CyberWire Daily - Android vulnerability exploited in the wild. Careless spycraft. The Eye on the Nile. A new Chinese threat actor. A spoiling attack in the CryptoWars. Take election interference, please.

Episode Date: October 4, 2019

Project Zero warns that a use-after-free vulnerability in widely used Android devices is being exploited in the wild. Uzbekistan’s National Security Service continues to get stick in the court of public opinion for sloppy opsec. Check Point reports on what appears to be an Egyptian domestic surveillance operation. Palo Alto reports on a newly discovered Chinese state threat actor. A new volley in the Cryptowars. And Vlad gets out the rubber chicken. Guest is Paige Schaffer, CEO of Generali Global Assistance’s Identity and Digital Protection Services Global Unit, on the University of Texas ITAP report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_04.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Project Zero warns that a use-after-free vulnerability in widely used Android devices is being exploited in the wild. Uzbekistan's National Security Service continues to get stick in the court of public opinion for sloppy OPSEC.
Starting point is 00:02:10 Check Point reports on what appears to be an Egyptian domestic surveillance operation. Palo Alto reports on a newly discovered Chinese state threat actor. A new volley in the crypto wars. And Vlad gets out the rubber chicken. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 4th, 2019. Google's Project Zero has determined that at least 18 widely used Android devices are vulnerable to exploitation of a use-after-free condition, and that this vulnerability is being exploited in the wild. It's a local privilege exploitation vulnerability
Starting point is 00:02:51 that exposes susceptible devices to full takeover. Ars Technica points out that there are two ways in which the vulnerability could be triggered. A user could install a malicious app, or the attacker could combine the exploit with a second one that takes advantage of an issue in the code the Chrome browser uses to render content. Ars Technica also cites Google as pointing to either Herzliya-based NSO Group or some of its customers as the actors behind the attacks, but NSO Group has said that the whole affair has nothing whatsoever to do with them, and their reply to Ars Technica is worth quoting in its entirety,
Starting point is 00:03:28 quote, NSO did not sell and will never sell exploits or vulnerabilities. This exploit has nothing to do with NSO. Our work is focused on the development of products designed to help licensed intelligence and law enforcement agencies save lives, end quote. The October Android update is expected to address the issue. Watch for it in the next few days.
Starting point is 00:03:51 Uzbekistan's National Security Service, whose cyber espionage tools were blown in the course of testing them against Kaspersky security software, is being credited with developing its own malware, possibly because none of the lawful intercept companies out there are willing to sell to them. But that assessment may be premature. Kaspersky thinks that the Uzbek service, now named after its totem animal SandCat, was in fact buying tools from a vendor which they name as Tel Aviv-based Candiru, which specializes in developing and selling lawful intercept tools for Windows systems. Their wares, Forbes reports, have been found in use before by both Saudi and Emirati intelligence services.
Starting point is 00:04:34 It may be time for Candiru, if they were indeed selling to SandCat, to consider firing the customer. Sloppy customers are bad customers, Kaspersky researcher Brian Bartholomew told Forbes. That's as true of the cyber sector as it is of the hospitality industry. Selling exploits to Uzbekistan, where the customer proceeded to set up a test machine exposed to the internet with an IP address of military unit 02616, is a little like the Holiday Inn renting rooms to the Who. As happened, as a matter of fact, in Flint, Michigan back in 1967. The Flint Chamber of Commerce is still talking about it, or so we've heard. Check Point has linked a domestic surveillance effort to Egyptian intelligence services. The campaign used spyware embedded in security apps, that is, apps that advertised themselves as offering security enhancements, but which in fact contained spyware.
Starting point is 00:05:30 The apps were made available in Google's Play Store and included SecureMail, a Gmail extension that promised security but which in fact socially engineered people into providing credentials; iLoud200%, a smart storage solution that freed up space on your phone and also sent location info to external servers; and IndexY, a caller ID service that collected and reported users' call logs. Check Point calls it the Eye on the Nile and says that the targets were carefully selected, hand-picked political and social activists, high-profile journalists, and members of non-profit organizations in Egypt. They don't exactly attribute the activity to the Egyptian government, but they do note that whoever's behind the Eye on the Nile speaks Arabic, is familiar with the Egyptian ecosystem, and is most interested in
Starting point is 00:06:21 domestic Egyptian targets. But the Register and others are happy to connect the dots and call the operation for Cairo. Palo Alto Networks has published an adversary playbook for PKPLUG, a recently identified Chinese state espionage actor that's concerned itself with domestic surveillance of Uyghurs and international espionage directed against countries opposed to Belt and Road. The group is behind the HenBox Android malware distributed through third-party app stores. Cabinet members in the U.S., the U.K., and Australia have jointly asked Facebook to hold off on plans to implement end-to-end encryption. BuzzFeed yesterday obtained a copy of a letter U.S. Attorney General Barr,
Starting point is 00:07:06 U.K. Home Security Secretary Patel, Australian Home Affairs Minister Dutton, and acting U.S. Homeland Security Secretary McAleenan were to publish today. The open letter, which ZDNet says will be issued in conjunction with announcement of a new data-sharing agreement among the three countries, specifically asks that the social network not make it impossible for authorities to legally access content related to child sexual exploitation and abuse, terrorism, and foreign interference in democratic institutions. The letter is framed as a response to Facebook's Privacy First initiative. The officials write, quote, We support strong encryption, which is used by billions of people every day for services such as banking, commerce, and communications.
