CyberWire Daily - A Chinese cyberespionage campaign is active against Vietnamese targets. The European Commission acknowledges cyberattacks are under investigation. Data scraping. Bogus apps. Molerats are dudes.
Episode Date: April 7, 2021. Goblin Panda's upped its game in recent attacks on Vietnamese government targets. The EU is investigating cyberattacks against a number of its organizations. Scraped LinkedIn data is being sold in a hackers' forum. Facebook talks about the causes of its recent data incident. New Android malware poses as a Netflix app. Joe Carrigan shares comments from the new head of the NCSC. Our guest is Fang Yu from DataVisor with highlights from their Digital Fraud Trends Report. And the Molerats are using voice-changers to phish for IDF personnel. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/66
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K.
Goblin Panda's upped its game in recent attacks on Vietnamese government targets.
The EU is investigating cyber attacks against a number of its organizations.
Scraped LinkedIn data is being sold in a hackers' forum.
Facebook talks about the causes of its recent data incident.
A new Android malware poses as a Netflix app.
Joe Carrigan shares comments from the new head of the NCSC.
Our guest is Fang Yu
from DataVisor with highlights from their
digital fraud trends report.
And the Molerats are using voice changers to phish for IDF personnel.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 7th, 2021.
Kaspersky researchers describe a new and, in their view, sophisticated remote-access Trojan being used in a Chinese cyber-espionage campaign against the Vietnamese military and other government targets.
Threatpost reports that the malware used, called FoundCore, is unusually evasive and that it's associated with the Cycldek threat actor, also known as APT27 or Goblin Panda.
That specific attribution is tentative, but the RAT itself, Kaspersky says, constitutes a significant step up in terms of sophistication for this sort of activity, adding that the toolchain presented here was willfully split into a series of interdependent components that function together as a whole.
The researchers also caution against assuming that the group's focus on Vietnamese targets means that no one else needs to be concerned with it.
As the report concludes, quote,
Experience shows that regional threat actors sometimes widen their area of activity as their operational capabilities increase, and that tactics or tools are vastly shared across distinct actors or intrusion sets that target different regions.
Today, we see a group focused on Southeast Asia taking a major leap forward.
Tomorrow, they may decide they're ready to take on the whole world.
According to Bloomberg, several European Union bodies came under cyber attack last week.
Who precisely was affected is unclear, as is the threat actor responsible,
but a European Commission representative said that thus far no major information breach was detected.
The incident remains under investigation.
Onapsis and SAP have warned of a campaign actively taking advantage of vulnerabilities in SAP mission-critical software. SAP has issued patches for all of these, and users are advised to take prompt action.
Data allegedly scraped from some 500,000 LinkedIn profiles is being offered for sale in a hacking forum, with two million records displayed as confirmation that the sellers have the goods they say they do, CyberNews reports. It's unclear whether the data is newly obtained or simply represents an aggregation of material from past breaches.
In other data-scraping news,
Facebook has published a commentary on the recent dump of its users' data.
Menlo Park wants to make it clear that its systems weren't compromised,
but rather that the data now offered for free were obtained through scraping.
Their explanation reads, in part, quote,
We believe the data in question was scraped from people's Facebook profiles by malicious actors using our contact importer prior to September 2019. This feature was designed to help people easily find their friends to connect with on our services using their contact lists. When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users. Through the previous functionality, they were able to query a set of user profiles and obtain a limited set of information about those users included in their public profiles. The information did not include financial information, health information, or passwords. End quote.
Check Point describes Android malware that misrepresents itself as a Netflix content enabler, FlixOnline. It's distributed via malicious auto-replies to incoming WhatsApp messages, and once installed, enables the attacker to distribute phishing attacks, spread false information, or steal credentials and data from users' WhatsApp accounts. Why would you install FlixOnline? To watch TV, obviously.
But the hoods sweetened the deal with a social engineering come-on.
Quote, Two months of Netflix Premium Free at no cost for reason of quarantine.
Coronavirus.
Get two months of Netflix Premium Free anywhere in the world for 60 days.
Get it now, here.
With a link provided, naturally.
