CyberWire Daily - ActionSpy Android spyware deployed against Uyghurs in Tibet. Anonymous claims an action against Atlanta PD. Security vendor or malware purveyor? Spelling counts.

Episode Date: June 15, 2020

A new Android spyware tool is deployed against China’s Uyghur minority. Anonymous claims it disrupted the Atlanta Police Department’s website yesterday to protest a police shooting. An apparently legitimate security firm has apparently been selling malware to criminals. Breachstortion joins sextortion as a criminal tactic. Craig Williams from Cisco Talos on Astaroth, an information-stealer that has been targeting Brazil. Our own Rick Howard on risk assessments. And why spelling always counts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/115

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. A new Android spyware tool is deployed against China's Uyghur minority. Anonymous claims it disrupted the Atlanta Police Department's website yesterday to protest a police shooting. An apparently legitimate security firm has apparently been selling malware to criminals. Breachstortion joined sextortion as a criminal tactic. Craig Williams from Cisco Talos on Astaroth, an information stealer that's been
Starting point is 00:02:20 targeting Brazil. Our own Rick Howard on risk assessments, and why spelling always counts. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 15, 2020. Trend Micro is tracking a new campaign by Earth Empusa, also known as Poison Carp, a group believed to be linked to the Chinese government, against Uyghurs in Tibet. The campaign uses a new strain of Android spyware, ActionSpy, modularized and typically distributed in watering hole attacks. ActionSpy has also been used against a travel agency in Taiwan and political and media organizations in Turkey. The Muslim Uyghur minority in China has long been a target of domestic surveillance. The Atlanta Journal-Constitution reports that Atlanta police websites were briefly down yesterday. Tweets purporting to be from Anonymous claimed responsibility for the outage,
Starting point is 00:03:23 which they called a response to Friday's fatal shooting of a man during an altercation. Quote, Anonymous has taken action against Atlanta PD for the execution of hashtag Rayshard Brooks. We call for the arrest of the two murderers. No more impunity. End quote. Rayshard Brooks was shot and killed by police during an attempted arrest. It's the latest hacking incident to accompany recent unrest in the U.S. As with other recent episodes connected with Anonymous, it's, first, difficult to attribute, and second, basically, nuisance-level vandalism. ZDNet reports that the Italian security firm CloudEye has been selling criminals malware.
Starting point is 00:04:06 The report is sourced to security firm Check Point, whose investigations of the malware dropper GuLoader eventually led it to CloudEye's anti-reverse engineering binary protection service. They connected CloudEye to a malware crypting service, DarkEye, and the associated GuLoader, which, as ZDNet says, had been heavily advertised on hacking exchanges since 2014. The same website, securitycode.eu, is involved with both DarkEye and CloudEye. In fact, it makes the connection explicit with this splash page. DarkEye evolved into CloudEye, says the page,
Starting point is 00:04:47 explaining that it's the next generation of Windows executables protection. Check Point's analysis found that CloudEye and GuLoader code were the same, barring some irrelevant applied code randomization. So the researchers' conclusion? Quote, CloudEye operations may look legal, but the service provided by CloudEye has been a common denominator in thousands of attacks over the past year, end quote.
Starting point is 00:05:12 ZDNet says that CloudEye has denounced Check Point's report and denied any involvement in crime, but there have been more calls for Italian authorities to investigate CloudEye and its founders in connection with aiding and abetting a criminal operation and money laundering. CloudEye has apparently, ZDNet says, shut down in the wake of the report. Who were the customers? According to Check Point, they were threat actors with no deep technical knowledge, interested in using commodity malware they picked up in the criminal-to-criminal market. Organizations are receiving extortion notes that claim, falsely, to have installed info-stealing ransomware,
Starting point is 00:05:55 and that if they're not paid, they'll destroy the victim's sites and release sensitive data online. There's no ransomware. The threats are similar to the sextortion notes that claim, falsely, to have access to discreditable browser histories and webcam videos. Naked Security calls it breach-stortion, equally indiscriminate and equally full of empty threats. It might be marginally harder to recognize than sextortion, but an organization would know, one would generally think,
Starting point is 00:06:22 if it had suffered a ransomware infestation, because they'd noticed that they could no longer access their data. But actually, the hoods aren't claiming to have encrypted the victim's data. They just say they've stolen it. How? According to their message, like this, quote, we have hacked your website and extracted your databases. How did this happen? Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability, we were able to get your database credentials and extract your entire database and move the information to an offshore server.