Starting point is 00:07:50 We also respect promises made by technology companies to protect users' data, end quote. But they go on to remind Facebook that they also have a responsibility to protect people from various forms of harm that can be detected or stopped if the authorities can read the traffic when they need to do so. They are looking, they write, for balance with privacy and security on one side and public safety on the other. Specifically, they ask Facebook to do these things. First, embed public safety into their system designs. Second, enable lawful access to content,
Starting point is 00:08:27 third, consult with governments on the matter, and fourth, not implement the changes proposed under Privacy First until Facebook has ensured it can maintain the safety of its users. Facebook is clearly in a tough position, under pressure from both sides of the privacy-security balance. And finally, it was evidently open mic night at Russian Energy Week. President Vladimir Putin did a little improv about American concerns over election interference. When asked about Russian meddling in U.S. elections, Vladimir Vladimirovich said, in an appropriate stage whisper, I'll tell you a secret. Yes, we'll definitely do it. Just don't tell anyone.
Starting point is 00:09:10 Oh, the guy kills it, doesn't he? Be sure to catch his act if you happen by the chuckle hut in the Arbat. Come to think of it, we think it's just around the corner from the Burger King. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:09:45 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done
Starting point is 00:10:35 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:11:26 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, welcome back. We wanted to touch on threat hunting today. Why don't we start off: what is threat hunting, and what is it not? So threat hunting is looking for adversaries that are already present within your network or endpoints. Enterprises today are spending money on things like antivirus and firewalls and intrusion detection and prevention systems for their network. But what do you do if any of that fails?
Starting point is 00:12:16 It really only takes a couple systems for an adversary to move around or to subvert, and then they're in and persistent within your environment. And so what threat hunting is, is the constant and continuous searching for basically two things, Dave. Number one, it's looking for the anomalous. So it's looking for things that don't smell quite right, but it could be a new patch that has changed that registry key, or a new program that has shown up. Suspicious being someone logging in directly into a Linux system using a root login instead of logging in as a user and then becoming superuser. So
Starting point is 00:13:12 threat hunting is really looking for the things that are misplaced or shouldn't be there. So is this an expensive thing to spin up within an organization? When do you know when it's time to activate this process? Well, I think all enterprises of sufficient size, meaning really in the SMB market, I think threat hunting is going to be too spendy to do it yourself. I think that most managed service providers or managed detection and response providers should be supplying that for the SMB market. But for the larger enterprises that are managing their own infrastructure, it should absolutely be a part of their cyber defense program.
Starting point is 00:13:52 The barrier to entry to threat hunting is there's simply not enough people in the industry today in order to not only run the threat hunt program, but develop the threat hunt program. Many of my clients are struggling with saying, okay, I know we need to do threat hunting and I kind of have some people to do it, but what do I do? And really, there have been some vendors out there, they are automating their EDR systems in order to codify things like the MITRE ATT&CK matrix and putting that in their agent or in their software so that human beings don't have to remember every little nitpicky thing that MITRE's ATT&CK matrix presupposes. And so with that automation, it still gives our threat hunters a leg up in order to find the anomalous and the suspicious.
Starting point is 00:14:45 So what's your advice? So what's the best way for someone to get started? The best advice here is to bring in a trusted third party, hopefully one that has a threat hunt methodology in order to give to the threat hunters. In my experience, or at least in the old days, the old days being several years ago, threat hunting was just merely hiring a bunch of smart infosec people and throwing them against a problem saying, go find evil, go find the anomalous and the suspicious. And that hasn't been working at scale. So I think number one is to settle on a threat hunting methodology.
Starting point is 00:15:26 Ours, the one that we've developed amongst my team, is what we call Intel-driven hypothesis-based threat hunting methodology. But there's a lot of other types of methodologies out there that are just as good. The second step, Dave, would be focusing on a technology set that will support codifying things like the MITRE ATT&CK matrix into an EDR product. So not only do you have to have the people, the methodology, but you also have to have the tools
Starting point is 00:15:53 and the visibility amongst the endpoints and the networks in order to surface that telemetry and then to analyze it. So some of our customers utilize EDR products that send all their data back to a centralized source. Perhaps it's Splunk, perhaps it's their SIEM, perhaps it's the EDR console. And then they hunt within that environment in order to find those adversaries latent within the network and the endpoints. All right. As good information as always, Justin Harvey, thanks for joining us. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:16:46 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
Starting point is 00:17:03 can keep your company safe and compliant. My guest today is Paige Schaffer. She's CEO of Generali Global Assistance's Identity and Digital Protection Services Global Unit. Our topic today is the recently published University of Texas at Austin Identity Threat and Assessment Prediction, or ITAP, report. We've been involved with the University of Texas for the past several years, and I really don't think there's anyone like them that does, really from a research standpoint, looks at those relays for identity compromise and abuse in as many different ways as they can. So they just capture thousands of details, and they're really looking at the aggregation of the information to kind of trend risks and head them off at the pass, if you will.
