The CyberWire Daily Podcast 8.27.19
Ep 915 | 8.27.19

Hostinger resets passwords after an intrusion. Social media fraud. Notes on RATs and ransomware. Free decryptor for Syrk. Hedge funds go bananas.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick reminder to follow the CyberWire on your favorite social media platforms - Twitter, Facebook, LinkedIn; all the usual suspects. Pretty sure we're not on Talkomatic or Friendster anymore. Try as I might, I can't get the suits down the hall to greenlight a dial-up BBS. So Twitter, Facebook, LinkedIn - we'll see you there. 

Dave Bittner: [00:00:24]  Hostinger resets passwords after a breach. Arkose finds that more than half the social media logins they investigated during the recent quarter were fraudulent. U.S. state governors seem likely to call on the National Guard to help with cyber incidents. A new phishing campaign is distributing the Quasar RAT. A new ransomware strain, Nemty, is out in the wild. Has your Fortnite account been encrypted? Emsisoft can help. And who knew that hedge funds liked bananas? 

Dave Bittner: [00:00:58]  It's time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email. And every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice, to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:02:35]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 27, 2019. Web hosting provider and domain registrar Hostinger reset user passwords over the weekend after determining that unauthorized parties had gained access to databases in its internal systems. About half of the company's 29 million users may have had their information exposed in the breach. The breach is thought to have occurred last Thursday, when an intruder tripped an alert that a server had been improperly accessed. Using an access token found on the server, the attacker gained access to an API database that contained customer usernames, email addresses and passwords. These were all hashed with SHA-1, which is good but not nearly as good as it might have been, since SHA-1 is vulnerable and has been deprecated. Hostinger has since moved to the stronger SHA-2 algorithm. The company says no financial information was exposed. But the compromise is worrisome, and customers were told to reset their credentials. 

Dave Bittner: [00:03:42]  It seems there's lots of fraud in social media. Now, saying that social media are rife with fraudulent activity will, of course, surprise no one, but the scale of the fraud is surprising. Arkose Labs' Fraud and Abuse Report for the third quarter claims that over half the logins they investigated were fraudulent. The company analyzed more than 1.2 billion logins in the financial services, e-commerce, travel, social media, gaming and entertainment sectors to reach this conclusion. The national center of gravity for social media fraud also seems to have shifted, with the Philippines now the clear leader in the origination of such traffic. The U.S. is a distant second, with Russia, the U.K. and Indonesia as also-rans. 

Dave Bittner: [00:04:28]  Recent attacks on U.S. local governments suggest that one of the threats to expect during the 2020 elections will be ransomware. Reuters reports that CISA is working to help secure voter registration databases in particular against this form of attack. StateScoop sees the National Guard assuming a role in ransomware defense. U.S. Air Force General Joseph Lengyel, currently chief of the National Guard Bureau, said late last week that the recent incidents in Texas and Louisiana have amounted not exactly to a cyber hurricane but to a major cyber storm. In both states, the governors called on the National Guard for help. He expects this to become more common. And as states and municipalities are hit by hacking, they are likely to call out the Guard. 

Dave Bittner: [00:05:16]  Cofense researchers have detected a sophisticated phishing campaign distributing the Quasar remote-access Trojan. Quasar is a widely available commodity RAT, but the campaign distributing it is not just some off-the-shelf crimeware. Cofense says the email vectors have proven unusually adept at evading detection and avoiding analysis. 

Dave Bittner: [00:05:38]  Bleeping Computer reports research by Vitali Kremez that outlines a new strain of ransomware, Nemty. It appears to spread via remote desktop protocol. RDP would give an attacker more control over the attempt than the more commonplace email vector. Nemty is an odd duck in terms of some of its features. There are embedded references, for example, to Russian President Vladimir Putin, although it's unclear from the reports whether these are complimentary or derogatory. And the code checks for systems in Russia, Belarus, Kazakhstan and Tadzhikistan but apparently not to avoid infecting machines in those countries, as is so often the case. 

Carole Theriault: [00:06:21]  So meet Omar Yaacoubi. He heads up a U.K. company named Barac. Now, Barac specializes in detecting encrypted traffic by using machine learning and behavioral analytics to analyze not the contents - I mean, it's encrypted, remember? - but by looking at the metadata that is holding that encrypted content. Now, that sounds pretty neat. I asked Omar to come and chat with us about this technology and to help us understand how it can help us beat even the most privacy-aware bad guys at their own game. 

