CyberWire Daily - Active ICS threats. TrickBot and TrickMo. RCE vulnerability in Windows. Google ejects click-fraud malware infested apps from Play. Attackers hit WHO, hospitals, and biomedical research.
Episode Date: March 24, 2020
WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of RCE vulnerability in the way Windows renders fonts. Click fraud malware found in children's apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. More COVID-19 phishbait. Ben Yelin from UMD CHHS on coronavirus-detecting cameras; guest is Allan Liska from Recorded Future on security in the time of coronavirus. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_24.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
WildPressure APT targets industrial systems in the Middle East.
ICS attack tools show increasing commodification.
TrickMo works against secure banking.
Microsoft warns of RCE vulnerability in the way Windows renders fonts.
Click fraud malware's been found in children's apps sold in Google Play.
Dark Hotel attacks the World Health Organization.
Ransomware hits Parisian hospitals and a British biomedical research firm.
And more COVID-19 phishbait.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, March 24, 2020.
Researchers at security firm Kaspersky summarize the activity of WildPressure,
a previously unknown advanced persistent threat active against industrial targets in the Middle East.
Kaspersky doesn't attribute WildPressure to any nation-state,
but it notes that the group distributes a C++ Trojan researchers call Milum.
It's unclear whether WildPressure's goals extend farther than espionage.
It's apparently been active in its present form since this past August.
FireEye's Mandiant division has warned about the ongoing proliferation of commodity industrial control system attack tools.
The developers of the tools, which of course lower barriers to entry for attackers and raise the risk to enterprises,
work to make their malware as widely applicable as they can,
vendor-agnostic when possible and, where not,
then tailored to the most widely used ICS systems.
Siemens is the most heavily targeted.
By FireEye's estimation, some 60% of vendor-specific tools were built with Siemens in mind.
Products from Schneider Electric, GE, ABB, Digi International,
Rockwell Automation, and Wind River Systems are also mentioned in dispatches.
The targeting follows market share in the parts of the world
of greatest interest to attackers.
IBM X-Force researchers are describing what they call
a relatively sophisticated bit of Android malware being pushed by TrickBot.
They call the malware TrickMo and say that while it's been used against targets in Germany,
it appears to be still under active development.
It's a transaction authentication number stealer.
Transaction authentication numbers, TANs for short,
are in effect a one-time password used for multi-factor authentication,
and so TrickMo is designed to get around this useful security measure.
There are, of course, security measures in place to defeat TAN stealers, but TrickMo abuses
Android accessibility features to identify and control the dialog screens Android uses
to control permissions.
Microsoft issued an advisory yesterday
that cautioned against a remote code execution vulnerability
in the Adobe Type Manager library used by Windows.
Redmond classified the issue as critical
and says it's observed some limited exploitation in the wild.
They're working on a fix and expect to push it out
in next month's Patch Tuesday.
In the meantime, they recommend certain mitigations.
Two things users might consider are disabling the Preview pane and Details pane in Windows Explorer
and also disabling the Web Client service.
Researchers at security firm Check Point have identified 66 malicious apps in Google's Play Store.
They're infested with a strain of click fraud malware called Tekya.
The campaigns using Tekya are unusual in that they concentrate on apps designed for and marketed to children.
Google removed most of these after Check Point disclosed them,
but others were taken down by the criminal operators themselves once they realized the jig was up.
Allan Liska is a senior analyst at threat intelligence firm Recorded Future.
I spoke with him this week on the Recorded Future podcast
about some of the specific security challenges organizations are facing
in the midst of this global pandemic.
Here's a segment from our conversation.
Obviously, we know that attackers have ramped up their use of coronavirus
or COVID-19 themed lures in their email, and they've been highly successful with that.
I've read a statistic from DomainTools that one campaign in Italy they were tracking
got a 10% click-through rate,
which is unheard of for any sort of phishing lure.
And it's because people don't know what's going on.
They don't have enough information.
They're glued to their TV sets, and they're fascinated by this.
So if I am that person at my organization who is in charge of keeping things secure,
and suddenly I'm faced with a huge percentage of my workforce working from home, they are outside
of my firewall. They're outside the moat. I can no longer pull up the drawbridge.
