Fancy Bear is snuffling around corporate IoT devices. Machete takes its cuts at Venezuelan military targets. What Mr. Kim is buying. MegaCortex goes for automation. Vigilantes, misconfigurations, etc.
Fancy Bear is back, and maybe in your office printer. Machete, a cyber espionage group active at least since 2014, is currently working against the Venezuelan military. A UN report allegedly offers a look at what Mr. Kim is doing with the money his hackers have raked in. MegaCortex ransomware shows growing automation. Another unsecured AWS S3 bucket is found. A bank stores some PINs in a log file. Vigilante anti-smishing, and when popping off becomes arguably criminal.

And now I'd like to share some words about our sponsor. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operations center support around the globe and over 300 security experts in house, Akamai surrounds and protects your users wherever they are: at the core, in the cloud, or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai: intelligent security starts at the edge. Learn more at akamai.com/security. And we thank Akamai for sponsoring our show.

Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 6th, 2019.

Microsoft reports that Strontium, also known as Fancy Bear or APT28, that is, Russia's GRU military intelligence service, has undertaken a campaign to breach enterprise networks by exploiting poorly secured IoT devices: printers, video decoders and voice-over-IP phones. Redmond says that in April its researchers discovered infrastructure of a known adversary communicating to several external devices. Once in, the attackers would seek to pivot to more interesting targets. At least two of the corporate victims had left manufacturers' default passwords on their devices; a third had failed to keep their software updated. The campaign's goal is unknown.

ESET is tracking recent activity by Machete, a cyber espionage threat actor working against Venezuela's military as well as some targets in Ecuador, Colombia and El Salvador. Machete was identified by Kaspersky in 2014 and has since been tracked by Cylance. While it's been mostly active against Spanish-speaking countries, it's also looked at targets in Canada, China, Germany, South Korea, Sweden, Ukraine, the United Kingdom and the United States. There's no clear attribution, and ZDNet notes that it's unknown whether Machete is state-directed or the work of freelancers. It typically gains entry to its targets by phishing.

What do you buy with your ill-gotten cyber gains? Well, if you're Mr. Kim, maybe a few implosion weapons, some launch vehicles, you know, whatever you can fit into your cart. Reuters says that yesterday it saw a report on North Korean cyber operations that the United Nations Security Council received last week. Pyongyang's extensive state-operated cybercrime program has raised some $2 billion since its inception, the report said. The starting date of the cybercrime operations isn't stated in the fragments of the report that have been released, but Computing observes that the UN significantly tightened sanctions on North Korea in 2006. The funds have been used to pay for Pyongyang's weapons of mass destruction, essentially its nuclear and ballistic missile programs. Foreign banks and cryptocurrencies are the principal targets. There have been at least 35 reported instances of DPRK actors attacking financial institutions, cryptocurrency exchanges and mining activities designed to earn foreign currency. The report is said to conclude that the Security Council is likely to consider further sanctions against North Korea, although there can't be much left to sanction.

In yet another case of a user failing to secure its data in the cloud, UpGuard has found more than six million email addresses in an unsecured Amazon S3 bucket belonging to the US Democratic Senatorial Campaign Committee. The data were posted in 2010 and appear from file names to have some connection with former Senator Hillary Clinton's campaign, perhaps a do-not-contact list of people who were associated with the campaign. In any case, the data were compiled by the DSCC, and the DSCC notes with some justice that the information exposed consisted only of email addresses, which is true enough; it could have been more damaging. Still, almost any data can be valuable to some criminal or intelligence enterprise. The DSCC says that the data are almost a decade old, which is also true, but another way of looking at the matter, as UpGuard observes, is that the data have been gurgling around in the cloud for nine years now, which is plenty of time for exploitation in some form.

The Black Hat conference in Las Vegas is underway, and the keynote at this year's [unclear] event is being given by Chris Roberts, chief security strategist at Attivo Networks. The title of his talk is "A Hacker's Perspective: Where Do We Go From Here?" Chris Roberts joins us with a preview.

I mean, let's face it, as an industry.
You've got to look at the numbers. We're spending, you know, $120-plus billion in this industry, and we keep losing more and more data. So I would argue that we're not exactly in a good situation. We have failed the challenges that we went to protect.

Is it your sense that things are getting better or worse, or are we treading water at best?

I would say we're treading water. I wouldn't say that we're getting better. I mean, the innovation is fantastic. I mean, don't get me wrong, we're actually doing some amazing, innovative things, but we have a lot to do. We have a long way to go. I mean, you've got over 3,000 security vendors out there, each one of them, unfortunately, telling organizations that they can fix everything. Let's be honest, quite a lot of them can't. We spend a long time chasing buzzwords. We have security conferences where 50,000 people go, but let's be honest, half of them probably don't want to be there, and the cost of attending, let alone the cost of putting a booth in one of those, is ridiculous. It's an industry where we're more focused on minting millionaires and billionaires than we are on actually protecting data. So, you know, it's a little frustrating.