Starting point is 00:18:03 Well, let's go through some of the key findings together. What were some of the things that caught your eye? One of the first things that kind of leapt out, which really shouldn't be a surprise, but that really 45% of identity compromise is from an inside threat. Now, that could mean a lot of things where companies are concerned, but, you know, it makes sense that employees have intimate knowledge of organization networks, their infrastructure, their practices. And so it's almost like it's too easy. And I, you know, unfortunately, there can be employee ignorance, which gives way to cyber threats.
Starting point is 00:18:47 So really just unwittingly giving access with unauthenticated users, folks clicking on attachments or opening up links that are malicious. Some are phishing emails. Some of it is not malicious intending to be by the employee. It's just kind of dumb luck and not being savvy to it. And much of that has to do with the type of culture that an organization establishes where cyber protection is concerned. And so if you've got a culture that puts cybersecurity at the forefront, then that company is going to be harder to penetrate and less vulnerable to all of the threats, including the ones inside. But if you don't have the mentality to kind of drive that culture, that cultural shift to kind of empowering a cyber secure organization, it's going to be tougher to
Starting point is 00:19:47 do. And it does strike me that it has been a bit of a shift that in years past, you know, the IT department, the security folks, you know, it was up to them to handle these sorts of things. And it was their responsibility. And it seems to me like this has shifted to being a company-wide responsibility these days. You know, it really is. It could be anything from, well, first of all, everything that we trade in is information. And so whether it's employees coming on board with human resource information on employees, whether it is client information that's out there selling to particular audiences. It's not only about kind of the technical cyber threat. It is about information security. So now, you know, you've started to see over the past couple of years, you have clear delineation between
Starting point is 00:20:41 kind of IT infrastructure and info security. And so you see more and more roles in larger companies that have huge divisions that are really looking after the information that they are responsible for. The other thing I thought that was interesting is, and also not surprising, is that almost 75% of the cases that have happened where identity theft is concerned, they are cyber vulnerability. So it is, folks are getting information online through computers, through software. And I think that there is a little bit of a delusion around folks that say, oh, well, I've got antivirus software. Well, antivirus software doesn't necessarily protect you from an identity theft. There were a few things in the report that were
Starting point is 00:21:32 really surprising to me. One of them was that the victims were most often college graduates. That's counterintuitive to me. It's true. Most are college graduates. And I would say that we have a large percentage of seniors that are victims as well. Identity theft thieves are going to make it easier for themselves. And I would say college graduates as well as seniors, if you look at the age range now, those college graduates today are very dialed into social media and all sorts of things on social media, whether it's Facebook, whether it's Snapchat, all of these things, they're engaging and sharing lots of information. And so putting that information out there makes it easier for identity thieves to kind of piece together a profile that whether
Starting point is 00:22:25 you have your birth date or graduation or where you're from, your address that you're sharing on a particular social media site, and then they go after credit card information or tie that with birth date, it just makes it easier. I think there's some different tactics that folks take with seniors in that they're maybe not as technically savvy, but they are a little, you know, if I think about my mother, who's very active on email and the web, quick to say, hey, this looks serious. Should I share this information? Now she's got a daughter that works in this business. So she's gotten better about saying, hey, I probably shouldn't do this. But there are a lot of folks that, quite frankly, thieves are savvy about and kind of scare
Starting point is 00:23:18 them into, well, if you don't do this, the latest was the IRS scam where we've got a warrant out for your arrest kind of thing. I think the other thing that was really kind of glaringly interesting in the study is when you think about all of the types of losses experienced by victims, financial loss, property loss, reputational damage, by far, it is emotional distress that's most frequently reported by victims. So over 80% ranging from medium to high levels of really, truly emotional trauma. So where almost 50% felt like they had a medium level of emotional distress, another 32% experience really high level of emotional stress. And this is in sync with, we also, Generali, we conducted a survey, a global cyber barometer
Starting point is 00:24:17 survey early this year in February, and over 82% of global respondents consider a cyber attack extremely stressful, and almost 50% of respondents wouldn't know how to fix their situation if they were compromised. So again, really another reason why full service resolution services are important, and really knowing what next steps to take so you can alleviate some of that stress. Again, I would kind of hammer home how important it is that organizations are really working towards a culture that embodies cyber safety. And those that don't will just increasingly fall further behind as those criminals get more and more sophisticated. So I would say for these market sectors, we see an opportunity to leverage today's age of data
Starting point is 00:25:13 breaches and the need for information security by really providing their members, customers, employees with identity protection services. They can really differentiate themselves while also creating a culture of information security from within, and we see that to be a win-win. That's Paige Schaffer. She's CEO of Generali Global Assistance's Identity and Digital Protection Services Global Unit, and we were discussing the University of Texas ITAP report. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:26:07 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thank you. back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:27:04 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
