The CyberWire Daily Podcast 4.3.19
Ep 814 | 4.3.19

For OceanLotus, a picture is worth a thousand words (or at least a few lines of loader code). Georgia Tech breached. Mounties raid offices associated with Orcus RAT.


Dave Bittner: [00:00:03] OceanLotus, aka Cobalt Kitty, aka APT32, is out and about and using a steganographic vector to deliver its loader. Georgia Tech suffers a major data breach with access to student, staff and faculty records by parties unknown. Research universities remain attractive targets. Reflections on dual-use technologies. The Royal Canadian Mounted Police have raided offices connected with the production of the Orcus RAT, which is either a legitimate tool or a commodity Trojan, depending on whom you believe.

Dave Bittner: [00:00:44] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 3, 2019.

Dave Bittner: [00:01:55] Researchers at the security firm BlackBerry Cylance have new information on OceanLotus, also known as APT32 and Cobalt Kitty, the Vietnamese threat group that's been particularly active over the past few months. They've discovered several purpose-built back doors and evidence that the group is using obfuscated Cobalt Strike beacons for command and control. Most interesting, though, is Cobalt Kitty's payload loader, which is steganographic. It conceals itself inside an image, specifically in a .png file. BlackBerry Cylance points out that the threat group has taken pains to alter the image they use as little as possible, the better to pass through malware screens that might otherwise block it. Once executed, the loader installs either a version of a Denes or a Remy back door on the victim machine. The attack is easily modifiable to carry any number of other payloads. And the researchers think that Cobalt Kitty must have invested quite a bit to develop the purpose-built tools they use. BlackBerry Cylance calls them bespoke, like a suit designed and tailored just for the wearer. This isn't commodity stuff off the rack. It's solid work, so hope you don't run into it.

Dave Bittner: [00:03:12] Many organizations, and particularly smaller ones with limited resources, approach cybersecurity primarily from a defensive posture. Make sure no one can get in and see your stuff. Roy Zur is CEO at Cybint Solutions, and he makes the case that organizations of all sizes need to look beyond security toward intelligence, and even threat hunting.

Roy Zur: [00:03:34] In general, when you think about intelligence collection, it's not different when you think about cyber intelligence. Then we compare it to the more traditional signal intelligence. So personally, my background was I was doing about 10 years of military intelligence in Israel. And, for example, when you need to prevent any attack - let's say it's a suicide bomber or any other military strike that you want to prevent. The way to do that is first to identify the relevant sources that you need to track, and then try to collect the information from these sources, and then analyze the information that you collected from the sources and draw conclusions.

Roy Zur: [00:04:13] So if we think about cyberattacks, for example, there are many different resources in which we can find useful information for potential attacks that happened or will happen. For example, the dark web and hacking forums or marketplaces in the dark web allows us - they allow us to take a look at what is planned to be, let's say, a potential attack that is now planned or a data breach that happened and a specific organization is not yet aware of. Once we track the specific forums and groups and marketplaces in the dark web, we can identify when specific information is being leaked there or being discussed there. And it can provide us, you know, information, or potential information, about a future attack that is going to happen.

Dave Bittner: [00:05:01] Now, from an organizational point of view, how does a company go about budgeting for this sort of thing? How do they dial it in relative to the amount of risk that they may face from this?

Roy Zur: [00:05:10] Right. So in general, when we think about, you know, the medium-sized businesses, most of them will have, you know, a fairly small security team and not necessarily a lot of budget to also manage an intelligence team, or what we call threat hunters. In that case, the most important thing to do is, A, make sure our security teams are also trained on what we call threat intelligence. And by working with many security teams worldwide, I found that there was one gap - one significant gap that almost every security team has - the fact that they lack the skills to also do threat intelligence.

Roy Zur: [00:05:47] That's from - even before you buy tools or invest - I don't know - hundreds of thousands of dollars in new devices and new tools, the skills of understanding how cyber intelligence works and what kind of even online free tools you can use, you know, to better do it for your organization, that's the first step. Then, for the medium-sized businesses, there are many cyber intelligence vendors or cyber intelligence providers that are available, you know, today that you can actually use them as a service. There are analysts, and they use specific technology to track future threats against the organization. For big companies or companies that have a bigger security team, they usually take one of these cyber intelligence vendors, license their tools and actually create a threat hunting team. So in addition to your regular SOC team, security team, you will have an intelligence team in your organization.

Roy Zur: [00:06:46] So it's like every intelligence - or every, you know, defense organization or security organization or government agency - like we do it there, we need to do it in the corporate level. We need to think about our organization like we do in the military. We have our security forces, but we also have our intelligence forces, and they have to communicate with each other.

Dave Bittner: [00:07:06] That's Roy Zur from Cybint Solutions.