Starting point is 00:06:55 So maybe they have the data and maybe they don't. But absent the kind of evidence serious crooks normally provide, usually a small sample of the stolen material posted to establish that they've really got something, it's probably smarter to dismiss the threat as empty. Bleeping Computer says the notes themselves are unusually well-written without the eccentric usage one normally sees, so they're missing one of the customary tells that so often betray the bogus impostures used in social engineering. We've looked at some of the samples published, and while the spelling, grammar, and usage are standard, the style is atrocious, hackneyed, breathless, and too much like something you'd read in cheap crime fiction. Phooey to them all. And finally, there's another case in which bad spelling doesn't betray criminal intent.
Starting point is 00:07:46 According to Krebs on Security, PrivNotes.com has been impersonating the legitimate PrivNote.com free messaging service. The bogus site is fishing for Bitcoin by substituting the criminal's Bitcoin address for any such address it detects in communications. Bleeping Computer notes that the campaign combines cyber-squatting and phishing. Specifically, it's typo-squatting. The criminal's URL is just one character off from the legitimate site, and it's just taken a singular to an innocent-looking plural.
Starting point is 00:08:17 So remember, kids, spelling always counts. And I'm pleased to be joined once again by our own CyberWire chief analyst, Rick Howard. Rick, always great to have you back. We're going to have another preview of your CSO Perspectives podcast. And this week, you're talking about risk. Yeah, and how do we calculate risk? And this has been a stumbling block for most of my peers
Starting point is 00:08:54 since I've been doing this some 25 years. And I got to tell you, Dave, it is really about our fear of probability and statistics. Do you remember taking that class back in college? Oh boy. Yeah. You know what I remember most about it is how counterintuitive so much of it is. Yeah, that's the way it was for me too. I barely got through that class by the skin of my teeth, and I definitely didn't understand it. And as I've been in the industry, you know, understand it. And as I've been in the industry, you know, we have tried to calculate risk based on what we tried to learn, okay, in that probability and stats course. And let me tell you, there's a
Starting point is 00:09:32 reason that most of us are IT guys and not math guys, right? Because math is hard. And we try to do risk assessments by calculating probabilities based on what we learned in that class. And it's essentially, you have to be able to count things, right? Count the things that have happened and then divide it by the number of times it could have happened. And that sounds really simple, but in cybersecurity, the variables are vast and we don't even know where to start. And what really is true is our perception of what probability is is completely wrong. And we need to expand what we think it could be.
Starting point is 00:10:12 There is a great scientist out in California. His name is Dr. Ron Howard. And he invented decision analysis theory back in the 60s. And he has a whole different perception of what probability is. It's really a measurement, or it could be a measurement, of what we know about a certain situation. And when you think of probability in that way, okay, it kind of expands how we think about it. So I'll give you an example. Yeah. Right. What we really want to do is figure out what the probability is of a material impact by a cyber event in our
Starting point is 00:10:47 organization in, say, the next three years. And what I usually do when I make those calculations is I whip out my qualitative risk heat map chart and give it three categories, high, medium, or low, which is not very precise. But with a probability assigned it, you might say there's a 4% chance that our organization will be materially impacted in the next three years. And that might be a swag, but it is definitely more precise about what you know about your security infrastructure. How much of this is kind of that old thing from the Jurassic Park movie, you know, the butterfly flapping its wings and we get rain instead of snow. Like, can things spin out of control really quickly when you're doing these sorts of calculations? Well, I think the thing
Starting point is 00:11:36 to remember here is that everything we do in a risk calculation is a model. And all models are wrong, but some are useful. Okay, so... Some are less wrong than others. Exactly right. Okay. So we're going to talk about how to do really simple models to get a kind of a baseline of what your risk is. And then later on in the series, you know, we'll talk about it and get more complex, but we'll try to ease your way into it and get over your fear of what probability and stats are.
