CyberWire Daily - APT32 activity reported. Florentine Banker’s patient BEC. iOS zero-days exploited in the wild. Sinkholing a cryptomining botnet. Intelligence services and gangs follow the news.
Episode Date: April 23, 2020
Someone, probably Vietnam, is trying to develop intelligence on China's experience with the coronavirus. Florentine Banker is an example of well-organized crime. iOS zero-days have been exploited in the wild; a fix is promised. A cryptomining botnet is sinkholed. And intelligence services and criminals are tuning their phishbait to current events, as they always do. Malek Ben Salem from Accenture on encrypted DNS; our guest is Russ Mohr with MobileIron on why the applications that excite us about 5G are the same applications that warrant the most concern. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_23.html Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Someone, probably Vietnam, is trying to develop intelligence on China's experience with the coronavirus.
Florentine Banker is an example of well-organized crime.
iOS Zero Days have been exploited in the wild.
A crypto mining botnet is sinkholed.
Malek Ben Salem from Accenture Labs on encrypted DNS.
Our guest is Russ Mohr from MobileIron on why the applications that excite us about 5G
are the same applications that warrant the most concern.
And intelligence services and criminals are tuning their phishbait to current events, as they always do.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 23, 2020.
FireEye yesterday published a report describing their conclusion that APT32, a threat actor associated with the Vietnamese government,
was engaged in intrusion campaigns designed to collect intelligence
from Chinese targets concerning the pandemic.
The researchers say they found spear phishing messages sent to China's Ministry of Emergency Management and the government of Wuhan, where the pandemic is generally regarded as having begun.
Vietnam has denied involvement in cyber espionage against Chinese organizations involved in controlling the COVID-19 virus.
Reuters says Hanoi today dismissed the accusations as baseless.
In fairness to Hanoi, and with all due respect to the plausible and implausible deniability intelligence services prize so greatly,
it does seem hard to fault any government for trying to figure out
just what in the world actually has been going on in Wuhan for the last few months.
Check Point has identified a gang they call Florentine Banker
that's involved in sophisticated theft from selected banks,
mostly investment houses.
The campaign is patient, does careful reconnaissance,
begins with spear phishing, and ends with wire fraud.
It's not so much organized crime as it is extremely well-organized crime.
The targeted firms are British and Israeli organizations, and they all use Microsoft Office 365 as their main email provider.
The operation proceeded in six stages.
First, obtain email credentials through spear phishing.
Second, observe the victim: read their emails to understand how the organization transfers money, what its relationships are with customers, banks, lawyers, and accountants, and what the key roles are within the organization. Check Point says this stage can take months.
Next, control and isolate. The attackers do this by creating mailbox rules that divert mail with interesting content to folders the Florentine Banker is monitoring and that the compromised individual isn't paying much attention to.
The fourth stage is to set up lookalike domains and begin using them to conduct email conversations.
The mark is likely to miss the small change in the domain name.
The next step is to ask for money, either by intercepting legitimate wire transfers
or generating new, entirely fraudulent ones.
And then, finally, the gang monitors the conversation and troubleshoots any problems until the funds are in their account.
Check Point doesn't know where the Florentine Banker gang is located, but the bank accounts they use seem to have been either in the UK or Hong Kong.
For the most part, they seem to speak English.
The researchers observe that the criminals don't speak Hebrew.
If they did, they wouldn't have missed out on some of the opportunities that appeared in that language.
Researchers at the digital forensics shop ZecOps reported yesterday that they'd discovered two iOS zero-days that were undergoing active exploitation in the wild.
Vice says the researchers think it likely that those doing the exploitation may be working on behalf of a nation-state and that they might have been purchased from an exploit broker.
Quote, "It's someone who's spending budgets on buying exploits, but they don't really have the technical capabilities to change those exploits for better OPSEC."
Apple declined to comment to Reuters on ZecOps' research, but did say that the vulnerabilities would be closed in the next release of iOS.
ESET has taken down and sinkholed the command and control servers for the VictoryGate cryptomining botnet.