Dave Bittner: [00:07:11] There's trouble these days among the Ramblin’ Wrecks. Georgia Tech learned late in March that it had sustained a security breach affecting some 1.3 million current and former students, staff and faculty. The breach is bad. It's not quite a set of fullz, but there's a lot of inadvertent oversharing of PII. The university said the exposed information includes names, addresses, Social Security numbers and birthdates. The Atlanta Journal-Constitution says the data were accessed by an unknown outside entity, which sounds totally spooky but really means just that someone got into the database, and the university doesn't yet know whodunit. They're investigating and figuring out whom they need to notify. The university says they've clapped a stopper over the breach.

Dave Bittner: [00:07:59] We got a quick reaction by email from Dan Tuchler of SecurityFirst. He said, quote, "how ironic that a university with a high ranking in computer science, which offers courses in cybersecurity, got hacked. This is in a state which has had privacy regulations in place - the Georgia Personal Identity Protection Act - since 2007. This is a clear example of the need for encryption of personal data. Hackers always find a way in, and they need to be stopped before they get the personal data," end quote. He's right, of course, and it is ironic.

Dave Bittner: [00:08:31] But let's not be too hard on Georgia Tech or on the Peachtree State itself, which does have some serious privacy protections in place and the local expertise to use them. First, expertise in academic programs often doesn't translate to administrative matters. Second, universities, particularly universities with strong technical programs, are very attractive targets with an expansive attack surface. And third, Georgia Tech is far from alone. A great many large universities with highly regarded computer science programs have been hit before, and more of them will be hit again.

Dave Bittner: [00:09:09] And finally, can we talk for a few minutes about dual-use problems? A dual-use problem poses a familiar set of dilemmas, most familiar to people who have to do with arms control. Ammonium nitrate fertilizers - innocent. You may have some out in your garage ready to be applied to your lawn. Diesel fuel - innocent. Fill her up. You can pump your own at any gas station, unless you're in New Jersey, where the filling station attendant, by law, must pump it for you. But put diesel and fertilizer together, and you get a powerful explosive. Ballpoint pen ink - totally righteous. Where'd we be without it? We use it in the pens the CyberWire gives away at trade shows. The chemicals used to produce it - innocent, too. But those same chemicals are precursor materials used in blister agent production. That is, they are used for making mustard gas, and boo to that. Krytrons - innocent. Nice, high-speed switches for photocopiers, but also nice, high-speed switches for nuclear implosion weapons - high yield, and no bueno.

Dave Bittner: [00:10:13] Cybersecurity also has its dual-use problems. Take the humble RAT. I mean the remote administration tool. That's OK, right? Sure. Nice RAT. But the remote access Trojan, bad RAT - bad. How do you tell the difference? If you ask the author of Orcus RAT, it's the good kind. If you ask the Mounties, it's the bad kind. And therein lies a tale. The Royal Canadian Mounted Police late last week raided the residence of an Ontario software developer, John Revesz, who wrote and sold Orcus RAT through his company, Orcus Technologies. There are problems with Orcus RAT. One of them is the markets it's found its way into. It's being traded in various black markets. Another problem is its use in various attacks since its introduction in 2015. Mr. Revesz says Orcus is legit - the nice kind of RAT - and that it's just being abused by bad guys who happen to have bought it. Poor RAT. Besides, RATs don't hack people. People hack people. Most security experts would demur, seeing in Orcus features that really do hiss and bite like a bad RAT. Still, Orcus does seem to be a dual-use item.

Dave Bittner: [00:11:30] Ilia Kolochenko, CEO of web security company High-Tech Bridge, emailed us some comments. He said, quote, "it's pretty difficult to draw a straight line and delineate legitimate RA software from malware. Unless the RAT in question cannot be used by its design for anything but malicious activities, it will be quite complicated to charge its author with a crime. However, a walkthrough with customers may shed some light on past cybercrimes committed by unscrupulous buyers who purposefully acquired the tool to break the law," end quote. He looks forward to the findings of fact and to the investigation of intent. We'll know soon enough if the Mounties got their man, or their RAT.

Dave Bittner: [00:12:12] And finally, in a very odd story out of Florida, the U.S. Secret Service over the weekend detained a woman, Yujing Zhang, who was carrying at least one, maybe two, Chinese passports, a laptop, four phones and at least one dongle as she sought entrance to President Trump's Mar-a-Lago estate and club. She said she was there to use the pool, then said her father was a member, and then that she was there as an invited guest to a United Nations Chinese-American Association event. At this point, it all just became too implausible, especially since there was no such event, and the Secret Service took her into custody.

Dave Bittner: [00:12:50] The devices she had with her are said to contain what the Miami Herald helpfully, if perhaps redundantly, called malicious malware. Or maybe the dongle and so on were potentially dual-use, like a RAT. People have checked and found that the malware was the bad kind and not the beneficial kind that might be on anyone's laptop or tablet. In any case, Ms. Zhang has been charged with making false statements to a federal law enforcement officer and entering a restricted area. No word on whether she got to take a dip in that pool, but probably not.

