Hacking and infosec news: August 22, 2017
This week MalwareTech goes to court, NYT's big Ukrainian DNC malware piece got shredded, connected fish tanks are used to rob casinos, a Yahoo hacker gets extradited, Mirai was meant for PlayStation, and much more.

Anyone remember the second defendant?

Marcus Hutchins (aka "WannaCry hero" MalwareTech) is about to face his August 24th court date, and things aren't looking as optimistic as they were this time last week. 

For starters, it was reported Monday that the UK's GCHQ knew Hutchins would be 'walking into a trap' and the FBI's sting. 

"Our US partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition. Hutchins's arrest freed the British government and intelligence agencies from yet another headache of an extradition battle," an unspecified source told International Business Times.

As you may remember, he pleaded "not guilty" to six counts of felony charges on a grand jury indictment accusing him of creating and maintaining the Kronos banking trojan malware.

He was freed on bail after the hearing and some researchers saw it as a sign of the Feds changing their tune about Hutchins.

Also Monday (yesterday) the court granted a Protective Order clamping down on discovery, binding his legal team to conditions of not being able to share any evidence from discovery, and mandating that his defense team return to the US government or destroy any discovery evidence. In my opinion -- though I've only personally experienced one federal case, and reported on a few -- I believe it means that the court believes the US government has a strong case.

Real imitation news

Last week the NYT published what its staff touted as a political cyber-bombshell, saying a "Ukrainian hacker who wrote program used to hack DNC turned himself in to Ukrainian police; now working with FBI." The article seemed too good to be true -- and it looks like it was. The piece was quickly shredded by not one, but multiple prominent (and a few respected) members of the infosec community. 

@pwnallthethings started a painful thread (with angry branches from researchers whose reports the story cited) by saying, "This claim by NYT based on a misunderstanding of DHS' report; this guy & his malware has nothing to do with DNC hack." 

Robert M. Lee is among those (of many) who broke it down saying in a post, "Where did they get this assertion that P.A.S. was used in the DNC breach? By tying the GRIZZLYSTEPPE report (which does note that P.A.S. has been used by Russian security service members before) to the DNC breach." A FireEye researcher even weighed in saying "i had to stop reading that article after they interviewed carr. i wish there was an authoritative list for media of known fakes/charlatans."

The article has not been updated, noted, or corrected.

Talkin' smack

Say what you will about Kaspersky, but they're never going to get a break in the press. "Current and former senior U.S. officials familiar with the matter" apparently told CyberScoop this week that the FBI is pressuring the private sector to cut its enterprise software ties with Kaspersky. Which is, of course, easier said than done since defense purchasing is done on budget and schedule, and phasing out something like Kaspersky (the product) is going to be a long and extremely expensive haul for any organization. 

CyberScoop adds, "The FBI’s counterintelligence section has been giving briefings since beginning of the year on a priority basis, prioritizing companies in the energy sector and those that use industrial control (ICS) and Supervisory Control and Data Acquisition (SCADA) systems."

So 1337 he hacked your mom's email account

One of the men sought for the giant 2014 Yahoo email hack agreed Friday to forgo his extradition hearing and go face the charges in the United States.

Karim Baratov [who has dual Canadian-Kazakh citizenship, goes by at least two other names according to the FBI] was arrested in Hamilton, Ontario, in March under the Extradition Act after U.S. authorities indicted him and three others, including two alleged officers of Russia's Federal Security Service. They are accused of computer hacking, economic espionage and other crimes.

The 22-year-old previously bragged on Instagram about his young, sudden wealth, showing himself fanning out handfuls of $100 bills and described himself as "well off in high school to be able to afford driving a BMW 7 series and pay off a mortgage on my first house." According to CBC, "He claimed in postings on the social media site Ask.fm that he made his 'first million' when he was 15, working on 'online services.'"

Krebs thought it was all about him, too

Last October the internet had its biggest hiccup to date when a whole bunch of major websites were maliciously knocked offline. The attack was done via the Mirai botnet.

Harnessing the weak security of internet-connected devices, like DVRs and cameras, the bot-herders knocked out a range of sites including Amazon, Netflix, The New York Times, Reddit, Twitter, Spotify, Playstation, Airbnb, Heroku, Vox, The Boston Globe, PayPal, and many others. Hilariously, Wikileaks was sure Mirai was a gift from their supporters.

New research presented at Usenix suggests the Mirai gang may have just been trying to go after PlayStation networks. The Verge explained:

The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. 
All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.

As bad as real mining

Attackers have snatched $500K as Enigma was compromised weeks before its ICO: TechCrunch writes that "Enigma, a de-centralized platform that’s preparing to raise money via a crypto token sale, had its website and a number of social accounts compromised with the perpetrators netting nearly $500,000 in digital coin by sending out spam."

But, they add: "Enigma, which was started by a group of MIT graduates, did not lose any money from the attack. Whoever orchestrated it grabbed money from the Enigma community, people who joined the company’s mailing list or Slack group of over 9,000 users to learn more about its ICO in September." There was some social engineering involved, as the thief apparently "posted Slack messages, altered the website and spoofed emails to a community list which were made to look official and urged money to be sent to their crypto wallet."

Totally super sneaky

File this one under "wishful thinking" (or "dad, stop being embarrassing"). Lieutenant-general Vincent Stewart of the US Defense Intelligence Agency indulged in some strong fantasy in his words at the Department of Defense Intelligence Information System Worldwide Conference. Stewart thinks they're gonna start grabbing malware and ransomworms as they come in and hurl them right back at the bad guys, just like how superdudes in the movies pick up a live grenade and throw it right back at ... whoever threw it.

Once we’ve isolated malware, I want to reengineer it and prep to use it against the same adversary who sought to use against us. We must disrupt to exist.

This is what was being said while the agency did their demo using the Norse pew-pew map, which we all groaned about last week. Yay, our government.

The better for Facebook to phish you with

The $100K "Internet Defense Prize" (from, who else would make such an arrogant name, Facebook) was awarded to researchers at UC Berkeley. They came up with a new, automated way to correctly spot spear phishing on monitored networks. They got an average of 17 out of 19 correct with a system called DAS (Directed Anomaly Scoring) that finds unusual patterns in email:

They trained DAS by having it analyze 370 million emails from one single large enterprise with thousands of employees, sent between March 2013 and January 2017.
Researchers configured DAS to use a series of factors for evaluating newly received emails. These included a sender domain reputation score and sender reputation score, but also analyzed SMTP, NIDS, and LDAP logs, looking at logins from new IPs, total logins per employee, inactivity periods, and others.
By looking at these factors, DAS was able to detect spoofed addresses, spoofed sender names, but also lateral attacks from the compromised accounts of fellow co-workers.
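To make the "directed anomaly scoring" idea concrete, here is a small Python sketch, added here and not the Berkeley researchers' code. It shows the ranking trick as I understand it from their paper: instead of hand-tuning weights for each signal, every email event gets a score equal to the number of other events it is at least as suspicious as in every feature at once, and the defender then alerts on the top of that ranking within a fixed budget. The three features, the events and their values are constructed for the example; the real system used many more signals drawn from SMTP, NIDS and LDAP logs.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EmailEvent:
    """One email plus the login activity that followed a click on its link.

    All three features are constructed for this example, and in each one a
    LOWER value means MORE suspicious (e.g. a domain the organization has
    never received mail from scores 0 on domain reputation).
    """
    msg_id: str
    sender_domain_reputation: int  # days this sender domain has been seen mailing the org
    sender_name_reputation: int    # times this display name was paired with this address
    login_ip_reputation: int       # prior logins by the clicking employee from that IP


FEATURES = ("sender_domain_reputation", "sender_name_reputation", "login_ip_reputation")


def dominates(a: EmailEvent, b: EmailEvent) -> bool:
    """True if event a is at least as suspicious as event b in every feature."""
    return all(getattr(a, f) <= getattr(b, f) for f in FEATURES)


def das_scores(events: List[EmailEvent]) -> Dict[str, int]:
    """Directed anomaly score: how many other events each event dominates.

    An event that is at least as suspicious as many others in all dimensions
    ranks high; an event that looks bad on only one axis but benign on the
    others dominates little and ranks low.  No per-feature weights needed.
    """
    return {
        e.msg_id: sum(1 for other in events if other is not e and dominates(e, other))
        for e in events
    }


def rank_alerts(events: List[EmailEvent], budget: int) -> List[str]:
    """Return the msg_ids an analyst should look at, given a daily alert budget.

    Sorted by score descending; msg_id breaks ties so the result is stable.
    """
    scores = das_scores(events)
    ordered = sorted(events, key=lambda e: (-scores[e.msg_id], e.msg_id))
    return [e.msg_id for e in ordered[:budget]]


# Constructed sample: two routine emails, three attack patterns from the text,
# and one email that is suspicious on every axis.
SAMPLE_EVENTS = [
    EmailEvent("m1", 400, 50, 300),  # routine mail from a long-known vendor
    EmailEvent("m2", 300, 60, 350),  # routine internal mail
    EmailEvent("m3", 0, 40, 250),    # spoofed address: never-seen sender domain
    EmailEvent("m4", 350, 45, 0),    # lateral: trusted coworker account, login from a new IP
    EmailEvent("m5", 200, 0, 100),   # spoofed display name on an unfamiliar address
    EmailEvent("m6", 0, 0, 0),       # suspicious on every feature
]


if __name__ == "__main__":
    for msg_id, score in sorted(das_scores(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{msg_id}: score={score}")
    print("alert on:", rank_alerts(SAMPLE_EVENTS, budget=4))
```

With a budget of four alerts the sketch surfaces m6, m3, m5 and m4, the four constructed attack patterns, and leaves the two routine messages unreviewed; note that the lateral-movement case (m4) only stands out because the login-from-new-IP signal is in the feature set, which is why the researchers pulled in LDAP and NIDS logs rather than scoring the email headers alone.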

More cyberclickables:

Thank you!

Thank you for reading; I appreciate the gift of your time and attention. And if you also show your support by being a patron, you are literally making this post and everything it means possible -- you are making a writer be seen. My gratitude is real.

Image: The hacker briefcase laptop from 1997 series La Femme Nikita, via JWZ.