Some 35,000 machines are thought to have been infected, ZDNet reports.
Google's Threat Analysis Group has a report on how nation-states are using COVID-19 as phishbait.
TAG says it's tracked over a dozen government threat groups phishing with coronavirus lures.
The goal of the attackers has been either delivery of malware packages or credential harvesting.
Many of the targets were U.S. government employees.
These were often baited with bogus offers of free fast food,
presented as a generous gesture from various hospitality chains.
These attempts were, on the whole, indiscriminate mass-mailed spam,
interesting in part because of what they suggest about hostile intelligence services' views of what interests and motivates American civil servants.
Burgers and fries, mostly.
TAG doesn't offer any attribution of these phishing expeditions,
but they do identify two threat groups by name,
both of which are prospecting international health organizations,
including the WHO, the UN's World Health Organization.
These are Charming Kitten, associated with Iran,
and Packrat, a South American group whose sponsorship is less clear.
Charming Kitten has been sending emails that spoof WHO as the sender.
Packrat has been running bogus WHO pages.
Google doesn't see this trend as representing an increase in the amount of state-run operations.
It's a shift in tactics and choice of bait, not a significant increase in operational tempo.
We continue our exploration of the benefits and potential unintended consequences of the transition to 5G mobile technology.
Russ Mohr is with security and compliance firm MobileIron, and he makes his case for why the applications that excite us about 5G are the same applications that could warrant the most concern.
I think for the majority of people, what they understand is it's an order of magnitude faster than 4G.
It's great, you could download videos quicker, but there's also a lot of other benefits to 5G.
And one of them that we commonly talk about is smart cities.
So when we have a really high density of devices that are connecting, like when you're running an electrical grid, when you have traffic lights, when you have gas and water services and things that cities tend to run, there can be a lot of devices connecting to those networks.
So they handle density very well.
And that's a technology called massive machine-type communications, or mMTC.
So you can connect a lot more devices than you can on a traditional 4G network when you're using 5G.
The other thing that's really interesting about 5G is the latency.
So we can bring latency right down to about one millisecond of delay.
That's really important if you are running self-driving cars or drones or you have an autonomously guided vehicle that needs to stop very quickly, like, let's say, within 20 milliseconds.
So you can actually carve out networks that have very low latency with 5G that allow you to run applications that just weren't possible in the past.
So what are some of the areas of concern, then?
Well, there are many, right? Like, first of all, I mentioned we're going to be running vehicles and drones, and we might be doing things like telemedicine with 5G.
And so the applications become much more crucial, much more dangerous if they actually don't function the way that they're supposed to.
So you can imagine that if a hacker were able to infiltrate a 5G network that was running drones and repurpose those drones to do something else, that could be dangerous.
Or if they were able to penetrate a smart city and get into the grid and, you know, turn all the red traffic lights green or, you know, get into the water supply and turn it off or, you know, shut off the electricity.
Those things can be, you know, really very serious.
So it's actually taking ransomware to the very next level, right? It's not just holding our data, but it's also holding our infrastructure at ransom.
So I think that because it's so risky, we really need to have an approach that's going to allow us to operate in this new environment.
And it's not the traditional approach that we've been taking.
5G is critical infrastructure.
Our usage is going up a lot. So Verizon published a report saying that, I think in the middle of March, they had a 75% spike in usage. That's Verizon. I mean, I guess that's like 100 million customers, 50 million customers, something like that.
And then it went up again the next week. And then it went up again the week after, and people are doing things that require a lot of bandwidth, like gaming or Zoom sessions that eat up a lot of bandwidth.
And so 5G becomes really important because if we're not connected right now, it's dangerous.
That's Russ Mohr from MobileIron.
Cyber criminals are showing a similar shift in tactics.
According to Fifth Domain, the FBI says it's received more than 3,600 complaints about COVID-19-themed scams.
Threatpost reports a study by Forcepoint in which the security company's researchers evaluated three months of coronavirus-related cybercrime and determined that criminals in the aggregate have reached a peak of 1.5 million malicious emails a day.
