The CyberWire Daily Podcast 5.10.19
Ep 841 | 5.10.19

Breaches at AV companies? Pyongyang’s ElectricFish. Symantec’s CEO steps down. Calls to break up Facebook and regulate the pieces. US Federal indictments for leaks and breaches.


Dave Bittner: [00:00:04] Fxmsp may have breached three antivirus companies. US-CERT and CISA warn against a new North Korean malware tool being used by Hidden Cobra. They're calling it Electricfish. A changing of the guard at Symantec. Former Facebook insiders call for breaking up the company and for more regulation. Facebook disagrees about the breakup but says it likes the idea of regulation. Verizon's head of security research joins us to discuss this year's DBIR. Two indictments are unsealed - one for leaking classified information, the other for the Anthem breach.

Dave Bittner: [00:00:44] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to to subscribe for free threat intelligence updates from Recorded Future. That's And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:51] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Friday, May 10, 2019. Reports broke late yesterday that a criminal group, Fxmsp, well-known for selling access to data breaches, had successfully penetrated at least three antivirus companies. Researchers at the firm Advanced Intelligence say that Fxmsp had stolen source code for antivirus agents, analytic code based on machine learning and security plugins for web browsers. Not only was the code stolen, but Fxmsp also offered reviews of the quality of different vendors' security products. AdvIntel has notified the affected companies and law enforcement authorities. But they're keeping the identities of the firms whose code was stolen quiet. Fxmsp is an interesting group. It's described as Russian speaking and English speaking, which either says something about its members' countries of origin or about their skill with languages or their skill at repurposing Anglophone and Russophone code.

Dave Bittner: [00:02:58] US-CERT and CISA have new warnings out concerning the North Korean threat actor Hidden Cobra. Pyongyang's attack group is deploying a piece of malware US-CERT is calling Electricfish. Electricfish uses a custom protocol to funnel traffic between a source and destination IP address. A funneling session can be initiated from either side. Electricfish can be configured with a proxy server port and proxy username and password, which enables it to connect to a system inside a proxy server. This allows attackers to bypass required authentication in compromised systems. For more details, see the report at

Dave Bittner: [00:03:40] The prominent security company Symantec will be getting a new CEO. President, CEO and board member Greg Clark has stepped down from all of those roles. Board member Richard Hill, former Novellus Systems chairman and CEO, will serve as interim CEO as the search for a permanent replacement begins. Clark, formerly CEO of Blue Coat, moved into the same position at Symantec when Symantec acquired Blue Coat in 2016. His resignation was prompted by shareholder dissatisfaction, an accounting probe and a significant earnings miss.

Dave Bittner: [00:04:16] Facebook's co-founder Chris Hughes, who goes way back with Mark Zuckerberg - back to when they were undergrads at Harvard - published an op-ed in The New York Times yesterday in which he advocated breaking up Facebook. Mr. Zuckerberg is still a great guy, Mr. Hughes writes, but the company is too powerful. Mr. Zuckerberg's properties - Facebook, Instagram and WhatsApp - have billions of users. The company is publicly traded. But with 60% of the voting shares in Mr. Zuckerberg's hands, other voices inside Facebook, including those of the board, are merely advisory. As Hughes puts it, quote, "Mark alone can decide how to configure Facebook's algorithms to determine what people see in their newsfeeds, what privacy settings they can use and even which messages get delivered. He sets the rules for how to distinguish violent and incendiary speech from the merely offensive. And he can choose to shut down a competitor by acquiring, blocking or copying it," end quote.

Dave Bittner: [00:05:15] It's a very long piece. But in essence, Hughes argues that Facebook should be broken up under the Sherman Antitrust Act, the way Standard Oil was broken up at the turn of the 20th century and the way AT&T was broken into the Baby Bells in January of 1984. This sort of market correction is all that Hughes advocates. He wants a number of other things, too, including a U.S. privacy agency with the power to not only protect the privacy of individual's data but also to regulate their speech. He acknowledges the First Amendment issues here but deals with them airily by assimilating speech people view as hateful or harassing to such exceptions to constitutional guarantees of free speech as prohibitions against shouting fire in a crowded theater. It's unlikely to be an easy case to make. Indeed, Facebook, Google, and Twitter are already under considerable criticism for what many perceive as ideological bias. But in any case, Hughes wants the company broken up. And he wants public servants and not corporations to lay down the guidelines for acceptable speech he sees as inevitable.