How do I prioritize handling that shift? What sort of things should I be working on?
Normally, this is something that you'd have months or even a year to plan out and go on
and get implemented.
You've had to do this in a week.
There are going to be mistakes.
There are going to be holes.
There are going to be problems that people run through, and that is going to create other problems.
So obviously you'll have support problems because you'll have an overwhelmed support staff that is suddenly fielding 10, 20 times more calls than they normally do.
You'll also have employees that have trouble getting things set up.
And so they may try to do workarounds, which means you could expose sensitive data. So there's all
kinds of potential problems there. And then as with the COVID-19 example, because of all the
confusion and uncertainty, employees may actually be more likely to click on a phishing
email, especially one that purports to be from your IT team. Because right now you're probably
expecting a lot of communication from your IT team. And so you get an email that says VPN
instructions, open this Word document. So you open it and it turns out you've installed something malicious
on your desktop that now connects in. The best thing that you can do to sort of answer your
original question is have a very well-documented plan that's communicated as early as possible
and then have backup plans if those don't work. So in other words, send out to your newly minted workforce,
here are the steps you need to do to get connected.
Only follow advice that comes from this specific email address.
Don't ignore anything that is company name-support at gmail.com or anything like that.
So warn people that these may be coming.
So you do need to be adaptable in security and IT
right now. Understand the real world problems that people are having and give them the tools
they need to do their job and feel confident that they're doing it in a secure way.
That's Allan Liska from Recorded Future. You can check out the rest of our conversation
on the Recorded Future podcast, hosted by yours truly.
That's at recordedfuture.com slash podcast.
The World Health Organization has disclosed
that it was subjected to cyber attack
by the DarkHotel group, Reuters reports.
The attackers, who were after credentials,
were detected around March 13th,
and the WHO says the attack was unsuccessful.
It's not clear whom DarkHotel works for, but they have a long record of cyber espionage,
mostly against Russian and East Asian targets, but hitting many other countries as well.
There's been some musing over the years that DarkHotel may have some connection
with either Chinese or North Korean services, but that attribution is too circumstantial and speculative.
The group does show the kind of resources and patience
one normally associates with a nation-state intelligence agency,
especially since its goals seem to consist largely of espionage,
but in any case, the group's origins and masters remain,
as reports call them, shadowy.
Remember when the Maze, DoppelPaymer, and NetWalker ransomware gangs
told Bleeping Computer that healthcare targets were off-limits?
Yeah, well, we didn't believe it either.
It seems that the truth changes,
or perhaps there are other gangs out there less high-minded
than the public-spirited three.
L'Express says that France's CERT reported
that Paris hospitals sustained an inconvenient but unsuccessful ransomware attack Sunday.
The strain used against the Parisian targets hasn't been specified, but in another case it has.
Forbes reports that Hammersmith Medicines Research, a British firm standing by to help
test any COVID-19 vaccines that may be developed,
was the target of a Maze ransomware attack on March 14th.
It might be argued pedantically that the attack happened before Maze's promised good behavior on March 18th.
On the other hand, that good behavior, if it ever in fact materialized,
clearly doesn't extend to helping with decryption or relaxing extortion demands.
The Maze gang has continued to demand payment and, what's even more evident of bad faith,
has published to its dark web markets some of the data that it stole during the attack.
Thieves got a thief. No one should build any high hopes on criminals' promises.
This kind of nonsense, of course, represents a direct threat to public health,
but others haven't hesitated to use fear of the COVID-19 virus
as phishbait in the service of fraud or other illicit activity.
Researchers at security firm KnowBe4 call it a feeding frenzy,
as the cyber sharks sense coronavirus fear in the online waters.
Old familiar come-ons are back in use.
Bogus invoices, calendar invitations, purchase orders,
requests for proposals, and casual file sharing are all out there.
So do stay skeptical and stay safe.
And it's not just that the virus is providing the phishbait.
The conditions of relatively greater isolation that people are living under in many parts of the world also have a tendency to make them more susceptible to social engineering.
HelpNet Security summarizes research by the Better Business Bureau, the FINRA Investor Education Foundation, and the Stanford Center on Longevity that suggests isolation and loneliness contribute to anyone's vulnerability to manipulation by scammers.
