CyberWire Daily - An espionage campaign succeeds without zero-days. Spam serves up old Office exploit. Disinformation makes it into YouTube. The Huawei Affair. Raytheon to be acquired.
Episode Date: June 10, 2019

MuddyWater shows renewed activity: no zero-days and no exotic malware, just clever approaches and determined social engineering. Spam is serving up payloads that exploit an old Microsoft Office vulnerability. Russian-sponsored disinformation has been romping freely through YouTube. Some back-and-forth over Huawei: Washington isn't relenting, but some relief for US companies may be forthcoming. And Beijing rumbles about retaliation. United Technologies has agreed to acquire Raytheon. Joe Carrigan from JHU ISI on Apple's newly announced secure sign-in service and its focus on privacy. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
MuddyWater shows renewed activity.
No zero days and no exotic malware,
just clever approaches and determined social engineering.
Spam is serving up payloads that exploit an old Microsoft Office vulnerability.
Russian-sponsored disinformation has been romping freely through YouTube.
Some back and forth over Huawei.
Washington isn't relenting, but some relief for U.S. companies may be forthcoming.
And United Technologies has agreed to acquire Raytheon.
From the CyberWire studios at DataTribe, I'm Dave Bittner,
with your CyberWire summary for Monday, June 10th, 2019.
Trend Micro, which increasingly seems to be playing Captain Ahab to Teron's White Whale,
but in a good way, has more on the MuddyWater actor: there has been a resurgence in activity by the threat campaign.
The latest round of phishing targets appears to have been in the Turkish government and Jordanian universities.
The approach in these cases involved the use of compromised credentials,
as opposed to the spoofed identities noticed in earlier rounds.
There are new technical developments in MuddyWater's activity, a new PowerShell-based
multi-stage backdoor, PowerStats version 3, and some new post-exploitation tools, for example.
But Trend Micro, in their closing summary, points out that MuddyWater seems to have
access to neither zero-days nor advanced malware,
yet it manages to compromise its targets and get the job done without needing either.
If zero-days are your bugaboo, don't overlook the threat that shifting and clever scheming can present.
MuddyWater doesn't.
Microsoft warned late Friday that a wave of spam is carrying malicious RTF files that exploit CVE-2017-11882,
a vulnerability in an older version of Microsoft Office's Equation Editor.
That this is worrisome news shows that many users continue to be laggards with respect to patching.
The vulnerability in question was fixed back in 2017.
All you need to do to be safe is make sure your software is up to date. Speaking of patches, tomorrow is Patch Tuesday,
and the industry expects the customary round of fixes from Microsoft and Adobe. Stay tuned.
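The Equation Editor lure described above is comparatively easy to triage on disk, because the RTF has to carry the OLE object embedding in the form Word expects. What follows is an added example, not code from the CyberWire, Microsoft or Trend Micro: it scans an RTF for the markers that identify an Equation Editor object (the vector CVE-2017-11882 abuses), namely the `Equation.3` / `Equation.2` progid in `\objclass` and in the OLE 1.0 header carried by `\objdata`, the Equation Editor CLSID, and the `\objupdate` control word that makes the object load as soon as the document opens. The two sample documents are constructed inline with a placeholder payload; they are not real lures, and the check is a triage heuristic, not proof of exploitation.

```python
"""Triage RTF documents for embedded Equation Editor objects, the OLE object
that CVE-2017-11882 abuses. Heuristic only: it does not parse MTEF or prove
exploitation, it flags files that deserve sandbox or AV attention."""
import binascii
import re
import struct

# Progids under which EQNEDT32.EXE objects are embedded; they appear both in
# \objclass and in the class-name field of the OLE 1.0 header inside \objdata.
EQNEDT_CLASS_NAMES = (b"Equation.3", b"Equation.2")
# CLSID {0002CE02-0000-0000-C000-000000000046} serialised little-endian,
# the form it takes inside OLE2 storages that may sit in the native data.
EQNEDT_CLSID_LE = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")

_OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")


def decode_objdata_blobs(rtf: bytes) -> list:
    """Return the binary payload of every \\*\\objdata group in the RTF."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Report Equation Editor indicators found in an RTF file's bytes."""
    indicators = []
    for cls in _OBJCLASS_RE.findall(rtf):
        if cls.startswith(b"Equation."):
            indicators.append("objclass " + cls.decode("ascii", "replace"))
    for i, blob in enumerate(decode_objdata_blobs(rtf)):
        for name in EQNEDT_CLASS_NAMES:
            if name in blob:
                indicators.append(f"objdata[{i}] OLE1 class {name.decode()}")
        if EQNEDT_CLSID_LE in blob:
            indicators.append(f"objdata[{i}] Equation Editor CLSID")
    # \objupdate forces the object to be updated (loaded) when the document
    # opens, which is how these lures fire without the user clicking anything.
    auto_trigger = b"\\objupdate" in rtf
    flagged = bool(indicators)
    return {"equation_editor_object": flagged,
            "auto_trigger": auto_trigger and flagged,
            "indicators": indicators}


def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded-object record, the format \\objdata carries."""
    return (struct.pack("<II", 0x00000501, 2)      # version, format = embedded
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)             # no topic / item name
            + struct.pack("<I", len(native)) + native)


def _rtf_with_object(progid: bytes, extra: bytes = b"") -> bytes:
    """Constructed sample document (not a real lure) embedding one object."""
    native = b"\x00" * 16   # placeholder: stands in for the object's own data
    blob = binascii.hexlify(_ole1_embedded(progid, native))
    return (b"{\\rtf1\\ansi\\deff0 Quarterly figures attached.\n"
            b"{\\object\\objemb" + extra + b"{\\*\\objclass " + progid + b"}\n"
            b"{\\*\\objdata " + blob[:40] + b"\n" + blob[40:] + b"}}}")


# Constructed samples: one Equation Editor embedding with the auto-trigger,
# one ordinary embedded Word document for comparison.
SUSPICIOUS_RTF = _rtf_with_object(b"Equation.3", extra=b"\\objupdate")
BENIGN_RTF = _rtf_with_object(b"Word.Document.8")

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(label, triage_rtf(doc))
```

Real samples routinely pad the `\objdata` hex with junk control words, split it across groups, or use `\bin` to carry raw bytes, so a regex like this will miss deliberately obfuscated files; for production triage, run a proper RTF object parser such as oletools' rtfobj, and treat this block as a statement of what to look for rather than a complete detector. None of this helps a machine that is still unpatched: the fix for CVE-2017-11882 has been available since 2017, and applying it removes the vulnerable Equation Editor rather than merely detecting lures.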
Russian-operated YouTube channels are freely spreading tabloidesque disinformation that successfully evades YouTube's content moderation.
NTV and Russia 24 were among the sources of stories that Reuters says
ranged from lurid accounts of, quote,
a U.S. politician covering up a human organ harvesting ring
to the economic collapse of Scandinavian countries, end quote.
There are a few things the Reuters story notes.
First, contrary to YouTube's stated policies,
the content was not labeled as state-sponsored.
It is now, but that's after some media-on-media nudging. And second, the 26 channels drew about 9 billion views
between January 2017 and December 2018, which is certainly
a respectable number of views and a dispiriting suggestion of the worldwide appetite for this
sort of thing. Finally, there was a commercial dimension to all those views. Omelas, the online
research firm that sourced the Reuters story, estimates that the Moscow baloney may have pulled in as much as $58 million from ads,
some of that from Western advertisers
who are innocently trying to reach a news-downloading audience.
What does that mean under standard YouTube ad revenue sharing rates?
The Russians would have got between $7 million and $32 million,
with between $6 million and $26 million going to YouTube itself.
From the Russian point of view, that's probably just gravy on the side of an information operations
main course, but still it's enough to keep a couple of decent-sized front businesses up and
running. A spokesperson for YouTube explained matters to Reuters as follows, quote,
We don't treat state-funded media channels differently than other channels when it comes to monetization,
as long as they comply with all of our other policies.
And we give users context for news-related content, including by labeling government-funded news sources.
End quote.
Reuters glosses this as saying that, quote,
YouTube said it welcomes governments in its revenue-sharing program and does not bar disinformation, end quote.
We mention this not to bash YouTube, but to offer a kind of reality check concerning the state of content moderation.
Social media platforms have been on a bit of an algorithmic high horse for the last couple of months about the content they would and would not tolerate
and the measures they put in place to clean the Internet's cognitive house.
Apparently, that high horse is shrinking a bit,
down from deplatforming to a promise of compliance plus context.
In fairness to social media,
they've been getting a fair bit of stick from various governments,
including the governments
of relatively free states, about the stuff they allow to transit their platforms. And it's also
true that content moderation is difficult, expensive, and quite possibly impossible to automate.
There's been some backing and filling over Huawei blacklisting since late last week.
It continued over the weekend. The GSM Association,
a major mobile communications industry group, estimates that the cost of ejecting Huawei from
5G infrastructure could cost EU mobile carriers perhaps as much as 52 billion euros and might
delay the fielding of 5G service by as much as 18 months. For their own part, U.S. tech companies, especially
semiconductor manufacturers, have expressed concern over the ban's hit on exports. This is,
in some circles, being pitched as a security matter, with the economic health of the export
market being tied to the economic health of the defense industrial base. Some of those companies
may have found sympathetic ears in both the Office
of Management and Budget and the Commerce Department, who have suggested that it might
be worth giving U.S. companies a bit more time to arrange coping mechanisms for the effects the
entity listing of Huawei will have on them. The Department of Defense hasn't softened its
own opinion of Huawei, nor has the U.S. let up on the diplomatic offensive
against Huawei, urging South Korea to take similar stock of the risk the Chinese device
manufacturer may pose to supply chains. Russia has taken notice, too, and has publicly aligned
itself with Huawei. This probably represents more of an opportunistic shot at the American main enemy
than it does any deep convergence of Sino-Russian strategic objectives.
China's government is warning tech companies,
specifically Microsoft, Dell, and Huawei,
of the consequences of cooperating with Washington
as opposed to Beijing in the Huawei affair.
Those consequences will be, Beijing points out,
very bad for their business indeed.
Not everyone got the memo.
Facebook won't be offering its products pre-installed in new Huawei phones.
And finally, Raytheon has agreed to be acquired by United Technologies.
The merged company will be the world's second-largest defense and aerospace integrator, behind only Boeing.
Raytheon will bring significant
cybersecurity capabilities to its new corporate parent, assuming they're retained once the
acquisition settles.

Joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Joe, it's great to have you back.
It's good to be back, Dave.
Apple recently announced at their Worldwide Developers Conference that they were going to be introducing a single sign-on option.
Right.
They're calling it Sign-In with Apple.
The folks over at Naked Security, Sophos' blog, have some coverage of that,
which is what you and I are looking at here right now.
Danny Bradbury wrote about.
What do you make of this?
Well, I'll tell you, I'm not a big fan of single sign-ons,
and the article talks a lot about Facebook and Google single sign-on.
Right.
Now, I have absolutely no reason to trust Facebook on anything
with their history and their mission statements, I guess.
Yeah, let me interject just quickly. I will shamefully admit that there was a time
years ago before I had seen the light with using a password manager and before I think
our opinions had turned on Facebook, before all the revelations that came out about what they
were doing with our data, I made use of Facebook single sign-on for several sites because it solved a problem.
Right.
It made things easier.
It does solve a problem and make things easier.
Yeah.
And the same with Google's.
I'm more inclined to trust Google, although Google still does have the privacy concerns
because they are essentially a free service, which means you're the product.
Right.
And now Apple's getting into the game.
My solution is I just use a password manager.
Yeah.
Right?
And I have a different account for everything, and it's much more difficult, or they have
to go through more math or whatever to align my accounts across multiple projects, right?
Right.
Or multiple websites.
If I just willingly give up that information by having a single sign-on with either Google
or Facebook,
that's just been something that's never appealed to me.
I just don't want them to know who I am from that perspective.
Right.
Now, the thing that Apple's doing here, though, is that they say they're coming at this from a privacy direction.
That's correct.
Apple's addressing this from a privacy direction.
And one of the things that they're doing is if your app in the App Store offers single sign-on for Facebook or Google, then you are required to offer the Apple option when it becomes available.
A little arm twisting there, perhaps?
A little arm twisting there.
Yeah, this is nothing new for Apple.
Apple's always been kind of dictatorial in their development process, which is one of the reasons I've not kind of liked
them. But I understand why they do it. They do it because their users are the priority.
And I have a genuine appreciation for that. And I like what Tim Cook is doing here. And I like the
idea that if you're going to offer single sign-on, then you have to offer the Apple single sign-on.
And then Apple's going to say, we're going to try to protect our customers' data.
Now, you're still faced with the same underlying problem.
You are trusting one entity with all your login information, right?
I'm not saying that this is a high-probability event, but if Apple gets compromised, a lot
of bad things can happen.
Yeah.
It's interesting.
They're allowing you to spin up randomly generated email addresses, disposable email addresses.
Disposable email addresses to sign up for these websites.
They are definitely going at this with a privacy-focused message, which appeals to me a lot.
If it weren't for all the other things I dislike about Apple, this kind of makes me want to go, hmm.
Can't help you. I could see the turmoil within you, Joe.
Right, yes.
I wonder if this could really be disruptive. I mean, Apple has a lot of devices out there.
They do. And by requiring folks to include this in their software.
They don't require you to include it in your software. They only require it if you
offer single sign-on from other vendors. Right, right. I wonder if there's enough incentive,
first of all, to get folks to switch over.
If you're already using Facebook or Google, chances are that's a bigger thing for you
to get someone to switch from something they're already using.
It's a bigger effort, I guess.
There's momentum there.
I think if Apple users see that it's available from Apple, they'll start using it.
Because Apple users generally tend to love Apple.
Yeah, that's true.
That's true.
Yeah.
Well, again, it's going to be
interesting to see how this plays out. I think there's the potential here for some disruption
in a good direction. Yeah. But I think it also points to this focus on privacy. I think there's
a recognition that people are hungry for this. Yeah. Yeah. And like I say with password managers,
you run the same risk with a password manager, to be fair. If you use one of the ones you pay for, or even the private one, those are all targeted
by malware.
And if those get compromised, they've got the keys to the kingdom.
Yeah.
So you're probably at the same risk that way for using Apple's single sign-on versus a
password manager.
But I just prefer using a password manager.
Mm-hmm.
Mm-hmm.
All right.
Well, we'll keep an eye on it.
It'll be interesting to see how it plays out.
Joe Carrigan, thanks for joining us. My pleasure, Dave.
And that's the CyberWire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.