Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.

August 16, 2018

Welcome to Codebook, the cybersecurity newsletter that hasn't trusted Iceland since Mighty Ducks 2.

Tips? Feel free to reply to this email.

1 big botnet: Banks are target of massive new attack

Image: Schneider-Photographie via Getty Images

The massive Necurs botnet shifted its focus from consumer spam to tunneling into banking networks early Wednesday morning, according to a new report by Cofense. The botnet had first shown hints of the change in July, but the full pivot toward banks used slightly refined tactics.

Why it matters: The FBI warned banks last week that they should be on the look out for a large ATM cashout scheme. It's not clear this is what the FBI was referring to. But, it is worth noting that hackers have often bolstered thefts at ATMs by first hacking a bank to increase withdrawal limits on accounts.

The background: Necurs is a network of six million computers (by a 2017 estimate) hacked to follow commands. Like many botnets, its primary use is to send spam, though none can compete with its scale – 60% of spam from botnets comes from Necurs. So, when the network shifted from spamming advertisements for cheap pharmaceuticals and penny stocks to targeting phishing emails at bank employees at 7 am Wednesday, it was not a change its controllers would have taken without expecting a massive reward from the operation.

In July, security firm Trend Micro flagged two developments concerning banks and Necurs.

  • Somebody was emailing PDF files infected with malware that would download the "FlawedAmmyy" remote access program. FlawedAmmy is associated with the Necurs botnet. About half these targets were banks.
  • Necurs instructed all of the computers it had hacked to check if they were either on the networks of either banks or credit card processors.

The new campaign: As Axios reported yesterday, Cofense infects its own computers with botnet malware to keep tabs on what the botnets are doing. "Until yesterday, we were seeing subjects like '67% off pills.' This morning at 7 am, it entirely changed to subjects like 'Payment advice,' said Aaron Higbee, chief technology officer at Cofense.

  • Necurs had been sending emails to any address it could get its hands on. Now the emails were targeted to specific employees of 2700 different banks.
  • Cofense checked the LinkedIn pages of some of the would be victims that its computers received commands to target, and found that the emails appeared to be based on current rosters of bank employees.
  • The phishing emails contained a Microsoft Publisher file laced with malicious code using a technique known as a macro. Usually, macros are used with Excel and Word files. "In all our time doing this, we've never seen a '.pub' [publisher] file used this way before," Higbee said.
  • The .pub file installs "FlawedAmmyy."

What they're saying: "It is likely the broad spam campaign was not producing the results and returns they were looking for, so they decided to shift to a targeted approach with a different payload,” said Jon Clay, Trend Micro director of global threat communications via email.

The FBI has not responded to requests for comment.

2. A secure communications flub cost the CIA its Chinese network

A mistake in the way the CIA handled secure communications may have allowed China to identify and kill many of the agency's operatives in 2010, Foreign Policy's Zach Dorfman reports.

What happened? The CIA used a two-tier system to talk to its operatives that was supposed to be segmented so that someone who found access to one network couldn't access the other one. But, in the colorful language of one FP intelligence source, the CIA "fucked up the firewall.”

What they're saying: “You could tell the Chinese weren’t guessing. The Ministry of State Security [which handles both foreign intelligence and domestic security] were always pulling in the right people,” another official told FP.

The fallout: It's unclear how China obtained access to either side of the CIA's communications apparatus. But it appears China set up a task force to burrow into the communications networks to out spies.

3. Trump reverses Obama's cyber attack policy

The Wall Street Journal's Dustin Volz is reporting that President Trump formally relaxed Obama-era rules about launching cyber attacks.

Why it matters: Trump, per the Journal, signed an order Wednesday to cut back on a thorough deliberative process required before the United States launches an offensive cyber operation. The Obama policy had created too many bureaucratic hurdles for the U.S. forces, cyber hawks argue. (You are free to use that as a band name.)

But, but, but: It's unclear what policies will replace the Obama process, leading many to worry that replacing too many hurdles with no hurdles may cause more harm than good.

4. DEF CON hotel's room checks irked some, terrified others

Photo: Getty Images

Caesar's Palace's security policy during DEF CON may have irreversibly alienated the hacker community from the venue.

The policy, in place since January, allowed security checks for hotel rooms without maid service for more than 24 hours. But the hotel did a poor job communicating the policy to guests and conducted the searches with none of the delicacy the situation would call for.

The details: The policy is part of increased vigilance in Las Vegas following a terrorist attack at the Mandalay Bay hotel and casino last year.

Why it matters to attendees: DEF CON is a community-minded conference of people trying to protect the security and privacy of other people. The cavalier nature of the searches was antithetical to both.

Why it should matter to Caesar's: DEF CON is under contract to hold the event at Caesar's properties for the near future. But attendees aren't under contract to stay at Caesar's hotels.

5. Odds and ends

We'll be back on Tuesday.