Fancy Bear is snuffling around corporate IoT devices. Machete takes its cuts at Venezuelan military targets. What Mr. Kim is buying. MegaCortex goes for automation. Vigilantes, misconfigurations, etc.
Dave Bittner: [00:00:03] Fancy Bear is back and may be in your office printer. El Machete, a cyber espionage group active at least since 2014, is currently working against the Venezuelan military. A U.N. report allegedly offers a look at what Mr. Kim is doing with the money his hackers raked in. MegaCortex ransomware shows growing automation. Another unsecured AWS S3 bucket is found. A bank stores some pins in a log file, vigilante smishing and when popping off becomes arguably criminal.
Dave Bittner: [00:00:40] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operation center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai - intelligence security starts at the edge. Learn more at Akamai. That's akamai.com/security. And we thank Akamai for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 6, 2019. Microsoft reports that Strontium, also known as Fancy Bear or APT28 - that is Russia's GRU military intelligence service - has undertaken a campaign to breach enterprise networks by exploiting poorly secured IoT devices - printers, video decoders and voiceover IP phones. Redmond says that in April, its researchers discovered infrastructure of a known adversary communicating to several external devices. Once in, the attackers would seek to pivot to more interesting targets. At least two of the corporate victims had left manufacturer's default passwords on their devices. A third had failed to keep their software updated. The campaign's goal is unknown.
Dave Bittner: [00:02:51] ESET is tracking recent activity by Machete, a cyber espionage threat actor working against Venezuela's military, as well as some targets in Ecuador, Colombia and El Salvador. Machete was identified by Kaspersky in 2014 and has since been tracked by Cylance. While it's been mostly active against Spanish-speaking countries, it's also looked at targets in Canada, China, Germany, South Korea, Sweden, Ukraine, the United Kingdom and the United States. There's no clear attribution, and ZDNet notes that it's unknown whether Machete is state-directed or the work of freelancers. It typically gains entry to its targets by phishing.
Dave Bittner: [00:03:33] What do you buy with your ill-gotten cyber gains? Well, if you're Mr. Kim, maybe a few implosion weapons, some launch vehicles - you know, whatever you can fit into your cart. Reuters says that yesterday, it saw a report on North Korean cyber operations the United Nations Security Council received last week. Pyongyang's extensive state-operated cybercrime program has raised some $2 billion since its inception, the report said. The starting date of the cybercrime operations isn't stated in the fragments of the report that have been released, but Computing observes that the U.N. significantly tightened sanctions on North Korea in 2006.
Dave Bittner: [00:04:13] The funds have been used to pay for Pyongyang's weapons of mass destruction - essentially, its nuclear and ballistic missile programs. Foreign banks and cryptocurrencies are the principal targets. There have been at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activities designed to earn foreign currency. The report is said to conclude. The Security Council is likely to consider further sanctions against North Korea, although there can't be much left to sanction.
Dave Bittner: [00:04:44] In yet another case of a user failing to secure its data in the cloud, UpGuard has found more than 6 million email addresses in an unsecured Amazon S3 bucket belonging to the U.S. Democratic Senatorial Campaign Committee. The data were posted in 2010 and appear, from file names, to have some connection with former Senator Hillary Clinton's campaign - perhaps a do-not-contact list. People who were associated with the campaign say, no, the data were compiled by the DSCC, and the DSCC notes with some justice that the information exposed consisted only of email addresses, which is true enough. It could have been more damaging.
Dave Bittner: [00:05:24] Still, almost any data can be valuable to some criminal or intelligence enterprise. The DSCC says that the data are almost a decade old, which is also true. But another way of looking at the matter, as UpGuard observes, is that the data have been gurgling around in the cloud for nine years now, which is plenty of time for exploitation in some form.
Dave Bittner: [00:05:46] The Black Hat conference in Las Vegas is underway, and the keynote at this year's Codenomicon event is being given by Chris Roberts, chief security strategist at Attivo Networks. The title of his talk is A Hacker's Perspective
Chris Roberts: [00:06:03] I mean, let's face it. As an industry, you've got to look at the numbers. We are spending, you know, $120-plus billion in this industry, and we keep losing more and more data. So I would argue that we're not exactly in a good situation. We have failed the charges that we are meant to protect.
