ISIS claims responsibility for Sri Lanka massacre. Spearphishing embassies in Europe. How the Blockchain Bandit probably did it. Mexican embassy doxed.
Dave Bittner: [00:00:03] ISIS claims responsibility for the Sri Lankan bombings. The government maintains its declared state of emergency and has arrested at least 40 in the course of its investigation. Check Point describes a spear phishing campaign against embassies in Europe. It's thought to be the work of the Russian mob. Weak keys let the Blockchain Bandit rifle altcoin wallets. And a disgruntled bug hunter doxes one of Mexico's embassies.
Dave Bittner: [00:00:35] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web by identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:42] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 23, 2019. ISIS has claimed responsibility for the Easter massacres in Sri Lanka. A statement published by the jihadist organization's news agency Amaq says the bombings were retaliation for last month's massacre of Muslims at a New Zealand mosque and were intended to kill Christians. Sri Lankan authorities who continue their social media crackdown during a declared state of emergency continue to believe the attacks were the work of local jihadists acting with foreign support. The death toll has now reached 321.
Dave Bittner: [00:02:23] Sri Lanka's decision to block social media is being read by many, The Washington Post among them, as another instance of growing distrust in big tech. They cite the inability of algorithms to keep pace with the number of people who wish to and did share the attacker's video of the massacre in Christchurch, New Zealand, as of a piece with Sri Lanka's crackdown. But this isn't as clear-cut a matter as much opinion would have it. Sri Lanka's action is more like a government in the late 19th or early to mid-20th century shutting down newspapers during times of emergency. The government is concerned about inflammatory posts that could feed further immediate violence not about social networks' inherent untrustworthiness.
Dave Bittner: [00:03:06] As Facebook pointed out quietly, people rely on our services to communicate with their loved ones. And we are committed to maintaining our services and helping the community and the country during this tragic time. Facebook, in this case, has a point. And the Sri Lankan government has legitimate counter concerns. Social media users have driven violent mass behavior in South Asia especially far too often in recent years. And that's the immediate concern here. It's not clear what role online communication played in coordinating the attacks, but the government doesn't want a mass murder to turn into mass rioting. The number of arrests made so far in the case is said to have reached about 40.
Dave Bittner: [00:03:50] Researchers at Check Point describe a targeted spear phishing attack against government finance authorities and embassies in Europe. The hackers appear to be Russian, and they appear to be criminals, although that's a tougher call given the growing penetration of the Russian mob by the Russian security organs. The campaign used malicious Excel files marked implausibly as if they were from the U.S. State Department. The payload was a weaponized version of TeamViewer capable of taking screenshots of infected systems.
Dave Bittner: [00:04:21] One of the gang members who goes by the name EvaPiks was active on a hacking and carding forum, The Verge notes, talking about the attack and offering advice to others who might wish to do likewise. This alone suggests that a criminal, as opposed to a state actor, is responsible. The campaign has received surprisingly high reviews for the convincing quality of its work, but we're not so sure. The subject line was military financing program. Marking a spreadsheet top secret, splashing some U.S. State Department logos all over it and then shooting the stuff around by email with an invitation to click now, click now, now, now, seems a come-on more designed for naifs than for diplomatic sophisticates. But we have to admit we like the touch that the attachment represents itself as GSA Form 1566, revision 9-74, which is the current top secret control sheet. The State Department watermark is just gravy.
Dave Bittner: [00:05:22] A close reading of the phish bait would, however, reveal that the workbook title is in Russian - (speaking Russian) or request one, which isn't exactly how they'd express it at Foggy Bottom, especially not in Cyrillic characters. The verbiage on the bogus form 1566 would also strike experienced textual critics of the General Services Administration canon as wayward. It says, the attached material contains secret information which bears directly upon the effectiveness of conduct of foreign relations, which reads a little like someone shoehorning Russian into an English sentence.
Dave Bittner: [00:05:59] It goes on in a boldface screamer - to display data in document, click enable editing and enable content on the protected view bar. And the instructions close, sinking in prose with, as such, the attached material deserve special care in its handling, custody and storage, as required by the information security. The information security would advise not touching this with the proverbial 10-foot pole. In fairness to EvaPiks and company, judging from Check Point's analysis, they did seem to put in the work as far as the attack chain is concerned. And indeed, while more recipients than one would like to believe did indeed click now, now now. Others at once rightly bonged (ph) it to the spam folder. Good awareness, Italy and Kenya - two countries, at least, where the diplomatic staff seem to be paying attention. NYIT is the New York Institute of Technology, a not-for-profit university headquartered in New York. Their College of Engineering and Computing Sciences is hosting a Girls in Engineering and Technology Day this coming May 4 at their Long Island campus. Maryam Rahmani is a technology consultant who's helping run the event. And she joins us to share why STEM-focused events targeting young women matter.
