromises. This time, the usernames and passwords aren't being hawked in the dark web markets, where they've already, for the most part, been on offer. Instead, they're being dumped into various hacker forums and shared in torrents.

Dave Bittner: [00:02:35] How consequential this sort of information will prove to be remains to be seen. Researchers at Germany's Hasso Plattner Institute told WIRED they'd seen signs that some of the combinations - a lot of them, actually - don't appear in common lists of hacked credentials, which suggests to them that they may have been harvested in little-known subsidiary attacks. In any case, you don't have to believe that quantity has a quality all its own to find yourself troubled by the collections.

Dave Bittner: [00:03:05] The principal risk here seems to be that of commodification. Collections No. 1 through No. 5 are likely to make it possible for poorly skilled skids to conduct low-end but still threatening credential-stuffing attacks. So don't reuse passwords, and change any of yours that might have been collected in the collections, No. 1 through No. 5. Don't underestimate the danger of compromised accounts. They're always a problem. A new report by Agari Research, for example, estimates that one in five advanced email attacks were sent from compromised accounts.

Dave Bittner: [00:03:42] Google has joined Facebook in acknowledging that it paid users to allow access to their phones, TechCrunch says. What Mountain View was up to did, indeed, look a lot like what their Silicon Valley neighbors were doing with the Facebook research app. What Google offered was an app called Screenwise Meter. It invited users 18 and older, or, if they were members of a family group, 13 and older, to earn gift cards by sideloading a VPN that gave Google comprehensive insight into essentially everything they're doing online. As Fortune notes, Apple may be Facebook toughest regulator. Cupertino is not happy with what it takes, with some reason, to be violations of its terms of service, and that may count for more, in the short term, at any rate, than any legal or regulatory action from government bodies.

Dave Bittner: [00:04:32] The Washington Post, The Telegraph and WIRED all observe that public expressions of contrition aside, Facebook seems to be shrugging off its string of bad news, at least in terms of the results of reports. But big tech as a whole is increasingly looking like the steel industry near the end of the Gilded Age.

Dave Bittner: [00:04:52] While ransomware may have fallen off in prominence in 2018, there are some sectors where it's expected to increase over the next few years, and one of those is health care. Hospitals, in particular, have a delicate balance to strike between effective cybersecurity and not getting in the way of doctors, nurses and caregivers. Lewie Dunsworth is chief information security officer and executive vice president of technical operations at Herjavec Group.

Lewie Dunsworth: [00:05:19] It really comes down to patient care, in my opinion. You have a lot of doctors that are trying to provide care to their patients. And the priority to secure data - good, bad, indifferent - is usually secondary. It's a delicate balance, I think is the best way I can describe it. And there's just natural friction between the two.

Dave Bittner: [00:05:46] Yeah, it's an interesting tension, isn't it? I mean, because, as you say, the doctors, rightfully, have the No. 1 priority, of course, of being - treating their patients and protecting, you know, lives and health and so forth. But when a ransomware attack happens, then you've got that very same problem. With - when those systems go down, that can be a threat to life and limb.

Lewie Dunsworth: [00:06:09] Exactly. It's a chicken-and-the-egg scenario, right? Which do you focus on first? And I think when you deal with security on a day-to-day basis, a lot of what you deal with and what you know is very intuitive to you, meaning that that's the world that you live in, you're trying to secure environments, etc. But on the flip side, with a doctor, what is very intuitive to them is - how do you make sure that you're able to provide the appropriate level of care to your patients? And I think to get them to understand, No. 1, what you're trying to do and why you are trying to do it is counterintuitive to everything that they focus in on a daily basis. You almost become a salesman of sorts within these organizations to help them understand that if you don't do X, Y and Z, it's going to impact your ability to provide the appropriate level of care to your patients.

Lewie Dunsworth: [00:07:07] And if you're in an environment that hasn't seen that type of breach activity before or been impacted in a negative way, it's very difficult for them to understand the potential impacts. How do I develop a plan that I can show over time will improve the security posture of my environment? I mean, as an example, you know, when I was - at one point time, I worked for Cerner, which is a very large health care IT provider across the globe. And we had this Cerner health care leadership program that, as a process - or part of the process of going through that program, you had to physically go out on site and work in a provider's environment for a day just so you could understand how they use their systems, how they operate, the pain points they have, etc.