Dave Bittner: [00:06:21] Is your sense that things are getting better or worse, or are we treading water?
Chris Roberts: [00:06:25] At best, I would say we're treading water. I wouldn't say that we're getting better. I mean, the innovation is fantastic. I mean, don't get me wrong. We're actually doing some amazing, innovative things, but we have a lot to do. We have a long way to go. I mean, you've got over 3,000 security vendors out there, each one of them unfortunately telling organizations that they can fix everything. And let's be perfectly honest. Quite a lot of them can't.
Chris Roberts: [00:06:51] We spend a long time chasing buzzwords. We have security conferences where 50,000 people go, but let's be honest. Half of them probably don't want to be there. And the cost of attending, let alone the cost of putting a booth in one of those, is ridiculous. As an industry, we're, you know - we're more focused on minting millionaires and billionaires than we are actually protecting data, so, you know, it's a little frustrating, shall we say.
Dave Bittner: [00:07:16] I can sense your frustration. And do you think you're erring on the side of being a little bit cynical? I mean, are there things to be optimistic about?
Chris Roberts: [00:07:23] I mean, it depends on where you stand. I mean, let's be perfectly honest. If you are a consumer and you've just watched your shopping experience go down the drain 'cause somebody lost your data - you just watched a couple of banks lose your information. You're in the military; you lost, you know, your credentials and all the intelligence there. You go to a hospital, and they lose your data. No, I wouldn't take a really positive look at our industry.
Chris Roberts: [00:07:49] You flip it around, and you look at our industry and what we are trying to do and maybe some of the movements that we're doing now where we haven't. You realize that we've got some challenges, and we have to do things differently. Then maybe - but I mean, it's - I wouldn't say it's too little, too late, but I would definitely say that we have a lot of growing up to do as an industry, and we need to do it a lot faster than I think a lot of people want to believe. And I think that's probably especially relevant from, like, the vendor supply side - less so the people that are in the trenches - you know, the people on the blue team that are actually trying to protect us - think they're doing as best they can.
Dave Bittner: [00:08:30] So what do you suppose are the forces that could make that sort of change come into play?
Chris Roberts: [00:08:37] I think collaboration, communication would be two of the big ones, and then really taking a step back and looking at the humans. And if we turn around and actually spend more time looking at the humans that we have, you know, they are, to some degree, our best assets. And that's everybody from, you know, the users that we've blamed for everything - maybe we turn around and try to educate them in how to protect themselves more effectively and not do it in a punitive manner - all the way through to the, you know - the board level, the directors and everybody else.
Chris Roberts: [00:09:08] And how do we educate in a way that they understand, not in a way that we're comfortable teaching? I think those are probably two very big ones. And then a little bit of humble pie - you know, we need to go back to the businesses and to the areas of the business we've blamed and say, hey, how do we solve this problem together?
Dave Bittner: [00:09:30] What are the take-homes you want to folks who see your presentation at Black Hat and are going back to their leadership - what are the messages you want them to take home with them?
Chris Roberts: [00:09:40] I think one of probably the biggest ones is ask more questions. You know, I mean, if you think about it, Black Hat and other conferences are ripe with vendors and suppliers trying to tout their wares. And, you know, I look at Attivo, and I look at the guys, you know, that I'm talking about. And arguably, we're there for the same reasons. And to me, it's a case of the people that are coming to listen to the talk. I want to educate them. I want them to ask more questions.
Chris Roberts: [00:10:05] When a vendor or a supplier says, hey, you know, I can blind you with science, I want somebody to actually hold their feet to the fire and say, show me. Tell me. Don't just explain it to me, and prove it to me. How are you actually going to help me? How are you going to help reduce risk? I think that's part of it. I think the other part of it is really that war cry we've been having, which, somewhat, is back to the basics, which is, you know, focus on the human. Focus on the simple things. You know, it's the grunt stuff that we don't like doing.
Dave Bittner: [00:10:33] That's Chris Roberts from Attivo Networks.