Dave Bittner: [00:06:22] Hughes is not the only Facebook former insider to look upon their economic child with dismay. Last month, one of the company's early investors, venture capitalist Roger McNamee, published his book, "Zucked

Dave Bittner: [00:06:56] Facebook, needless to say, disagrees. They released a statement that reads, quote, "Facebook accepts that with success comes accountability. But you don't enforce accountability by calling for the breakup of a successful American company. Accountability of tech companies can only be achieved through the painstaking introduction of new rules for the internet. That is exactly what Mark Zuckerberg has called for. Indeed, he is meeting government leaders this week to further that work," end quote. That statement came from Nick Clegg, who you may remember from his career in British politics, and who is now Facebook's vice president of global affairs and communications.

Dave Bittner: [00:07:34] So in essence, it seems everybody wants more government oversight, and more government oversight everybody will no doubt get. That oversight will be international. The French government has just announced its intention to introduce legislation that would create a duty of care for social media, with regulatory scrutiny and heavy fines for those that permit objectionable content to cross their platforms. For all of the attention Facebook has attracted lately, it does appear that the social network is on the right track in setting its face against what it calls inauthenticity, especially coordinated inauthenticity, the kind of bot herding and trolling the Russian government has so vigorously deployed in its information operations around the world. Those information operations are continuing in Ukraine, Kiev complains, even though that country's elections have concluded.

Dave Bittner: [00:08:26] Several significant legal actions have been announced. Daniel Everett Hale, 31 of Nashville, Tenn., was arrested yesterday on U.S. federal charges of obtaining and disclosing national defense information and theft of government property. Hale worked as an intelligence analyst for the U.S. Air Force, and after leaving the service, performed similar duties as a contractor for the National Geospatial Agency. The government alleges that Hale provided highly classified information to a reporter over a period of several years beginning in 2013.

Dave Bittner: [00:08:59] And you'll recall the very large Anthem breach of 2015, in which the health insurance company was breached in an incident that affected the personal data of nearly 80 million people. The U.S. Justice Department says it knows who is responsible, a highly sophisticated Chinese group. Two Chinese nationals have been indicted - Fujie Wang, also known as Dennis Wang, and a John Doe who went by the name Deniel Jack, Kim Young, and Zhou Zhihong. The indictment says they also breached three other U.S. companies. The document calls these simply victim businesses one, two and three. But it does identify them by sector - respectively technology, basic materials and communications. The defendants are, of course, still at large and in China - probably in Shenzhen (ph) - and are unlikely to appear in a U.S. court unless wanderlust takes them abroad. We hear Vancouver's beautiful this time of year. Come for the shopping and fishing, stay for the extradition hearing.

Dave Bittner: [00:10:05] And now a few words from our sponsor KnowBe4. Everyone knows that multifactor authentication, or MFA, is more secure than a simple login name and password. But too many people think that MFA is a perfect, un-hackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar, where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4 chief hacking officer Kevin Mitnick and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to to watch the webinar. That's And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:11:09] And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute. And he's also the host of the ISC StormCast podcast. Johannes, it's great to have you back. You've been tracking some malware that's been taking advantage of some tools from Google. What's going on here?

Johannes Ullrich: [00:11:25] Yeah. And what this malware is doing is it's written in Go or Golang. That's a language that Google came out with. It's a pretty neat language. A lot of developers like it. It's, I believe, sort of one of the top growing languages. And what's really neat about it is it's very easy to write multi-threaded software. It's also easy to write network-connected software. And in particular, the second part is, of course, something that malware authors like, too. So we do actually see more and more malware being written in Go.

Dave Bittner: [00:11:57] So what are the ramifications of that?

Johannes Ullrich: [00:12:00] Well, first of all, there aren't really a lot of tools to reverse this malware. So malware analysis, they're used to analyzing malware that's sort of, you know, compiled. Visual Basic, so we have a lot of that stuff, of course, around. And various C and C++ or .NET. But so far, Go is sort of this odd language where it's really sort of hard to find good tools to reverse it. Once you have the tools, it's actually not that difficult, but not that much more difficult than other languages. But that's sort of part of it. The other consequence of it is that this malware is actually pretty big because they have to deliver, basically, Go as well as the malware. So they have to deliver a lot of additional libraries and such. But oddly enough, that doesn't seem to hinder the distribution of this malware, even though it's usually, like, several megabytes in size.

