Actionable intelligence, and the difficulty of cutting through noise. Extortion hits Johannesburg. Criminal-to-criminal markets. Who’s more vulnerable to phishing, the old or the young?

Dave Bittner: [00:00:03] Actionable intelligence, culling signal from noise and the online resilience of threat groups. Ransomware hits a legal case management system. The city of Johannesburg continues its recovery from an online extortion attempt. The Raccoon information stealer looks like a disruptive product in the criminal-to-criminal market - not the best, but good enough and cheaper than the high-end alternatives. And who's more vulnerable to scams - seniors or young adults? It's complicated. 

Dave Bittner: [00:00:38]  And now a word from our sponsor Coalfire. When organizations stand up new services or move existing applications to the cloud, IT security efforts need to be coordinated with business units and partners. A common question inevitably arises. Is security the cloud platform provider's responsibility, or is it the customer's responsibility? To optimize data security, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the introduction of the HITRUST shared responsibility program, there's now a solid path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011, and they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor, at coalfire.com/hitrust. That's coalfire.com/hitrust, and we thank Coalfire for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing one billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:17]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 28, 2019. ISIS leader Abu Bakr al-Baghdadi died Saturday in Syria's Idlib province, killing himself and, sadly, three of his children as U.S. Special Operations Forces cornered the terrorist leader in a tunnel. According to the Voice of America, U.S. Defense Secretary Esper said late-breaking actionable intelligence developed that morning enabled the attack to be executed within hours. 

Dave Bittner: [00:02:51]  Reuters says al-Baghdadi was located with the assistance of captured ISIS leaders. Whatever its accuracy, this report and others like it will probably erode the terrorist group's relationships of trust. One of al-Baghdadi's principal lieutenants, spokesman Abu Hassan al-Muhajir, was killed in a U.S. airstrike hours after the Idlib raid, the Times reports. A Bloomberg op-ed argues that terrorist groups like ISIS have proven resilient to leaders' deaths. Expect any regrouping to be foreshadowed by information operations. 

Dave Bittner: [00:03:25]  What sort of late-breaking actionable intelligence Defense Secretary Esper referred to is, of course - and quite properly - left unclear, but developing target indicators into targets can be a difficult process, and indicators are often missed. One such set of indicators seems to have surrounded one of the last high-profile massacres al-Baghdadi claimed for ISIS - the Easter massacres in Sri Lanka this April. A parliamentary select committee convened to review the attack concluded that Sri Lanka's intelligence leaders missed reports that should have alerted them to an imminent attack. Those reports began arriving as early as April 4, 17 days before the April 21 attack. Apart from direct observation of online terrorist chatter, which can be notoriously noisy, the security forces are said to have failed to act on domestic police warnings and alerts fed to them by Indian intelligence services. Missing signal is an old problem. The U.S. certainly did the same during the run up to 9/11. 

Dave Bittner: [00:04:26]  This weekend, as the Diwali celebrations arrived, authorities in India raised the alert level in several cities as the Pakistan-based terror group Jaish-e-Mohammed threatened attacks against those celebrating the Hindu festival of lights. Those attacks seem not to have materialized, and that's another instance of chatter being disruptive noise. 

Dave Bittner: [00:04:48]  A ransomware attack against TrialWorks, a widely used legal case management system, has caused disruption of trials and schedules as TrialWorks recovers and as the law firms that use the product look for workarounds and alternatives. Bleeping Computer says the ransomware strain involved is so far unknown, but the attack resembles, in some respects, August incidents that involved GandCrab successor REvil Sodinokibi. TrialWorks says it's decrypting the affected files, which has led to speculation that they went ahead and paid the ransom. 

Dave Bittner: [00:05:22]  The City of Johannesburg sustained a breach Thursday that led it to suspend most online services. The group claiming responsibility, the Shadow Kill Hackers, has said they'll publicly dump all the stolen data if they weren't paid 4 bitcoin by 5 p.m. Johannesburg time today. That was 11 a.m. U.S. Eastern Time, so the deadline has come and gone. We don't have any word yet on whether the Shadow Kill Hackers have done what they threatened to do or whether Johannesburg has paid up. 