I can sense your frustration, and do you think you're erring on the side of being a little cynical? I mean, are there things to be optimistic about?

I mean, it depends on where you stand. I mean, let's be brutally honest. If you are a consumer and you just watched your shopping experience go down the drain because somebody lost your data, you just watched a couple of banks lose your information, you're in the military, you lost, you know, your credentials and all the intelligence there, you go to hospital and they lose your data. No, I wouldn't take a really positive look at our industry. You flip it around and you look at our industry and what we are trying to do, and maybe some of the movements that we're doing now, we have actually realized that we've got some challenges. We have to do things differently than maybe... I mean, I wouldn't say it's too little, too late, but I would definitely say that we have a lot of growing up to do as an industry, and we need to do it a lot faster than I think a lot of people want to believe. And I think that's probably especially relevant from, like, the vendor supply side, less so the people that are in the trenches, the people on the blue team that are actually trying to protect us and doing the best they can.

So what do you suppose are the forces that could make that sort of change come into play?

I think collaboration and communication would be two of the big ones, and then really taking a step back and looking at the humans. If we turn around and spend more time looking at the humans that we have, you know, they are, to some degree, our best assets, and that's everybody from, you know, the users that we've blamed for everything, maybe we turn around and try to educate them in how to protect themselves more effectively and not do it in a punitive manner, all the way through to, you know, the board-level directors and everybody else. How do we educate in a way that they understand, not in a way that we're comfortable teaching? I think those are probably two very big ones, and then a little bit of humble pie. You know, we need to go back to the businesses and to the areas of the business we've blamed and say, hey, how do we solve this problem together?

What are the take-homes you want folks who see your presentation at Black Hat going back to their leadership with? What are the messages you want them to take home with them?

I think one of the, probably the biggest ones, is ask more questions. You know, I mean, if you think about it, Black Hat and other conferences are ripe with vendors and suppliers trying to tout their wares, and I look at it... I look at the guys, you know, that are talking about it, and arguably with those same reasons. And to me, it's a case of the people that are coming to listen to the talk. I want to educate them. I want them to ask more questions. When a vendor or a supplier says, hey, you know, I can blind you with science, I want somebody to actually hold their feet to the fire and say, show me. Tell me. Just explain it to me. Prove it to me. How are you actually going to help me? How are you going to help reduce risk? I think that's part of it. I think the other part of it is really that war cry we've been having, which is somewhat back to the basics, which is focus on the human, focus on the simple things, you know. It's the grunt stuff that we don't like doing.

That's Chris Roberts from Attivo Networks.

According to Accenture, MegaCortex ransomware shows signs of greater automation as its masters trade stealth for volume and speed. ZDNet says the ransom demands exceed $5 million. The extortion targets have for the most part been in Europe and North America.

Monzo, the British mobile-only bank, warned customers over the weekend that it had been storing some encrypted PINs in log files. Some of the bank's engineers had access to the files but no need to know any PINs. The bank has now deleted any files improperly stored this way and has advised customers of additional steps they can take to protect their accounts. None of the PINs seem to have been accessed by anyone outside of Monzo, nor have any of them turned up in any of the places one would expect had they leaked. Nonetheless, Monzo has advised its customers of additional actions they could take to secure their accounts. Infosecurity Magazine points out, in an aside, one problem with such warnings and disclosures: they can be indistinguishable from phish bait.
It seems that many of them wound up in spam traps or were disregarded and dumped by cautious customers.

And now, some smishing with a side of PewDiePie. People in the US have been receiving texts with the following message: "I'm here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask." The text is accompanied by some promotional barking in the interest of YouTube celebrity PewDiePie. Naked Security calls him "controversial," which is one way of looking at the gaming commenter whose cultural presence defies easy explanation. Some of those who've noticed the texts have been troubled by the question of how the texters got the recipients' phone numbers in the first place. According to Wired, however, they didn't: they brute-forced them by writing a script to generate all possible mobile numbers from 1 to 9999999. The texters then associated these numbers with each US area code. From there, they sent the texts to the email-to-SMS gateways used by carriers. That's about 7.2 billion possible phone numbers. Wired identifies the spammers by their hacker names, j3ws3r and 0xGiraffe, a pair who last December hacked poorly secured printers and Chromecasts to disseminate a pro-PewDiePie message and, inter alia, lay some wisdom on the masses about these vulnerabilities. They appear to be doing the same kind of shtick now. So if you're in the masses, and who isn't, that's why you may have been getting those messages.