So try to stay connected as safely as you can.
Pick up the phone, chat, exchange emails.
And of course, stay alert and stay healthy.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and
Homeland Security, also my co-host over on the Caveat podcast. Ben, over on Caveat you and I
have been discussing, as I think most podcasts are these days, the evolving situation with the
coronavirus, but we've been hitting specifically on some of the issues that deal
with civil liberties. You had an article that came by you wanted to draw attention to. This is about
a surveillance company deploying what they're calling coronavirus detecting cameras in the US.
What's going on here? Yeah, so this was an article from the motherboard page at Vice. It's about a
company called Athena Security. It's previously
sold systems to both public and private sector clients, where they claim to use artificial
intelligence to identify items in video feeds like knives and guns. So you can see, for example,
how that would be particularly useful at public venues, places like airports, theaters, etc. But
also could be very useful for the
government as well, including at government facilities. They are claiming now that they
have developed technology to use thermal imaging to measure whether people in a public place have
a fever. They are using this imaging to measure people's temperature, and they claim to be able to measure within a half degree of reality of that person's actual temperature.
And, you know, there are potential consequences to this technology.
A person goes out in public, they have a fever above, you know, whatever that 100.4 is that would indicate they potentially have the coronavirus.
And, you know, because this fever would indicate that they're positive, they might face some sort of quarantine and
isolation order. So there are certainly some civil liberties implications of this.
Yeah. How interesting how our perspectives can change when it comes to these sort of privacy issues when faced with
a legitimate emergency. Absolutely. You know, I heard yesterday in Maryland that they were going
to close down the locations where they measure vehicle emissions and might turn them into
drive-through testing centers. And I was ecstatic at that news. I thought it was an excellent idea.
We already have the infrastructure in place for cars to come by and for people, you know, to either take the coronavirus test or be screened for their
temperature. This is something that three or four weeks ago would have seemed absolutely outlandish.
You know, you could have thought of conspiracies about the government, you know, conducting a
mouth swab on every single person in the state and putting them into some sort of DNA database.
And that would have felt extremely scary. But, you know, we're living through particularly scary times. This is
a true pandemic, public health emergency. And at least my instant reaction to that news was not to
have any concerns about civil liberties, but was to be pleased that perhaps we could ramp up our
testing capabilities so that we could better identify who has this virus
and we could isolate those people
while allowing everybody else to return
to some semblance of normal life.
You know, it's interesting as the federal response has been,
I suppose, if I'm being generous, I could say slow,
that the states have really stepped up here. As a resident
of Maryland, it's been comforting to see that our governor, our leadership, they've been doing
everything within their power to step up. And I think that's something we're seeing nationwide.
That's interesting to me when we look at sort of, you know, the structure of our nation. You and I
have talked many times about how things sort of break out between the feds and the states.
And we're seeing that play out in real time here with this.
Yeah, it's quite an experiment in federalism.
States retain police powers.
So they've given up some of their powers to the federal government as part of Article I of our Constitution.
But everything else, those powers to protect the health, safety, and welfare of citizens, those powers are retained at the state level. And because
of that, states have very broad public health emergency powers. They can demand mandatory
quarantine and isolation. They can and have in many states shut down large businesses like bars and restaurants and casinos.
They can demand the closure of schools.
You know, in the state of Maryland, I know that the governor could even seize private property for public use if that public use was for some sort of public health emergency.
States are doing the best that they can, but there are some things that do require strong, robust federal action.
There's something called the Defense Production Act.
It is a Korean War era law where the government could actually compel companies to, you know, abandon whatever else they're manufacturing and focusing on producing, for example, N95 masks, surgical masks or testing kits for the COVID-19 virus.
And that's something that really can only be done at the federal level because it's only the federal government that has access to those resources.
Right, right. All right. Well, interesting insights as always. Ben Yelin, stay safe. Thanks for joining us. You too. Thanks.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios
of Data Tribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing Cyber Wire team
is Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Kerrigan,
Carol Terrio,
Ben Yelin,
Nick Volecki,
Gina Johnson,
Bennett Moe,
Chris Russell,
John Petrick,
Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.