Carole Theriault: [00:06:58]  Omar, thanks so much for coming on the show. Now, it seems you and your guys at Barac uncovered a sophisticated cyberattack targeting a major African headquartered financial institution. Now, what were the bad guys up to? Can you set the scene for us? 

Omar Yaacoubi: [00:07:14]  Yeah. So the team - well, the scoring - we do what we call scoring engines. So we score every connection - encrypted connection. And the scoring engine in this case scored several connections as high. So the team went to - took a look - to take a look at those metadata and those connections coming out of the bank. We found suspicious activity around certificate run different information. So when we took a look at more - indeed more details, we found out that it was a sophisticated attack and exfiltration by - associated to North Korea in this case. 

Carole Theriault: [00:07:55]  And so, just to be clear, what you're saying is the data was encrypted, so you guys aren't actually seeing what's inside or what's being shared. But just the pattern of traffic had changed, and that was enough to alert you guys that something weird was going on. 

Omar Yaacoubi: [00:08:10]  Yes. So we don't see the data itself. We look at what we call the metadata related to the traffic. And by looking at those metadata, we've been able to spot abnormality within those metadata. So certificate information contained the word NK, for example, that was associated to North Korea. The traffic was going to a country in East - in Eastern Europe. The size of the package was the same. The cipher suites proposed and used were - all were the same. So all those combined together were raising flags as abnormal behavior within that financial institution. 

Carole Theriault: [00:08:50]  Now, you guys were working with this financial institution, and you were able to presumably spot this and put a stop to it. Is that right? 

Omar Yaacoubi: [00:08:59]  Yes. So we spotted this early in our fusing our beaconing engine to be able to block that traffic and investigate - dig in more into detail. So we sent sandbox to that suspicious IP with the help of the banking team and some of the partners. And then we discovered that it was a command and control - advanced command and control traffic that was taking place with the full audit of the logs and information. So the people that were behind it were trying to do small transactions on their SWIFT account to be able to extract that money and send the money to suspicious servers. 

Carole Theriault: [00:09:38]  You know, it's almost ironic - isn't it? - because they were obviously doing small transactions to evade detection. But in trying to do that, their data - their metadata actually changed pattern, and then that is what actually alerted you to the problem. 

Omar Yaacoubi: [00:09:52]  Yes, exactly. So even if you try to do some advanced detection or advanced attacks, the metadata still gives us a clear indication on what you guys are doing, especially when you associate that with powerful machine learning that learned from the behavior of the bank, the people within the bank, the transactions, the traffic - understands what's normal and is therefore able to detect all those abnormalities or all those things going wrong within the bank or within any other customer. 

Carole Theriault: [00:10:21]  Now, tell me - is this a unique example? Have you never seen anything like this before? 

Omar Yaacoubi: [00:10:27]  We've never seen such an advanced type of attack before. All the certificate information was good. All the certificates were legit. The servers were legit - never been flagged before. The encryption used was moderately strong. So all that combined together shows that the hackers are also - especially powerful nation hackers - are moving toward encryption and are moving toward hiding all that traffic behind encryption. 

Carole Theriault: [00:10:58]  Well, Omar, on behalf of banking customers worldwide, we thank you for fighting the good fight. And thank you for coming on the show and making the time to speak with us. 

Omar Yaacoubi: [00:11:08]  Thank you very much. 

Carole Theriault: [00:11:09]  This was Carole Theriault for the CyberWire. 

Dave Bittner: [00:11:12]  Emsisoft has a free decryptor available for the Syrk ransomware that bamboozled Fortnite players looking for methods of cheating. Don't look for cheats, friends, and earn your skins and loot boxes legitimately. But if you were infected, Emsisoft has your back. And bravo, Emsisoft, we say. 

Dave Bittner: [00:11:30]  The Washington Post conducted a quick experiment to see who received data generated in credit card transactions, what kind of data interested them and what they did with the data once they had them. Technology columnist Geoffrey A. Fowler went to Target and bought a couple of bananas - 29 cents each - with the Chase Amazon Prime Rewards Visa and another with an Apple Card. He says he found that, quote, "six types of businesses could mine and share elements of my purchase, multiplied untold times by other companies they might have passed it to." 