Starting point is 00:12:05 All right. Well, do check it out. It's Rick Howard's CSO Perspectives podcast. It is over on CyberWire Pro. Check it out at thecyberwire.com. Rick, always great to talk to you. Thank you, sir. Calling all sellers.
Starting point is 00:12:23 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:13:07 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, Thank you. off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:14:14 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:40 And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, always great to have you back. You and your team have some interesting research you wanted to share here. This is about an information stealer you all have been tracking? Yeah, so this one's called Astaroth. And basically, it's an information-stealing Trojan that has a somewhat unique profile because it's targeting people in Brazil. And the reason this one really popped up on our radar is because it's one of the vast array of malware using COVID-19 lures right now.
Starting point is 00:15:19 Well, take us through some of the details here. What brought it to your attention? Well, there's a lot of obfuscation and anti-analysis involved. It was actually pretty challenging to reverse. You know, we had to rely on Talos's reverse engineering team. You know, those folks are top notch. And, you know, when we have samples that evasive, we typically expect that they're doing something bad, which let's take for a moment and just think about this, because I think this is worth noting as well. A lot of bad guys will make their malware
Starting point is 00:15:50 supervasive, thinking that makes it undetectable in their mind. But let's look at the reality of the situation. There really isn't much benign software, if any, that is hacked and obfuscated to that extent. So the sheer fact that they've tried to obfuscate the program flow, which is super obvious, is enough for us to say, yeah, it's up to something bad. You generally don't want that
Starting point is 00:16:17 running on your system. We don't really even have to know what it does. So I always think that's funny. People go to these great links to obfuscate the program flow when, you know, you can simply check to see if that's happened. And if it has, is it one of like, you know, a handful of known good things that do that and attempt to like protect their IP or something silly? And chances are it's not. And it's a bad guy. And they've done something super obvious and attempts to be sneaky. It's like trying to rob a bank with a strobe light on. Well, I mean, is there a flip side to that? Have you guys run into situations where people try to hide in plain sight?
Starting point is 00:16:55 Absolutely, right? I mean, that's incredibly common as well, right? That goes back to these fake invoice scams or lots of email-based scams where they pretend to be a friend. And even in this one, there were lots of fake COVID-19 lures attempting to be real information. There was lots of invoice scam type of stuff going on. And if you flip through the blog post, you'll see examples of some of those.
Starting point is 00:17:18 But at the end of the day, what the attacker is trying to do is use an initial vector that should look legitimate, right? And the user's tricked into clicking on that through curiosity or whatever. And that's really the COVID-19 angle here, right? It's important people realize from a cybersecurity perspective, the COVID-19 pandemic has really put one single target on the entire human race, right? Every single person on earth is susceptible to COVID-19 information. They want to know more. They're scared.
Starting point is 00:17:52 They don't understand what's happening. And so if you make an empty promise like that, people will click on it. And the bad guys are aware of this. They've realized it. And so we've seen a massive shift across basically all malware families and even APT actors towards COVID lures because the effectiveness rate is just through the roof. In the time we have, is there anything technically that stands out to you?
Starting point is 00:18:18 Anything they've been doing under the hood here that's noteworthy? Well, the C2 mechanism is pretty unique. They basically are using YouTube as a way to have a covert channel for C2 that's probably going to be one that isn't inspected. If you look at the way that most businesses try to reduce inspection through their security devices or through their firewall or whatever,
Starting point is 00:18:43 they try to identify sites that they can effectively whitelist. And so if you can use something like PaySpin or YouTube or any website that allows the user to use data, I think last year one was even using Reddit, that's a way to potentially bypass that inspection for nefarious purposes. So yeah, at the end of the day, this is not that rare of a piece of malware, but the fact that it's using COVID-19 lures, incredibly evasive techniques are all quite suspicious.
Starting point is 00:19:15 And so it's definitely one we took note of. All right. Well, the blog post is titled Astaroth: Maze of Obfuscation and Evasion Reveals Dark Stealer. That is on the Talos blog from Cisco. Craig Williams, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, data and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:20:23 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:20:51 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:21:51 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
