Russian APTs target EU governments. FIN7 is back. Google and Facebook scammed.

Dave Bittner: [00:00:04:02] Fancy Bear and Sandworm are launching cyberespionage campaigns against European governments before the EU parliamentary elections. The FIN7 cybercrime group is still active and it's using new malware. A scammer stole more than $100,000,000 from Google and Facebook. Facebook stored hundreds of millions of passwords in plaintext for years. And chatbots can learn to impersonate you based on your texts.

Dave Bittner: [00:00:36:11] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber-intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe to and profit from Recorded Future Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want, actionable intelligence. Sign up for the Cyber Daily email and every day you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to RecordedFuture.com/cyberwire to subscribe for free threat intelligence updates. That's RecordedFuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:47:01] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 21st, 2019.

Dave Bittner: [00:01:55:12] Two Russian APT groups are targeting European NATO member states with ongoing cyberespionage campaigns ahead of the EU parliamentary elections in May. Researchers at FireEye observed both large-scale and highly targeted phishing operations launched by Sandworm and APT28 against European government institutions with the goal of stealing credentials.

Dave Bittner: [00:02:18:18] Sandworm is the group believed to be responsible for the 2017 NotPetya attacks. APT28, also known as "Fancy Bear", was one of the threat actors that hacked the Democratic National Committee in 2016. FireEye says their efforts seem to be coordinated although the two groups use different tools and techniques. Sandworm prefers publicly available hacking tools while APT28 leans toward custom-made malware and zero-day exploits.

Dave Bittner: [00:02:48:05] The campaigns are believed to have three primary objectives. The first is stealing information and credentials for use in future attacks. The second is gathering intelligence to give Russia a diplomatic advantage. The third is collecting data to assist in information operations. FireEye didn't specify which organizations were targeted or whether or not the attackers got their hands on sensitive data but it did say that attack campaigns of this size are generally successful.

Dave Bittner: [00:03:17:08] It's not clear if these campaigns are directly focused on influencing Europe's upcoming elections or if they're part of a more general cyberespionage operation. FireEye thinks it's safe to assume however that European voting systems and political parties are very tempting targets for Russian intelligence. CNBC notes that FireEye's findings are in line with an announcement from Microsoft last month in which Microsoft warned that APT28 was launching phishing attacks against European think-tanks and non-profit organizations. At a leader's summit taking place in Brussels today and tomorrow, European Union leaders are expected to urge governments to do more to protect the upcoming elections against coordinated information operations by foreign powers.

Dave Bittner: [00:04:05:08] The FIN7 cybercrime group is still active, despite the arrests of several of its members last year. Flashpoint says the group is using two new strains of malware which researchers have dubbed "SQLRat" and "DNSbot." The criminals are also using a new attack panel called "Astra" which acts as a script-management system that can push scripts to compromised computers.

Dave Bittner: [00:04:29:05] When an employee leaves your company, what kind of information are they allowed to take with them? Their contacts list? Samples of code they've written? Researchers at data loss prevention company Code42 have discovered there's a surprising disconnect between what employers and employees think they're entitled to. Jadee Hanson is CISO and VP of the information technology team at Code42.

Jadee Hanson: [00:04:54:07] When you think of insider threat there's two camps, the malicious and the non-malicious. Certainly there's issues that happen that result from both. In my opinion we're seeing more and more happen on the malicious side than we have before and as our defenses and security grow stronger, I feel like we're gonna see more and more malicious behavior internal to companies. We recently did a study about just taking data outside of companies and the response for those that feel entitled to the data that they create while they're at a company was astounding. We had over 72% of the CEOs that we interviewed admit that they were taking data external to the company that they were working for.

Dave Bittner: [00:05:47:23] And what do you mean by that? What sort of data were they taking?

Jadee Hanson: [00:05:50:24] So any of the data that you create while you're at a company is effectively property of that company. We shouldn't be grabbing all the data that we have when we're working at a company and putting it on a USB drive and taking it to a competitor or to our next position. And what we found through this survey was that a lot of the people that left companies were taking their data with them, what they thought was their data because they felt this entitlement to the data that they created. And this was at every level from the entry level analyst all the way to the CEO.

Dave Bittner: [00:06:29:02] Do you think there's any failure on the part of the company, to really be clear about what is off limits?