Dave Bittner: [00:05:51]  Here's what Johannesburg city staffers told SC Magazine was in the note they received. Quote, "Hello, Jo'burg city. Here are Shadow Kill Hackers speaking. All of your servers and data have been hacked. We have dozens of backdoors inside your city. We have control of everything in your city. We can shut off everything with a button. We also compromised all passwords and sensitive data such as finance and personal population information. Your city must pay us 4 bitcoins. If you don't pay on time, we will upload the whole data available to anyone in the internet." We note in passing that their style is like a somewhat less over-the-top version of Shadow Broker-ese (ph), a scriptwriter's conception of broken English we confess we continue to miss. 

Dave Bittner: [00:06:35]  The attack was initially described as ransomware, but that may be misleading. There does indeed appear to be an extortion demand, but the disruption to city services appears to have been largely a precautionary measure taken by the city government itself, which tweeted that interruption of services were consequences of the investigation. The city said that customers will not be able to transact on e-services or log queries via the city's call center or customer service centers. Most services were restored over the weekend. 

Dave Bittner: [00:07:05]  The Shadow Kill Hackers made two threats. In addition to dumping the information online and telling everyone how they got it, they also threatened to delete all the data permanently. If that's more than an empty threat, it suggests they dropped a wiper into Johannesburg's network. 

Dave Bittner: [00:07:21]  Researchers at security firm Cybereason have offered their take on the Raccoon information-stealer that's gaining black market share in the criminal-to-criminal markets. It's not sophisticated, but it's relatively cheap and easy to use, which makes it a classic example of a disruptive product. Raccoon is available for 175 to $200, and it's usually delivered via the Fallout or RIG exploit kits. Raccoon's native home seems to be the Russian criminal underground. It began as a password-stealer but has expanded into other forms of data theft. 

Dave Bittner: [00:07:57]  And finally, who's most gullible with respect to online scams? Specifically, which age cohort is likeliest to take the phish bait, and who's more predisposed to spit the hook? Well, the U.S. Federal Trade Commission has reached what will be for many a surprising, counterintuitive conclusion on the matter. You may think that the proverbial grandpa and grandma are likelier to fall victim to phishing scams than others, but no. Actually, people over 60 are less likely to take the phish bait than our younger adults, particularly millennials. The FTC's recent report on protecting older consumers reached that conclusion. 

Dave Bittner: [00:08:35]  There is a downside, however. While older adults are less likely to fall for scams than are the young adults, when seniors do bite on the fraud, their losses tend to be higher. Those over 80 seem to take the biggest hit per scam. So everyone, young or old, click with caution, and read with appropriate open-minded skepticism, which is good advice at any age. 

Dave Bittner: [00:09:02]  And now a word from our sponsor KnowBe4. Having spent over a decade as part of the CIA's Center for Cyber Intelligence and the Counterterrorism Mission Center, Rosa Smothers knows the ins and outs of leaving cyber operations against terrorists and nation-state adversaries. She's seen firsthand how the bad guys operate, she knows the threat they pose, and she can tell you how to use that knowledge to make organizations like yourself a hard target. Get the inside spy scoop and find out why Rosa, now KnowBe4's SVP of cyber operations, encourages organizations like yours to maintain a healthy sense of paranoia. Go to knowbe4.com/cia to learn more about this exclusive webinar. That's knowbe4.com/cia, and we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:10:03]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back. 

Joe Carrigan: [00:10:12]  It's good to be back, Dave. 

Dave Bittner: [00:10:13]  Before we dig into today's story, you have a little bit of follow-up for us. 

Joe Carrigan: [00:10:16]  I have some correction. Last week, I made the comment that I was considering not giving future health care providers my actual birth date, and someone hit me up on Twitter – Franklin (ph), thank you for pointing this out - that if you do that, then your claims may not be paid because that piece of PII is used to identify you with the insurance company. So if the insurance company gets a different birth date, they're going to say, this isn't the right Joe Carrigan, and they're not going to pay my claim. And I have to give them the correct birth date because I need to give the - my employer my correct birth date, who then gives it to my insurance company, who then asks my doctor for it. 

Dave Bittner: [00:10:53]  I see. 

Joe Carrigan: [00:10:54]  So... 

Dave Bittner: [00:10:54]  So you could be shooting yourself in the foot. 

Joe Carrigan: [00:10:55]  Yep, so don't do that. If you've already done it, go out and correct it. 

Dave Bittner: [00:10:58]  OK. 

Joe Carrigan: [00:10:58]  Sorry. 