And finally, a case in Pennsylvania illustrates some of the legal dimensions of cyberstalking. A Warminster, Pennsylvania man, Blair Strauss, has been sentenced to two and a half years in federal prison for threatening his estranged wife and her family. He did this online, and the people he threatened weren't all in state. We'll give the prosecutor the last word. US Attorney William McSwain offered a succinct explanation of why this was a crime, quote, "It's not an excuse to say you were just mouthing off. If you threaten serious bodily injury or even death over the Internet, that is a federal crime with consequences," end quote. So, a word to the wise: control yourselves, ladies and gentlemen. At some point, shooting your digital mouth off crosses the line into communicating a threat.

And now, a message from our sponsor, ObserveIT.

Great party. Yeah, yeah, great party. It could be. Excuse me for just a moment. Hey, you, what are you doing? What? No! Looks like another insider got into your systems when we weren't looking. I am going to be in so much trouble with the boss. Did someone say trouble? I bet I can help. Who are you? To catch insider threats, you need complete visibility into risky user activity. Here, I'll show you how it works. Wow, now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this. Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it. But wait, what's your name? Oh, well, thanks, ObserveIT, and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire.

And I'm pleased to be joined once again by Craig Williams. He's the head of Talos Outreach at Cisco. Craig, it's always good to have you back. You and I talked previously about Sea Turtle, and you've got some updates to share with us. Before we get to that, can you just give us a brief overview reminder: what is Sea Turtle?

Sure. Sea Turtle is one of two separate campaigns that we believe are operated by different actors that we're seeing in the Middle East and North Africa involving DNS tomfoolery, we'll call it, basically actors hijacking DNS to redirect victims to their site. And the Sea Turtle campaign primarily, it's been reserved for strategic military targets at this point. When we identified this actor, we worked with partners in the Cyber Threat Alliance to get the word out there so that people could see the difference in the TTPs. Normally when you do something like that, bad actors, particularly those who are likely related to nation-states, tend to stop their activity, right? They don't want to be openly seen doing bad things. Unfortunately for us, the two actors did not stop. They continued with their mission. They basically changed their TTPs a little bit, they added some additional infrastructure, but overall they just continued to compromise sites, and so it's unusually brazen. Normally when you catch somebody red-handed, they'll stop, particularly if other people have blamed other actors, right? It's like a get-out-of-jail-free card. But these actors didn't care. You know, like, imagine if you're a bank robber and all of a sudden one of the witnesses misidentifies somebody else as the bank robber and the police get him. Criminals quit while you're ahead. Criminals, I'm going to stop this week, and then tomorrow I'm going to come back in a completely different outfit and continue robbing banks if I want, but, you know, they would probably stop, not get caught. These actors have not stopped. They've changed their operations a little bit. We were able to identify some additional past activity with them, and unfortunately they seem to be broadening the types of places that they target.

So this is kind of what we're worried about, right? I mean, last time we talked about how they were primarily targeting basically military strategic targets, so for the average user, not that big of a concern.

Now, it's not expanded too much outside of that, but it has expanded to other government organizations, energy companies, things like think tanks, international organizations and airports. It's a disturbing trend. I'm concerned that this activity will continue to broaden as they continue to be successful. One of the more concerning things we've noticed in the past is that for some of the, let's call them high-value targets, the attackers were actually making new individual servers for each one, new name servers with new IP addresses, so that it would be very difficult for it to be noticed and for it to be identified. Unfortunately, I guess they decided that that was not necessary anymore, and so they started reusing infrastructure, which is how we initially found them. So it looks even more like a system that's been in place for a while. They're not only broadening their target set, but they're optimizing their capabilities.

So what is available in terms of defense against this?

Well, there's a lot of different ways to defend against it. You know, I think the primary one is making sure that your registrars are secure, making sure that your name servers are hardened. Simple things like multi-factor authentication can be extremely useful. You know, if you have very sensitive domains, start looking at things like DNSSEC, try to validate lookups with a recursive resolver or something like OpenDNS, right? Make sure that everybody's seeing the right domain for your site. So there's lots of different things you can do. You can make sure that passwords are rotated, particularly if you're something that nation-states in the Middle East and North Africa may want. You know, if you're a registrar hosting those types of domains or TLDs, realize that you're a target, right? I mean, we're seeing secondary targets attacked in the United States and Sweden. So we'd make sure that everyone who's involved at these types of sites, basically potentially hosting this type of information, realizes that they're a target, you know, and you can do simple things, like who's connecting to your VPN, right? Where's it coming from?

So this is one to watch, definitely.

I don't think these actors are going to go away until they have a significant reason to. You know, from what we've seen, they've only continued to expand their operations, and I expect we'll continue to see that going forward.

All right, well, Craig Williams, thanks for joining us.

And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you tomorrow.