Jadee Hanson: [00:06:35:19] Yeah, that's an interesting question. I do and I don't. Certainly I think there's a level that companies have to communicate what's allowed and what's not allowed but that goes beyond even just data movement, it's all sorts of different security policies. But then there's also an element where if employees know you're watching what they took and what they put on USB drives, they wouldn't do it. They wouldn't move the data as often as they do now. I've led a number of different insider trap programs and one of them that we led we were pretty quiet about what we were monitoring and the results of that one were people would take all sorts of information and when we would follow up with legal notice or some sort of follow-up to say we saw what was going on, the reaction was almost surprise. Like, "Oh, my gosh, I didn't know you were watching and I'm sorry and let me delete it." Versus when you're really, really transparent about what you're doing and what you're watching and you tell employees, you know, "You can't move IP, you can only move personal information," the volume of what employees take certainly goes down. Employees that are acting maliciously still do take data.

Dave Bittner: [00:08:00:19] So let's talk a little bit about breach fatigue. Do you suppose that the endless news reporting of one breach after another, is that a barrier to effective insider threat defense?

Jadee Hanson: [00:08:14:09] Yeah, and I think even broader. If you think about what's going on within the cybersecurity industry, every single year we outpace the previous year for number of records compromised. And in the same sense the amount of money that we're spending on response to breaches is going down. So, year over year, 17 to 18, we were down 10 per cent in terms of the response dollars that were spent. You can read into that but my read is that we're spending less on the response, meaning we're falling victim of this breach fatigue issue. And if you think through it the giant breaches that hit in 2011 were what was talked about forever and were such a big deal and now you wake up to a headline of some sort of company being breached almost every day. It's interesting to me but I do think the consumer and businesses are getting more immune to this news story and when that happens, you get less investment and less focus on it. And it's almost like certain companies are giving up on protecting it to the extent that they should and doing the bare minimum which is a very scary spot to be in from a cybersecurity perspective.

Dave Bittner: [00:09:37:21] That's Jadee Hanson from Code42.

Dave Bittner: [00:09:42:14] Facebook stored hundreds of millions of users' passwords in plaintext within a database that was searchable by 20,000 Facebook employees, Brian Krebs reported this morning. The issue was discovered in January when a security team was reviewing some new code and noticed that the code was logging passwords in plaintext. The team launched a wider investigation to find other places where this was happening and the company is still in the process of determining the extent of the problem. Krebs spoke with an anonymous senior Facebook employee who said between 200 and 600,000,000 Facebook users may have been affected dating back to 2012.

Dave Bittner: [00:10:21:02] Facebook partially confirmed the report in a blog post earlier today, saying that it plans to notify hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users that their passwords were being stored in a readable format within the company's internal data storage systems.

Dave Bittner: [00:10:41:04] Facebook Lite is a version of Facebook designed for areas with low Internet speed and expensive bandwidth. Facebook emphasized that, "Passwords were never visible to anyone outside of Facebook," and the investigation has, "Found no evidence to date that anyone internally abused or improperly accessed them."

Dave Bittner: [00:11:01:15] The Irish Data Protection Commission which has jurisdiction over Facebook's European headquarters under GDPR said it was notified by Facebook and it's currently seeking further information.

Dave Bittner: [00:11:13:23] A Lithuanian man pleaded guilty in a New York court yesterday to scamming Facebook and Google out of $123,000,000 over the course of three years. The man registered a company in Latvia that shared a name with a legitimate computer hardware manufacturer based in Asia. He then used a variety of fraudulent invoices and contracts to trick Facebook and Google employees into wiring him millions of dollars at a time. Facebook is said to have lost $100,000,000 from the scams. Google lost $23,000,000.

Dave Bittner: [00:11:47:04] Finally the Register notes that a machine learning engineer has created a bot that can learn to impersonate someone based on text samples of their conversations. The bot was based on research published last month by the artificial intelligence research organization OpenAI. OpenAI said it had developed a language model capable of advanced tasks such as generating coherent paragraphs of text without task-specific training. OpenAI withheld most of the software from the public however, fearing that it would be abused to create what the Register calls, "The equivalent of deep fake videos for the written word."

Dave Bittner: [00:12:24:06] Using the limited amount of research that was released however, the engineer was able to develop a bot that can impersonate you by learning from your messages in Facebook Messenger. This particular bot is fairly rudimentary but its developer warns that it wasn't difficult to make and he expects to see more sophisticated versions of this technology being used for malicious purposes very soon.