Dave Bittner: [00:10:37] According to Accenture, MegaCortex ransomware shows signs of greater automation as its masters trade stealth for volume and speed. ZDNet says the ransom demands exceed $5 million. The extortion targets have, for the most part, been in Europe and North America.
Dave Bittner: [00:10:55] Monzo, the British mobile-only bank, warned customers over the weekend that it had been storing some encrypted PINs in log files. Some of the bank's engineers had access to the files but no need to know any PINs. The bank has now deleted any files improperly stored this way and has advised customers of additional steps they can take to protect their accounts. None of the PINs seem to have been accessed by anyone outside of Monzo, nor have any of them turned up in any of the places one would expect they had leaked.
Dave Bittner: [00:11:26] Nonetheless, Monzo has advised its customers of additional actions they could take to secure their accounts. Infosecurity Magazine points out in an aside one problem with such warnings and disclosures. They can be indistinguishable from phish bait. It seems that many of them wound up in spam traps or were disregarded and dumped by cautious customers.
Dave Bittner: [00:11:48] And now, some smishing with a side of PewDiePie. People in the U.S. have been receiving texts with the following message - I'm here to warn the masses about SMS email gateways. Please look up how to disable it on your phone, or call your provider and ask. The text is accompanied by some promotional barking in the interest of YouTube celebrity PewDiePie. Naked Security calls him controversial, which is one way of looking at the gaming commenter, whose cultural presence defies easy explanation.
Dave Bittner: [00:12:19] Some of those who have noticed the texts have been troubled by the question of how the texters got the recipients' phone numbers in the first place. According to WIRED, however, they didn't. They brute-forced them by writing a script to generate all possible mobile numbers from 1 to 999-9999. The texters then associated these numbers with each U.S. area code. From there, they sent the text to the email to SMS gateways used by carriers. That's about 7.2 billion possible phone numbers.
Dave Bittner: [00:12:49] WIRED identifies the spammers by their hacker names, j3ws3r and 0xGiraffe, a pair who, last December, hacked poorly secured printers and Chromecast to disseminate a pro-PewDiePie message and, inter alia, lay some wisdom on the masses about these vulnerabilities. They appear to be doing the same kind of shtick now, so if you're in the masses - and who isn't? - that's why you may have been getting those messages.
Dave Bittner: [00:13:16] And finally, a case in Pennsylvania illustrates some of the legal dimensions of cyber stalking. A Warminster, Pa., man, Blair Strouse, has been sentenced to 2 1/2 years in federal prison for threatening his estranged wife and her family. He did this online, and the people he threatened weren't all in-state. We'll give the prosecutor the last word. U.S. Attorney William McSwain offered a succinct explanation of why this was a crime. Quote, "It's not an excuse to say you were just mouthing off. If you threaten serious bodily injury or even death over the internet, that is a federal crime with consequences." So a word to the wise - control yourselves, ladies and gentlemen. At some point, shooting your digital mouth off crosses the line into communicating a threat.
Dave Bittner: [00:14:10] And now, a message from our sponsor ObserveIT.
Unidentified Person: [00:14:15] Great party, huh?
Dave Bittner: [00:14:16] Yeah, yeah. Great party. Could you excuse me for just a moment? Hey, you. What are you doing? Oh, no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss.
Unidentified Person: [00:14:36] Did someone say trouble? I bet I can help.
Dave Bittner: [00:14:38] Who are you?
Unidentified Person: [00:14:39] To catch insider threats, you need complete visibility into risky user activity. Here. I'll show you how ObserveIT works.
Dave Bittner: [00:14:47] Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this.
Unidentified Person: [00:14:56] Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it.
Dave Bittner: [00:15:02] But wait. What's your name? Oh, well. Thanks, ObserveIT, and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire.
Dave Bittner: [00:15:29] And I'm pleased to be joined once again by Craig Williams. He's the head of Talos outreach at Cisco. Craig, it's always good to have you back. You and I talked previously about Sea Turtle, and you've got some updates to share with us. Before we get to that, can you just give us a brief overview or reminder? What is Sea Turtle?