Dave Bittner: [00:13:29] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms

Dave Bittner: [00:14:45] And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's great to have you back. You all recently published your 2019 threat report. A lot of interesting stuff in here. Take us through. What did you find?

David Dufour: [00:15:01] First of all, great to be back, David. And yes, you know, every year we take a look at our data that we've been collecting on threats, things we're seeing out there in the wild. And we publish the annual threat report. And it's pretty big so I'm not going to sit here and read it to you. But some super-curious things we found. One of the key things was, 40 percent of malicious URLs we found to be inside of good domains.

David Dufour: [00:15:24] So as your listeners know, I'm sure, a domain is, like, or And a URL is something that's, like,, slash, you know, information.html. And so the URLs that we're seeing, a significant proportion of them that are malicious, that are hosting malware, that are trying to do phishing, are - or, you know, things of that nature - are living inside of good domains.

Dave Bittner: [00:15:51] So describe - what does that mean? I mean, someone has compromised a legitimate domain, and they're sort of hiding a malicious URL within there?

David Dufour: [00:16:00] That's exactly right. You - and it's typically a non-navigable link. So it's not like they hacked a domain and then changed one of the links or added a link that sends you to something bad. They literally went in there and, you know, at or They dump some malware on that actual server or provide a link to a location, a server inside of that domain, that allows them to deliver malicious payloads.

Dave Bittner: [00:16:30] And how should folks protect themselves against that? I mean, there must be a lack of awareness there, right?

David Dufour: [00:16:36] Well, it's interesting because there is something of a lack of awareness. And what you really do need is a solution that will not only prevent if the malware gets on your computer, but is actually analyzing the domains you're either browsing to or looking at, you know, in your - behind the scenes, where maybe webpages are navigating to or programs are navigating to, that will then block that access to that malicious URL.

Dave Bittner: [00:17:02] Now, another thing that you found - you all were tracking phishing attacks. You saw some movement there?

David Dufour: [00:17:07] Yeah. You know, I'm sure everybody's getting tired of hearing about phishing attacks. But, boy, that's something that just won't go away. We saw a 36 percent increase over the last year, and we've seen just an astronomical growth in the number of phishing sites. Over 2018, over 220 percent increase. And that's saying a lot because phishing sites go up and down all the time. So to see that kind of growth, it's just phenomenal.

David Dufour: [00:17:32] But what you're seeing is, it's really become an automated process where people have gotten really sophisticated in their ability to find places to drop phishing payloads - again, using potentially good domains - and then just gather data through automated processes. So it's just continuing to balloon.

Dave Bittner: [00:17:52] Now, you also found some interesting things when it comes to the places where malware tries to install itself. So what's going on here?

David Dufour: [00:17:59] Yeah. So this is, like, one of those old is new, and sometimes we just got to refresh things because people aren't that creative. But we're seeing, as usual, tons and tons and tons of malware being dropped into your app data, your temp and your cache folder. You shouldn't be going in there and locking down your app data folder because, you know, applications need to install there.

David Dufour: [00:18:21] But the thing is, in these folders where we're seeing the stuff installed, whatever permissions a specific user has when malware lands on the machine, that malware's going to end up with the same permissions. So things like making sure you have proper permissions configured on your machines. And then again, almost any rudimentary endpoint solution's going to protect against malware running in these folders.

Dave Bittner: [00:18:45] So the point is that the malware is looking for folders that it knows have to be active, that there's a lot going on there so that's not a folder that can be locked down.

David Dufour: [00:18:54] Correct. But on top of, you know, being active, it also is a place where there's a lot of stuff so it's easy to get lost in those folders, as well.

Dave Bittner: [00:19:03] So what are some of the take-homes from the report? As we look toward the horizon, what are some of the lessons learned here?

David Dufour: [00:19:09] You know, (laughter), every time your listeners hear me, I end with the same thing. But, David, it's really true. Just make sure you have a good endpoint solution. Make sure you're applying patches, so that if you do end up at a malicious URL that's trying to exploit something in your machine, it can't, because you've got the latest patches. And make sure you've got your data backed up, because at the very worst, you can format your computer and restore your data. I mean, the same takeaways we always have, they remain tried and true today.

Dave Bittner: [00:19:42] All right. Good enough. I guess don't mess with success. Right?

David Dufour: [00:19:46] Exactly.

Dave Bittner: [00:19:46] Yeah. All right. David Dufour, thanks for joining us.

David Dufour: [00:19:49] Thank you for having me.

Dave Bittner: [00:19:55] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at

Dave Bittner: [00:20:02] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:20:13] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.