Maryam Rahmani: [00:07:15] The program is focused on high school girls - sophomore, juniors. You know, by the senior year, you could say they've already decided, you know, where to go. But the important thing is - how do we reach these high schoolers to be interested to look into STEM programs? Often, you see that they are very strong in math and physics and biology and other science-related courses. But somehow, by the time they end up in colleges, they don't even pursue these types of degrees, whether it's engineering, computer science or other STEM-related. And so we felt that by providing them an opportunity to see women that have studied engineering and have had marvelous career track, as well as having an ability to see what each major offers and also even get to play around with hands-on workshops without having any previous experience - as an example - with cybersecurity, with drone or coding - that potentially would be triggering their interests and excite them to look into STEM programs, whether at NYIT or beyond.
Dave Bittner: [00:08:39] Now, do you think that providing this sort of environment where the girls get to speak to other girls and other women - does that provide them with insights that they wouldn't get at a regular tech event where there were both boys and girls there?
Maryam Rahmani: [00:08:52] So that's a very good question, Dave. Yeah, so I believe that girls will be very comfortable in an environment with their peers, that they can really just focus and imagine, what would it be for me? Would I ever be like that lady that is a keynote? Can I reach to those levels? It would be less distraction. It's a program that is completely dedicated for them. And they will have an opportunity to not feel that, oh, my gosh, I may not have the experience that my male peer may have, for instance, with coding or something else. And absolutely, without having any previous experience, they just get to really just be curious and try something and not feel that they're being sort of compared. So I feel that the environment would really encourage them.
Maryam Rahmani: [00:09:48] And one of the tags that I guess NYIT uses for this particular event is See Her, Be Her. I think that's very important. I often think of my own 15-year-old daughter. And I think it's so important for these girls to be able to look at women like myself and have a face for what we look like - that we are not like some, you know, stereotypes that are sometimes shown, whether in information security, whether in other aspects of engineering, that academic career really prepares us to be thinkers and innovators and have the skills that the - our country so badly needs for the future, for its security and for its competitiveness. So that's really what I believe in - you know, sort of programs like this provides these young ladies to be able to experience all in one day.
Dave Bittner: [00:10:54] That's Maryam Rahmani. The event is at NYIT. It's Girls in Engineering and Technology Day, coming up May 4, 2019.
Dave Bittner: [00:11:04] If it's the blockchain, it's got to be secure, right? Well, not necessarily. Researchers at the firm Independent Security Consultants grew curious of what might happen if, instead of using an effectively unguessable 78-digit key to their wallet, a cryptocurrency user decided to, say, smack it with, oh, something easy like the number one. They looked and found that a lot of altcoin traders were doing just that. And they found, moreover, that someone they're calling the Blockchain Bandit had got there first and made off with the coin such wallets contained. In fairness to the users, we note that not every weak key is as easily guessable as one. And the silver lining to the theft - if there can be said to be one - is that Bitcoin Bandit probably lost most his or her shirt when the altcoin speculative bubble deflated last year.
Dave Bittner: [00:11:58] A disgruntled bug hunter has released documents taken from a server in Mexico's Guatemala embassy. He told TechCrunch he expected a reply, and when he doesn't get a reply, then it's going public. So there. The doxing included many identity documents, passports, visas and so on. Much of it had markings indicating that it was confidential or sensitive. But that seems to have indicated, for the most part, that the data were private and not that they represented state secrets. Anyhoo, the hacker has since explained his motives. On his Twitter timeline overnight, he said, I am an idiot. And who are we to disagree? Know thyself.
Dave Bittner: [00:12:44] I'd like to take a moment to thank our sponsor, Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyber threats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, visit scs.georgetown.edu/cyberwire. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.
Dave Bittner: [00:13:43] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. We wanted to touch today on preserving evidence when a cyberattack happens. What can you share with us today?