Lewie Dunsworth: [00:07:59] And what you found was a few different things that were very interesting. No. 1, a lot of the frustration with the providers are usually less about security and just the fact that you had to deal with technology. So having to put stuff into a system that they didn't quite understand or wasn't intuitive to them all the way to, you know, being able to connect with a wireless device on a wireless network that just wasn't as reliable as a pen and paper. And you layer security on top of that and you say, OK, I'm going to put more restrictions on top of that to protect the environment, and they're at a point already where they're saying, well, you're trying to protect an environment that I can't even operate or function in right now or it's very difficult or painful for me or whatever it may be. So you flip the script to the point to where you communicate in their terms.

Lewie Dunsworth: [00:08:54] So the outcome that you're trying to get to is to prevent a ransomware attack that would prevent them from being able to provide health care to their clients. So once you start to articulate it in a way to them that is very patient-focused, at that point in time, they kind of bring down the walls a little bit and start to want to understand more. You know, educate me more on what you're trying to do, etc. And as soon as you get to that point and they're having that dialogue with you to help - or to try and understand why you're doing what you're doing, at that point in time, you know you've had a small success, and you can at least push the bar forward. The fundamentals are the same. It's the approach and execution of how you enable an environment to be more secure.

Dave Bittner: [00:09:44] That's Lewie Dunsworth from Herjavec Group.

Dave Bittner: [00:09:48] With information operations, lies usually receive a bodyguard of truth. Witness the story as reported by The Washington Post of Russian claims that special counsel Mueller's office has been hacked. That's the lie. The truth that guards it is a set of documents involving the special counsel's case against a Russian firm, genuine documents that were obtained through regular legal disclosure and not by hacking. The documents were altered and then released by a now-suspended Twitter account, @hackingredstone, which was also pushing memes associated with the well-known St. Petersburg troll farm the Internet Research Agency. The altered documents were released through proper disclosure to counsel representing Concord Management and Consulting, a firm owned by Yevgeny Prigozhin, that's accused of funding the Internet Research Agency. The special counsel says the apparent intent of the documents' release was to discredit the investigation into Russian trolling.

Dave Bittner: [00:10:50] The U.S. Department of Justice says that it's preparing to disrupt North Korea's Joanap botnet and has the necessary court orders to do so. It will do so, the DOJ says, by mapping the botnet and notifying its victims. The operation follows the indictment of North Korean citizen Park Jin Hyok whom the Justice Department identified last year as a member of the Pyongyang-backed conspiracy to carry out computer intrusions using Brambul malware. Among Brambul's functions was propagation of the Joanap botnet.

Dave Bittner: [00:11:24] New York's attorney general has announced that it's opening an investigation of Apple for the company's alleged tardy reaction to the FaceTime bug. This seems a bit starchy since it's not clear that Apple was really all that unreasonably tardy. Sure, it took them a week. But on the other hand, it was a bit of a slanted disclosure - righteous disclosure but a little outside the ordinary. In any case, the Empire State is cutting Cupertino no slack. New York issued a consumer alert on Monday and has opened up a 1-800 line for any irate customers who wish to pile on.

Dave Bittner: [00:11:59] We'd be remiss if we didn't point out the number of new ransomware and other malspam capers in circulation. You can find links to stories about all of them in today's CyberWire daily news briefing, which you can find at thecyberwire.com. Here are some of them in brief. First, Altran Technologies has shuttered its network and applications to protect its assets and its customers' data after Altran was hit with a new variant of LockerGoga ransomware. Sophos offers a close and instructive look at a bit player, the niche ransomware strain Matrix.

Dave Bittner: [00:12:33] If you're in Japan, watch out. "Love you" malspam is getting a makeover for a campaign that's got Japan in its crosshairs. ESET warns that "Love you" has been distributing GandCrab ransomware and the Phorpiex worm, malware that will change system settings and, of course, a cryptojacker. Trickbot is out and about again. My Online Security reports that it's being distributed by spam that misrepresents itself as a JP Morgan Chase confirmation notice.