Once installed, the malware asks for three permissions. First, overlay, which allows it to create new windows on top of other applications. Check Point explains that this is usually requested by malware to create fake login screens for other apps with the aim of stealing victims' credentials. Second, ignore battery optimizations, which keeps the malware running when it would otherwise be shut down as idle by the device's battery-saving routine. And finally, it asks for notification access, specifically the Notification Listener Service. This is valuable because it enables actors to automatically perform actions, including dismissing and replying to messages.
Check Point explains, quote, If these permissions are granted, the malware then has everything it needs to start distributing its malicious payloads and responding to incoming WhatsApp messages with auto-generated replies. Theoretically, through these auto-generated replies, a hacker can steal data, cause business interruptions on work-related chat groups, and even extortion by sending sensitive data to all the user's contacts. End quote.
And finally, the Molerats are back and seem to have upped their game a bit as they continue to catfish for Israeli military personnel. The Molerats are also known as the Gaza Hackers Team, Gaza Cybergang, DustySky, Extreme Jackal, or Moonlight.
Researchers at Cado Security say that the Palestinian-associated group, which they accord a middling grade for sophistication, is using voice-changing software in social engineering calls, during which they pose as women seeking to approach Israel Defense Forces personnel. As Cado points out, the known members of the Molerats are all actually men. So, IDF, a pro tip: the women you think you are talking to are probably really dudes. Not that there's anything wrong with that. Some of us around here are dudes too,
but you should probably kick the tires
on that virtual relationship
before things get out of hand.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora Thank you. ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The team at anti-fraud security firm DataVisor recently published their Digital Fraud Trends Report.
Fang Yu is CTO and co-founder of DataVisor.
Yeah, so at DataVisor, we globally protect 4 billion user accounts, and we protect a lot of large institutions from various fraud attacks.
And we produce a fraud report every year. So this fraud report is especially interesting because it covers the period of a pandemic, which is actually new to us. So we actually provide quite some interesting insights from the behavior change of both fraudsters and normal users during the pandemic period.
What sort of advice do you have for folks to best protect themselves against this?
So if you look at the fraud trend, right, the providers in financial institutions,
I think the fraudsters are coming back in high attack waves.
So I think the message is that it is true that the fraud went down quite a bit
during the pandemic period,
but now it's actually coming back.
For the e-commerce, et cetera, and the social platforms,
we see a spike last year,
and I expect to continue to see that.
And then one of the things we are seeing from the fraud trend
is that the fraud is actually going more and more sophisticated.
And then especially in terms of the two areas, one is account takeover.
So we see 79 to 90% of the financial fraud attacks are originated or associated with account takeovers.
So account takeover is especially hard for like a remote, right?
Everybody now is actually remote, not actually going to the branch, going online, etc.
So everyone needs to be very, very careful with their customer's account not being taken over.
The second advice I would give
is actually pay very much attention to the attacks from mobile.
Although the mobile fraud rate is still much, much lower
than the fraud rate from desktop, for example.
The fraud rate from the mobile platform is only 0.5
versus the fraud rate from desktop is 7.4.
But that percentage is actually going up.
And I also want to emphasize that the fraud rate
from the mobile platforms are usually those
very, very sophisticated ones
because to conduct a desktop attack,
it's actually much easier,
you can actually have a program.
But for an attack from mobile,
you need to root the device.
You can jailbreak.
You can hook and put something there.
But it's actually very, very powerful.
Many people think the mobile device is very low fraud.
They actually let it through with less screening.
But once an attacker actually finds ways
to how to attack from mobile,
they can quickly
spin up many,
many different devices. They can put emulators,
they can put things. So the
attack width can be much bigger because
nobody is actually very prepared
for that.
That's Fang Yu from DataVisor.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
A couple of articles over on ZDNet.
These are written by Danny Palmer.
And he's been tracking the fact that over in the UK,
the NCSC has a new sheriff in town to mix national metaphors, I suppose.
Who do we have here, Joe?
Dave, her name is Lindy Cameron, and she is the new CEO of the National Cyber Security Centre.
And the article that caught my eye here was hacked companies.
This is the headline.
Hacked companies had backup plans, but they didn't print them out before the attack. Hmm. Yeah. Oops. Yep. This is something I've said multiple times, I believe on this show and possibly over on Hacking Humans.
But you know, when you go through the trouble of making a business continuity plan and a recovery plan, and you think, let's think about what's going to happen if we get hit by ransomware. Well, we've got the plan. It's all right here.