Dave Bittner: [00:12:04]  Perhaps unsurprisingly, he found it difficult to determine just who had his data and what they were doing with the data. Some data consumers were obvious, like Target itself, Amazon, Google and other marketers. But others were surprising - to us, anyway - like hedge funds. Who knew hedge funds were so interested in purchases of fruit, even one so rich in beneficial potassium as the banana? And note Mr. Fowler's observation about the effective impossibility of determining to whom the data collectors might have passed or sold their take. He contacted some of the businesses who were interested in his information and says he generally got the EULA-style verbal misdirection behind which companies retreat, as an octopus cloaks himself in ink to make a clean getaway - or in other cases, they just didn't reply. 

Dave Bittner: [00:12:58]  Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show. 

Dave Bittner: [00:14:03]  And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. I wanted to touch today on cybersecurity assessment - sort of taking stock and measuring where you are as an organization. I know you have some specific thoughts about this. 

David Dufour: [00:14:22]  You know I do, David. Great to be back, as always. You know, a lot of times people say cybersecurity assessment and they're thinking, you know, the CISO or the risk coordinator coming down from the top and saying, you know, we've got to look at this or we've got to look at that. But in this instance, I'm really talking about your technology teams, your software engineers, your IS team, your network support folks. And how do you put some processes in place that help those teams, one, assess themselves on their security posture and, two, allow those external resources, like the CISO or the risk folks, to come in and analyze, you know, how these teams are doing. 

Dave Bittner: [00:15:00]  So what does a self-assessment provide you that's different from someone coming in from outside? 

David Dufour: [00:15:07]  A couple things. One, a self-assessment set up properly with - we have a lot of agile teams, and those agile teams do spend time doing self-assessments. The biggest thing that it does, honestly, is get buy-in from the teams on why this is important, and it helps them work closer with the security folks - the CISO, etc. - to be able to really buy into the whole security process and why it's important. That's just from the buy-in perspective. 

David Dufour: [00:15:33]  But how it plays out in practicality is - what we do is we try to put some parameters in place on trying to have small code bases, the smallest code base you can for development teams; the larger code base, the larger footprint for an attack. We analyze the way that they're doing development, what type of maybe open source they're using and the risk that that may have. And in this effort, we're giving the teams parameters to analyze the choices they're making and the choices their teammates are making, so as a team, they can work together because there's a lot of pride in being the best-rated secure engineering team here. 

Dave Bittner: [00:16:10]  It's interesting that you mentioned how, you know, the teams have a say in the process itself, that they've got a part in, you know, deciding how we're going to measure things internally. 

David Dufour: [00:16:20]  That's exactly right. And again, about buy-in - and let me tell you, David, I - working at a cybersecurity company, the engineering teams - I mean, I feel bad for the CISOs here because they come in and try to tell a bunch of cybersecurity engineers what to do, and you want to talk about getting pushback... 

[00:16:36]  (LAUGHTER) 

David Dufour: [00:16:36]  But what this does is help them really have that buy-in and really, you know, apply the knowledge they have on hacking and attacks to their development processes - makes the whole organization more secure. But it really is fundamentally working with both the CISO and getting the teams bought in to figure out how to provide those standards and what it is they should be looking for because if you do it at the point of development or the point technology is implemented, you're going to have a lot stronger security posture than if you're trying to do it from the top down. 

Dave Bittner: [00:17:07]  I would imagine also that if you compare your own internal assessment to an external assessment, that could be really insightful for seeing the way you view yourselves differently than perhaps the way other people view you. 

David Dufour: [00:17:23]  That is another great point, in that it brings value to the table when there is the external assessment - someone comes in and looks at us - because you're also now ready to have that dialogue. When someone says, externally, hey, this doesn't look right or this is maybe a miss on your part, the team can say, you know what? That is a miss, and we're sorry. Or they can say, you know what? We've thought about that, and this is why we've made choices around that. And they can have a really good dialogue. To be honest, assessors like it because they now feel like they're working with someone that's really invested and that understands what they're trying to do, and you just end up with a better, more secure posture in your technology stack. 

Dave Bittner: [00:18:05]  All right. Well, David Dufour, thanks for joining us. 

David Dufour: [00:18:08]  Great being here, David. 

Dave Bittner: [00:18:14]  And that's the CyberWire. 

Dave Bittner: [00:18:15]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:27]  Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:18:55]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.