Dave Bittner: [00:13:05] And finally, those YouTube stars are back. But this time, it's really not their fault. Grifters posing as people with lots of YouTube followers are offering bogus reward scams that hoodwinked about 70,000 victims in less than a month. Security firm RiskIQ reports that followers of Philip DeFranco, James Charles and Jeffree Star - you know who you are - received direct messages inviting them to claim their reward. Those who did did to their sorrow. If you are tempted, remember: you're probably better off investing in lottery scratch-offs.

Dave Bittner: [00:13:45] Now, a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:53] And joining me once again is Mike Benjamin. He's the senior director of threat research at CenturyLink. Mike, great to have you back. We wanted to touch on another one of the botnets that you all are keeping track of. This one is called TheMoon. What do we need to know about this one?

Mike Benjamin: [00:15:08] Yeah, thanks, Dave. So TheMoon is particularly interesting 'cause it's following a trend that we're seeing towards targeting websites. And so TheMoon is - from an infection perspective, it is installing itself on IoT devices, embedded Linux devices - big shocker. We're seeing a lot of malware families out there doing that. But in this case, the actors targeting those - because their goal is to deliver a SOCKS proxy that they can use against valid websites. And what better way to hide yourself from a major website operator than actually proxy the attack commands through a real user in a real home? That's a great way to hide yourself as an actor. And so the - like I said, embedded Linux targeted malware installs itself, downloads a module, which is really a SOCKS proxy. And the SOCKS proxy is then used to allow things - and I'll describe more of what I mean in a second - to proxy through the, you know, tens or hundreds of thousands of infected hosts to carry out what they're seeking.

Dave Bittner: [00:16:10] When you say things, what are you describing here?

Mike Benjamin: [00:16:13] We have seen the actor behind this actually selling their service to other people. And so the actor has sold it to people that we've seen trying to brute force credentials on certain websites - you know, very popular ones that we've all heard of and all use on a daily basis. We've also seen it using the soft proxy footprint to validate leaked credentials, phished credentials, credential reuse. And so by sending hundreds of thousands of login attempts, they can actually clean a dataset to discern what can be used against a particular target website.

Mike Benjamin: [00:16:47] But one of the more fascinating ones that we saw was that the actor had sold their SOCKS proxy service to a video ad fraud network. And so the actor who was buying the SOCKS service was actually using it to click on video ads in an automated fashion. And the way we knew that was - by analyzing the network data that we utilize, we were able to see a particular host that was interacting with a ton of the SOCKS proxies. And so in investigating it, we saw that it had an open port where the ad fraud network was actually logging in real time, in plain text, with no authentication all of the fraud that they were committing - every log of every event there for the world to see. And so by taking that dataset in its logs and looking at our SOCKS proxy network, we were able to see that they were using almost the entire network for their ad fraud. And so that - the actor is selling it to multiple things.

Dave Bittner: [00:17:39] That's fascinating. And so in terms of folks protecting themselves against this, what are your recommendations?

Mike Benjamin: [00:17:45] So it goes back to - well, unfortunately - the basic blocking and tackling of security. And I say unfortunately because we've all known this for, in some cases, 20 years. Don't deploy equipment with default usernames and passwords. Make sure you stay up on patches. Don't expose services you don't need to. Minimize the attack surface. And so just like any other IoT attack, those are the primary factors. They are known exploits. They are known default configurations. Most of these attackers are not doing anything particularly advanced. From time to time, they are. But it is typically pretty simple to remove and eradicate the infection if they were to do anything 'cause very quickly, through the volume of their attack, folks like ourselves are able to share with the Internet community what's going on and describe what the attack vector is. And the vendors are able to patch their equipment pretty quickly.

Dave Bittner: [00:18:33] Yeah. It really strikes me with so many of these botnets that it's really - you know, it's volume, volume, volume.

Mike Benjamin: [00:18:39] Absolutely. And if you think - in this case, the ability to send more login attempts from more places means they can obfuscate and hide themselves over a longer time period, especially if they're able to be calm and be very patient in their attacks. In many cases, the folks at the other end of this - those that are attempting to eradicate it on the website end - this is a very hard area to work on. We know that because through the datasets we have, we've worked with multiple of them. This is something that they're left battling every day right now and is a very common attack against their websites.

Dave Bittner: [00:19:14] All right. Well, Mike Benjamin, thanks for the update, and thanks for joining us.

Dave Bittner: [00:19:22] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:35] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.