Craig Williams: [00:15:46] Sure. So Sea Turtle is one of two separate campaigns that we believe are operated by different actors that we're seeing in the Middle East and North Africa involving DNS tomfoolery, we'll call it - basically, actors hijacking DNS to redirect victims to their site. And the Sea Turtle campaign - primarily, it's been reserved for strategic military targets at this point. When we identified this actor, you know, we worked with CyberWire and several of our partners in the Cyber Threat Alliance to get the word out there so that people could see the difference in the TTPs.
Craig Williams: [00:16:19] You know, and normally, when you do something like that, bad actors - particularly those, you know, who are likely related to nation-states - tend to stop their activity, right? They don't want to be openly seen doing bad things. Unfortunately for us, the Sea Turtle actors did not stop. They continued with their mission. They basically changed their TTPs a little bit. They added some additional infrastructure, but overall, they just continued to compromise sites.
Craig Williams: [00:16:46] And so it's unusually brazen. Normally, when you catch somebody red-handed, they'll stop, particularly if other people have blamed other actors, right? It's like a get out of jail free card, but these actors didn't care. You know, like, imagine if you're a bank robber, and all of a sudden, one of the witnesses misidentifies somebody else as the bank robber, and the police get him. Criminals would...
Dave Bittner: [00:17:06] Quit while you're ahead, right? (Laughter).
Craig Williams: [00:17:08] Yeah. And normal criminals would be like, hey, I'm going to stop this week, and then tomorrow, I'm going to come back in a completely different outfit and continue robbing banks if I want. But, you know, they would probably stop to not get caught. These actors have not stopped. They have changed their operations a little bit. We were able to identify some additional past activity with them, and unfortunately, they seem to be broadening the types of places that they target.
Craig Williams: [00:17:31] So this is kind of what we were worried about, right? I mean, last time, we talked about how they were primarily targeting, basically, military or strategic targets - so for the average user, not that big of a concern. Now, it's not expanded too much outside of that, but it has expanded to other government organizations, energy companies, things like think tanks, international organizations and airports. It's a disturbing trend. You know, I'm concerned that this activity will continue to broaden as they continue to be successful.
Craig Williams: [00:17:57] You know, one of the more concerning things we've noticed in the past is that for some of the very - let's call them high-value targets - the attackers were actually making new individual servers for each one - new name servers with new IP addresses so that it would be very difficult for it to be noticed and for it to be identified. Unfortunately, I guess they decided that that was not necessary anymore, and so they started reusing infrastructure, which is how we initially found them. So it's - looks even more like a system that's been in place for a while. They're not only broadening their target set, but they're optimizing their capabilities.
Dave Bittner: [00:18:32] So what is available in terms of defense against this?
Craig Williams: [00:18:36] Well, there's a lot of different ways to defend against it. You know, I think the primary one is making sure that your registrars are secure, making sure that your name servers are hardened. You know, simple things like multi-factor authentication can be extremely useful. You know, if you have very sensitive domains, start looking at things like DNSSEC. Try and validate lookups with a recursive resolver or something like open DNS, right? Make sure that everybody is seeing the right domain for your site.
Craig Williams: [00:19:02] You know, so there's lots of different things you can do. You can make sure that passwords are rotated, particularly if you're something that nation-states in the Middle East and North Africa may want. You know, if you're a registrar hosting those type of domains or TLDs, realize that you're a target, right? I mean, we're seeing secondary targets attacked in the United States and Sweden, so we need to make sure that everyone who's involved with these type of sites and these type - basically, potentially hosting this type of information realize that they're a target. You know, and that - you can do simple things, too, like look who's connected to your VPN, right? Where's it coming from?
Dave Bittner: [00:19:35] So this is one to watch.
Craig Williams: [00:19:37] Definitely. I don't think these actors are going to go away until they have a significant reason to. You know, from what we've seen, they've only continued to expand their operation, and I expect we'll continue to see that going forward.
Dave Bittner: [00:19:48] All right. Well, Craig Williams, thanks for joining us.
Dave Bittner: [00:19:55] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:08] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.