Dave Bittner: [00:12:52:07] And now a word from our sponsor, LookingGlass Cyber Solutions. When it comes to digital business risk, you don't want a general admission perspective. Get a back stage pass for the LookingGlass digital business risk roadshow this spring to learn the industry latest on effective third-party risk management tactics to protect your employees, customers and brand, taking a proactive security posture to combat today's sophisticated threat actors and a cybercriminal mastermind's insights on manipulating your organization's cyber strengths and weaknesses. Come see LookingGlass in a city near you. The tour includes Atlanta, Charlotte, Chicago, San Francisco, New York City, DC and Houston. They hope to see you at the show. To learn more about the roadshow and register, visit their website, LookingGlassCyber.com. And we thank LookingGlass for sponsoring our show.

Dave Bittner: [00:13:56:06] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. We saw an interesting article over on the Lawfare blog and this had to do with Section 215 and some whispers about some potential changes here. What's going on?

Ben Yelin: [00:14:14:16] Yeah, so Section 215 of the USA Patriot Act is the provision that we found out allows for the government to collect nearly all domestic phone records as part of a national security surveillance program. If you'll recall this was one of the programs revealed in the 2013 Edward Stone disclosures. Under those disclosures we found out that most of the major telecommunications companies were routinely handing over metadata, so information on who made a phone call, who received the phone call and the duration of the call, over to the NSA and they were holding those records for over five years. Obviously that caused major controversy particular among privacy advocates. So Congress amended the law in 2015. The way that law works under what's called the USA Freedom Act, is that the telecommunications companies themselves now hold those call detail records and the government has to obtain a warrant from the Foreign Intelligence Surveillance Court to access those records.

Ben Yelin: [00:15:16:00] Now that program is up for re-authorization at the end of this calendar year and there have been whispers from staffers on Capitol Hill, on the relevant intelligence committees, saying that it's possible not only that the program will not be re-authorized but that the National Security Agency and other elements within the federal government are no longer using the call detail records program at all.

Ben Yelin: [00:15:42:20] Part of that stems from an announcement the NSA made almost a year ago where they said that because a bunch of phone records were not authorized to be obtained and were obtained by the National Security Agency, the NSA had to scrub up to five years' worth of CDR, call detail records, data. Now they didn't make any announcement at the time that they were suspending collection to that program but this has Fed whispers that the program is dysfunctional, it's too much of a legal headache, it exposes our government to legal liability and controversy and it's frankly ineffective. The government's Privacy and Civil Liberties Oversight Board under President Obama wrote in a detailed report in 2014 that this program hasn't really done anything to stop terrorist attacks and frankly, and this is something the Lawfare blog article mentions, the technology has changed.

Ben Yelin: [00:16:40:23] And not only has the technology changed but the terrorist organizations that we need to monitor to protect our national security themselves have changed. Al-Qaeda was a very top-down run organization. You could draw connections between low level individuals and whether they were connected to the high level Al-Qaeda apparatus through figuring out who these people made phone calls to. Much more difficult in the current era. ISIS in particular has much less of a top-down structure. It's far more disorganized. It's composed of smaller factions and terrorists have adopted to the technology themselves. They're using encrypted apps, messaging services, rather than just making phone calls. So as a result the program, I think, has perhaps run its course in terms of its effectiveness and because it has become so controversial and has subjected our government to lawsuits and controversy, I think there's a good chance that by the end of 2019 we may get the definitive end of the call detail records program.

Dave Bittner: [00:17:55:24] So I suppose people on the civil liberty side would take this as a win regardless of how it comes.

Ben Yelin: [00:18:04:07] Absolutely. Now of course they wouldn't warn us that these are so far just the murmurs of congressional staff. I think one of them was quoted in an obscure article and this kind of became fodder for the national security surveillance community online. There was excitement that this finally might be the death knell for the call detail records program and there are obviously other programs conducted under the authority of the NSA that are controversial but this was one that really stuck out in the post Snowden freak-out we all had over government surveillance. So, yeah, no matter how it ends I think it would definitely be considered a victory for civil liberties advocates.

Dave Bittner: [00:18:45:08] Ben Yelin, thanks for joining us.

Dave Bittner: [00:18:53:23] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at ObserveIT.com. The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I've Dave Bittner. Thanks for listening.