Dave Bittner: [00:11:00]  Fair enough. Well, this week we're talking about a story that came by from Threatpost. This is from Tom Spring, and it's titled "15 Years Later, Metasploit Still Manages To Be A Menace." 

Joe Carrigan: [00:11:11]  A menace - I don't like that term, a menace - and a useful tool for penetration testers. 

Dave Bittner: [00:11:17]  Yeah, well, before we dig in here, just a quick overview on - what is Metasploit for folks who may not be familiar with it? 

Joe Carrigan: [00:11:23]  Metasploit is a framework. I'm not intimately familiar with it, but it is a tool that you can use to penetrate networks. It comes pre-bundled with a bunch of known exploits, and if you discover an exploit or a vulnerability, then you can write your own exploits in Metasploit and have them run. And you can distribute them as well so that your other penetration testers can use it as well. But just like any other tool, it can be misused and frequently is misused. 

Dave Bittner: [00:11:49]  Right. 

Joe Carrigan: [00:11:50]  When you hear the term script kiddie, these are generally people who are learning to use Metasploit and running very simple attacks against other targets that may not be protected against it. And there is even a graphic user interface called Armitage for the Metasploit framework. 

Dave Bittner: [00:12:07]  I see. 

Joe Carrigan: [00:12:08]  So it makes hacking very easy, but that's - the intent of the tool was to make - it was designed by a guy who had, you know - was a network administrator and had to do all this other stuff along with test the security of his network, so he automated the process of testing the security of his network. 

Dave Bittner: [00:12:23]  He built a tool to make his own job easier... 

Joe Carrigan: [00:12:25]  Yep. 

Dave Bittner: [00:12:26]  ...Shared it with the community. 

Joe Carrigan: [00:12:27]  Yep. 

Dave Bittner: [00:12:27]  And of course, any tool can be used for good or bad. 

Joe Carrigan: [00:12:30]  Right. 

Dave Bittner: [00:12:31]  So what are they getting at here with their - with the notion that it could be a menace? 

Joe Carrigan: [00:12:35]  They're talking about a particular technique that Metasploit presents called shikata ga nai, which is Japanese for nothing can be done. And what it does is it makes your exploit polymorphic, so it's very difficult to see it when it's coming in through your network. So detection systems are less likely to find it, and the exploit is more likely to be successful. 

Dave Bittner: [00:12:59]  So it's doing some encryption, some scrambling of what your... 

Joe Carrigan: [00:13:04]  Yep. It uses... 

Dave Bittner: [00:13:05]  ...Stuff will be looking for. 

Joe Carrigan: [00:13:06]  It uses something called XOR encryption. It's a very basic type of encryption. It is good, and actually, it's technically unbreakable if you have a long enough random key. But those keys are one-time use keys. It's effectively a one-time pad cipher. So XOR is a bitwise operator, which means that if you go through a string of bits one at a time, you can encode them with a key. But the great thing about it is that you can decode them with the same operation in the same key. So if I have a key that's exactly as long as the message that has enough randomness, it imparts all of that randomness to the message, and then that randomness is easily deciphered with the same key. 

Dave Bittner: [00:13:48]  OK. 

Joe Carrigan: [00:13:48]  But it pretty much requires pre-shared keys or some way to share that key, and those keys can only be used once. If you use them multiple times, it's very easy to break the encryption. 

Dave Bittner: [00:14:00]  I see. 

Joe Carrigan: [00:14:00]  So that's a high-level look at XOR encryption. 

Dave Bittner: [00:14:04]  And so as that applies to Metasploit here, it's just a matter of making the scripts harder to detect. 

Joe Carrigan: [00:14:10]  Right. What they're doing is they're using XOR to make the payloads harder to detect because they essentially look like random strings of bits. And then once the payload is in the target system, it's trivial to decrypt it if the software has the key. 

Dave Bittner: [00:14:23]  All right. So, I mean, overall, Metasploit - valuable tool. 

Joe Carrigan: [00:14:27]  But just like any other tool, it's going to have bad uses and people that are good at - very good at using it. And there are people out there that are remarkably good at using this tool. A lot of them are on the good guy's side, but a lot of them are also on the bad guy's side. 

Dave Bittner: [00:14:40]  Yeah. All right, well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:14:43]  My pleasure. 

Dave Bittner: [00:14:48]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:15:29]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.