But if you don't have that printed out, it's going to be encrypted when you get hit with a ransomware attack. Right. Have it in a binder on a shelf. Right. The paperless office is a myth. It's never going to happen. We're going to need to keep paper because it's really hard to hack paper. One of the things that people say is you can't Google paper, which is true. You really can't run a search engine on paper without first turning it back into a digital medium, which is really an unnecessary step. But it is a critical step if your data is destroyed or damaged.
Yeah. And that needs to be addressed. One of the things, she has a quote in here: I've talked to organizations which have walked in on Monday morning to find they can't turn their computers on. The backup plan was not printed out, so they couldn't find a phone number.
Right. If you're doing business continuity planning,
you should have a telephone tree
for your business continuity plan
printed out and put on a shelf somewhere.
This is actually something I've taken part in years ago.
Actually, before I was involved in, before I made a career shift to cybersecurity organizations,
I was involved in working on business continuity plans with the company. And one of the things that we did was develop a phone tree list and print that list out. And the reason we were thinking about that wasn't so much for ransomware, because this was back in the early 2000s, but it was for a natural disaster, right? It's still the same problem.
You've lost access to your systems because they're gone.
They don't physically exist anymore.
So you need to have a way to access that information.
And the only way that we could come up with, and the most cost-effective way, is just print it out.
Print it out and keep a copy of it.
Yeah.
I would add, too, that don't count on your corporate phone system to be working, right? That's right. I mean, that could be part of the ransomware grab or in case of a natural disaster or something like that. Have people's personal mobile phone numbers as part of that tree as well.
Yeah, that's an absolutely excellent suggestion, Dave. You're 100% correct, because your corporate phone system is probably computer system based now. And it is just as easy to bring that down as it is to take your network of servers down.
One of the things that's interesting, a good quote from Ms. Cameron here is, there is no doubt that organizations that have experienced, and by that she means a ransomware attack, have a much more visceral sense of what it feels like to experience a ransomware attack or a cyber attack, and therefore they're better prepared.
I'm reminded of a child that touches a hot pan, right? When your kids were young, you'd say,
don't touch the hot pan, don't touch the hot pan, but they had to touch the hot pan at some point in time. Right.
I distinctly remember this as a kid. When I did this, I could tell you exactly where it happened.
It was at a Roy Rogers in Olney. And there was a sign that said hot. And I was like, well,
let's see what happens. And I was very young and sure enough, burned my finger. Right. I,
I tell a great
story about my daughter with this, but you know what? I don't go around touching hot things
anymore. Neither does my daughter, neither does any kid that's ever touched something hot. They
learn that lesson. And this is exactly the same thing. The people who have been through these
cybersecurity attacks, they have an absolutely clear understanding of how bad it is. So they
prepare for it to protect themselves.
And boardrooms that haven't been through this are probably less prepared. I think this is a
great observation on her part. Yeah. They also point out that the NCSC has some tools that they
offer up. One of them is called exercise in a box. That's right. That's a great idea.
Yeah. And I think we've covered this as well, that you need to practice like you play, to use that old sports metaphor. These tabletop exercises, these simulations, that is going to put you in a much better place than just reading through the plan, to actually go through and say,
to have someone there and say, okay, none of the phones work.
Now what are you going to do?
Right.
You know, okay, you know, you can't access these files.
Now what are you going to do?
Okay, the press is calling.
What's your response going to be?
How quickly you're going to, you know, so to feel that heat, right?
Yes.
That's going to put you in a much better place.
Those kind of exercises are absolutely invaluable. And not only that, but you can
actually do, you can hold these exercises like annually or semi-annually, or maybe even quarterly
if you like, to make sure that your team that has to handle this is prepared. The exercises take
less than a day. Everybody can come together. I think it pays dividends in the future.
But you can also just do on a weekly basis. We've talked about this before,
grab a newspaper, look at one of the cybersecurity headlines and go, what do we do if this happens to
us? And just have people think about it weekly, you know, make sure that people are aware and
in that mindset so that when things happen, they at least have the neural pathways already in place to understand what's going on.
Yeah, yeah.
All right, well, a couple articles over on ZDNet written by Danny Palmer,
so do check those out if you're interested.
Joe Carrigan, thanks for joining us.
It's my pleasure. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Put a little distance between yourself and the crowd.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.