Dave Bittner: [00:12:55] Now, what's the upside for the malware developers to be working in this environment?

Johannes Ullrich: [00:13:01] For the developer, it's much easier to actually code all the different network components that you need, and - like, connecting back to a command control server or even setting up a server, and that's actually probably the biggest strength of Go is it's very easy to write little servers. That's also where the multithreading comes in. What this allows you to do is have one server that responds to multiple connection requests at the same time. So if you want to write, let's say, an SSH (ph) server, a web server with a couple lines of code, then Go is of the language - or the go-to language (laughter) to really use in these cases.

Dave Bittner: [00:13:38] And so as always, I mean, in terms of folks protecting themselves here, what do you recommend?

Johannes Ullrich: [00:13:44] Well, antivirus should catch up with this. Of course, they will not tracker just on Go itself because that's a legitimate language. And you find a lot of legitimate software being coded in it as well. But of course, that's the usual catch and mouse - cat-and-mouse game with anti-malware, where they have to get used to writing signatures for malware written in Go.

Dave Bittner: [00:14:07] All right. Well, it's something to keep an eye on. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:14:15] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids. But to keep this savvier hoods' hands off your end points, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with a threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit to learn more. And we thank BlackBerry Cylance for sponsoring our show.

Dave Bittner: [00:15:22] The 12th annual Verizon Data Breach Investigation Report was released this week, and my guest today is one of the report's co-authors. Alex Pinto is head of Verizon security research.

Alex Pinto: [00:15:34] Well, the DBIR's in its 12th year right now, right? We - we're joking that it's going to be a teenager next year and hope it doesn't give us too much trouble. This year we're working with 73 different partners.

Dave Bittner: [00:15:46] So take us through. What was your approach to this year's report?

Alex Pinto: [00:15:49] The report kind of writes itself, right? We're actually collecting the data, and then the data will tell us what are the important subjects, what are the important things that are happening that we should be talking about, right? And this year was no exception. Really, most of - the narrative that we can craft from this year's report has to do with attackers going for not only what's easiest but also what's more valuable for them, right?

Alex Pinto: [00:16:13] So we saw two of the most significant shifts that we saw, which are, in a way, headlining our key findings notifications, are about C-level executives being more frequently breached by social attacks. And by social attacks, I mean - the biggest representative of those are phishing because of the fact that - you know what? - those individuals probably have the most valuable information or hold the most interesting power to get whatever the evildoers want there, right? This was associated with a continuous increase we have been seeing over the years with the business email compromises - right? - the BEC. We actually see things which go beyond email, which also, quote-unquote, "hey, can you please send me the money?" And then for some reason, people just send the money, right?

Dave Bittner: [00:17:02] (Laughter) Right, right.

Alex Pinto: [00:17:03] And yeah. I mean, it's sad, right? It talks a lot to how much work - there is always continuous vigilance that's needed and how much work needs to be done on actually doing the proper - to get your awareness for it, right? So it's interesting to us. That's kind of like bad news-ish (ph), as far as, oh, yeah, people are wiring money to strangers.

Dave Bittner: [00:17:23] Right.

Alex Pinto: [00:17:23] On request. But on the other hand, we saw that the old practice of sending W-2s via email as well. So people, instead of asking for money, they ask for, oh, can you give me the employee record of such-and-such for tax return fraud or things like that. We saw it go significantly down, right? We're not entirely sure why. We asked our - all our contributors that used to give us this data, and they said, no, no, it's really gone; we haven't seen it anywhere. So we're really believing that, well, it happened a lot, so people got smart, put some policies, right? And it's not happening as much now. And we can hope that by bringing awareness to the C-level and the business email account compromise, this is also something that policy writers and security awareness folks can focus on.

Dave Bittner: [00:18:09] What are some of the key take-homes for folks who are trying to plan out their own strategies? What can they learn from this year's report?

Alex Pinto: [00:18:16] So one of the other big shifts that we saw is around the use of the cloud, which, again, shouldn't be surprising anyone. My take is that it looks like most of the people who haven't are starting to get the memo that they should be going to the cloud, right? So there were two things that we saw a relatively sharp increase this year - right? - which is tied to cloud usage. First of all is that we saw a three times increase on compromises of cloud-based email accounts. We're talking here about - we classify on the report as, use of stolen credentials.