Justin Harvey: [00:13:57] Well, what I can share with you is - the first thing that many organizations make a mistake in is actually destroying the evidence, thinking they're doing the right thing. They have Patient Zero. It has some sort of malware or an adversary on it that has appeared within their SIM. And the first thing that people want to do is say, well, let's go reimage that box. And reimaging is absolutely the wrong thing to do because you absolutely don't know how the adversary got on there. You don't know what they've stolen or grabbed. And you also don't know if the adversary has moved lattery (ph) off of there or if they have a secondary or tertiary persistence mechanism.
Justin Harvey: [00:14:36] So the first thing that we tell our clients do is hibernate the system. Don't put it to sleep. Don't shut it down. Don't disconnect it from the network. I mean, disconnecting from the network - from the physical network is absolutely OK, but make sure that you hibernate the system. That ensures that the running memory is preserved. And actually, from a technical perspective, it writes it to disk so that when we do digital forensics on it, we get to see the full picture, which is both the memory, which has very valuable bits of information with what the adversary has done since last reboot, as well as the disk in order to do the analysis.
Dave Bittner: [00:15:15] I could see someone's first impulse to be that - something's gone wrong. Let's just walk around and pull the plug.
Justin Harvey: [00:15:22] (Laughter) That is - that's actually - pulling the plug is probably OK, but when you do that, you never know if there's an encryption routine running or if there's something else that could be inadvertently interrupted. So what you want to do is if you do pull the plug, if it's a hard-wired connection, absolutely follow up with a hibernate directly following.
Dave Bittner: [00:15:44] I see. What about in terms of folks who may have to preserve things for regulatory reasons?
Justin Harvey: [00:15:50] Well, from a regulatory perspective, you want to focus on the machines or the systems that matter. Let's say you're hit with a widespread ransomware attack, and 4,000 of your 5,000 machines have been affected. You clearly don't want to go forensically image 4,000 systems. That would be - that would take up a lot of disk space and take up a lot of time. But what - you want to focus on material systems that are pertinent to the investigation. Regulators want to see how they got in, how they escalated privileges, how they move laterally and what they took and or what they got. So sometimes that's actually not forensic data. Sometimes it's actually log data that you can save off and keep to the side so that when you are audited or you are working with regulators, you could actually paint them a full picture. And in incident response terms, what you want to be developing is a timeline. On Monday, the adversary sent a phishing attack. On Tuesday, Allison clicked on the link. On Wednesday, they were able to move laterally, and they took this information. So when you show this to the regulator, you want to show a very complete timeline with as much perspective information as possible while not going completely overboard and inundating them with information.
Dave Bittner: [00:17:03] Is there a natural tension that comes into play here where - you know, folks want to get back up and running. They've got business to do. And we've got this machine sitting there in hibernation mode, and time's a-wasting.
Justin Harvey: [00:17:15] Yeah. The No. 1 priority for my clients, Dave, is, how do we get back to doing the business that we do - collecting revenue, communicating with customers, dealing with patients? And the answer is, particularly for some of these larger attacks or the more dangerous ransomware, you really want to find out how the adversary or the threat got into the network before you start standing everything back up - for a few reasons. First is, you don't know if the adversary has secondary or tertiary backgrounds. Many of the attackers out there - they want the ability to persist if you find one of their legs of persistence, in other words. So it's a very standard practice to see them use one type of malware to persist, and then there's a backup that no one ever really realized out there on the perimeter or the edge.
Justin Harvey: [00:18:06] The second thing to take into consideration with restoring services is you also don't know the dwell time. I think that the jury is still out for the average of dwell time. Some vendors put it at sub-100 days. Some vendors put it at over 200 days. Let's just pick the average. Let's pick 150 days of average time that an adversary - once they've compromised an organization - how long they get free reign to do whatever they want. So when you're running this case and you want to get back to operations, how do you know that the adversary hasn't already been - implanted themselves within the backups inadvertently - meaning Monday, the adversary got in. On Tuesday, the backup ran. And you discovered it on Friday. Well, let's go back to Tuesday's backup. Well, that wouldn't do very much good because the adversary - you're just - basically, you're reinstalling the adversary with their tools. So you really need to have a good idea of how the adversary got in, how they're persisting in order to close those loopholes off before restoring services.
Dave Bittner: [00:19:09] All right. Well, Justin Harvey, thanks for joining us.
Justin Harvey: [00:19:12] Thank you.
Dave Bittner: [00:19:17] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at thecyberwire.com.
Dave Bittner: [00:19:24] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:35] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.