Alex Pinto: [00:18:52] And this is a little bit of conjecture, right? This doesn't mean that cloud-based emails are more insecure than your traditional, run-of-the-mill host them inside - right? - the on-prem solution. But because they're always available, there's always the web option, it just becomes easier, right? It's a little bit more low-hanging fruit for, if you have compromised some sort of credential, to try it over there, right? Most of the times, the company itself is not monitoring, right? It will be the cloud provider that's monitoring. And they have to be a little bit permissive, at least if they're trying a few times. When other cloud-based - interesting shift to the cloud story.

Alex Pinto: [00:19:29] This has been growing a little bit over the years, but there was another sharp increase this year on the number of records leaked through misconfiguration of cloud-based storage. So think about your favorite cloud-based platform as a service provider. They will have an option where you can just post files online. Some people are leaving them open for public consumption, right? And there's a lot - we had - we tracked over 60 million different records of multiple sources, multiple organizations that were leaked this way, just because someone failed to press the "keep this private" checkbox - could potentially have been easily avoided, right?

Dave Bittner: [00:20:04] Yeah.

Alex Pinto: [00:20:05] There was no work on anybody's part. There was no hacking, no zero day, no nothing involved, just plain misconfiguration.

Dave Bittner: [00:20:13] It was interesting to me, reading through the report, that it seemed as though cryptojacking had really fallen off the radar. Is that accurate?

Alex Pinto: [00:20:20] So yes. It's important to understand the specifics around that statement, right? Because we're specifically talking about malware, right? So we don't have a measurement on websites hosting cryptojacking JavaScript. We don't have a measure of - we do have, but it's not tracked there, of, oh, somebody's cloud-based account was hijacked, and somebody just spun up a bunch of servers and are mining your favorite cryptocurrency there, right? We're specifically talking about malware whose functionality buys into crypto mining, right? So a piece of malware is installed, and one of the things it does is mine cryptocurrency for you, right? And we saw that that just doesn't happen. It's way more profitable. It's way - makes way more sense to just go and put some ransomware in. It's way more profitable, so to speak.

Dave Bittner: [00:21:17] Were there any surprises this year, things that popped up that you weren't expecting?

Alex Pinto: [00:21:21] Sort of one. The one that was most surprising was the human resources story, right? We're not really used for things getting, in a way, fixed so quickly (laughter), if you know what I mean. So the fact that it really seems that this was a trend, and it was happening, and suddenly it's way less of a trend - right? - gives us hope that it's something that - people are doing a good job. One of the other interesting ones not - was surprising in a good way is some of the research that we've done with some of the data that the FBI provided us, the FBI IC3, which was specifically about the great work that they do on business email compromise return, getting the money back. According to their data, over half of companies where they contact - half of U.S.-based organizations that contacted them, can you assist us get the money back, they were able to either retrieve or freeze 99% of their money for half of those companies. So it really ties into, well, something bad happened; what should I do next? It's really good to hear, surprising in a very good way, of how successful they have been in trying to counteract those kinds of attacks.

Dave Bittner: [00:22:32] Well, I have to say my hat's off to you. It's - not only is there a lot of interesting information in there, it's actually a fun read, which you don't get to say about every report in this industry. And lots of pop culture references and fun things like that throughout. So congratulations to you and your team on a job well-done.

Alex Pinto: [00:22:52] Thank you. The team is really incredible. The code team that we have doing the report, some of those people have been with us since the beginning - right? - from 12 years. It's really fantastic to see. It's a lot of work; I'm not going to lie.

Dave Bittner: [00:23:06] (Laughter).

Alex Pinto: [00:23:06] But it's really fantastic to see the report getting done, how much care the team puts into making sure that not only is it a good report - right? - not only, like you said, it's fun to read, it's accessible, but that it's accurate, and we can very clearly represent in a fair way and as correct as possible - right? - the data that those contributors have been providing us. They're all volunteers, right?

Dave Bittner: [00:23:33] Yeah.

Alex Pinto: [00:23:33] And they provided anonymous data to do this work. If anyone who's listening - right? - is interested about this, believes they have data that they could contribute, especially law enforcement, especially security vendors, please reach out to us. We're not hard to find on Twitter. We would love to work with you to make this report even better next year.

Dave Bittner: [00:23:52] That is Alex Pinto. He is one of the authors of the Verizon DBIR, the Data Breach Investigation Report, for 2019.

Dave Bittner: [00:24:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.