Palo Alto Networks' Unit 42 has been tracking this trend, and their findings are entirely consistent with what one might expect.
Their report says, quote, "The traditional malice abusing coronavirus trends includes domains hosting malware, phishing sites, fraudulent sites, malvertising, crypto mining, and black hat search engine optimization for improving search rankings of unethical websites," end quote.
The specific content of the come-ons also varies with news.
As emergency assistance to businesses becomes available in many countries,
criminals will bait their appeals with references to such government aid.
IBM's X-Force has studied the ways in which criminals are exploiting small business awareness of and concerns about stimulus relief packages.
Several of their findings strike us as particularly noteworthy.
First, more than half of those responding to IBM's survey said they would engage with an email related to their eligibility for stimulus relief.
The recently unemployed are even more likely to do so. About two-thirds said they would engage.
A great many small business owners said they were unsure of how to process applications for relief, and the uncertainty would tend to render them vulnerable to phishing emails that purport to guide them through the process.
So, expect familiar crime dressed up in COVID-19 garb.
And joining me once again is Malek Ben Salem. She's the Americas cybersecurity R&D lead for Accenture.
Malek, it's always great to have you back. I wanted to get your take today on encrypted DNS. It's been a hot topic lately, and I wanted to see where you stand on things.
Yeah, as you know, Dave, there has been this public debate over encrypted DNS and how to encrypt DNS. The question is not whether DNS should be encrypted or not.
I guess all parties agree that DNS traffic needs to get encrypted.
But the question is how to do that.
And the options we have are using DNS over HTTPS or using it over TLS, the Transport Layer Security protocol.
As a reminder, DNS traffic consists of the network queries that translate human-friendly domain names into server IP addresses.
When you type a URL in your browser, the browser asks the nearest DNS server for the IP address associated with that domain name.
And currently, that query is sent in plain text.
So security administrators are able to tell which sites users are visiting. That also means that these queries can be intercepted. So you can get the wrong answer back from an adversary.
So it actually makes sense that these DNS queries get encrypted,
both from a security perspective, but also from a privacy perspective.
Now the question is, how to do it? So with the DNS over HTTPS approach, that gives you good privacy, right? First of all, it gets done by default. You know, in the settings of your browser, the browser can just, you know, encrypt all traffic, whether it's DNS, whether it's HTTPS traffic, everything gets encrypted. As a user, you don't necessarily have to do anything.
And this is the approach that has been taken by Google, for instance. Google is encrypting all DNS lookups in the Chrome browser.
The other approach, the DNS over TLS approach, which cable companies and telecom industry groups and ISPs are arguing for, emphasizes security. And it gives the network operators more control to decide, you know, what's the DNS server and which traffic goes further beyond their DNS server or which sites can be blocked.
From a usability standpoint, users won't notice any difference with either approach. But from the perspective of network administrators, the DNS over TLS approach puts security first against privacy.
If you had to choose, would you choose that one?
As a user or as a network administrator?
Well, let's start with the professional side. As a network administrator, which one would you prefer?
So I think what I would advocate for is DNS over TLS. And I would let the user get more control, right? Have them, first of all, decide, go for TLS, but also decide which DNS server they want to use.
The problem with DNS over HTTPS, obviously it gives the user perfect privacy because everything gets encrypted. You can't even tell that the traffic is DNS traffic.
As a network administrator looking at that traffic, you can't even know that there is DNS traffic going on, right?
Because it's all encrypted.
So that gives the users, the end users, perfect privacy.
But on the other hand, if you think about this,
this is also a war about who gets that user data.
So, you know, if Google is encrypting all traffic over HTTPS,
it's getting all of those DNS queries.
Same thing, Firefox, if it's encrypting that traffic,
it's making Cloudflare get all of that data.
If you're doing the TLS way, you know, those ISPs are getting some of that data. So that data is not just delivered to one entity.
And so the fight is more, it's not really about users' experience and how easy it is. It's more about accessing the user data. And that's why for me as a professional, I would love to have the user have more control and decide where their data should go.
All right. Well, it's an interesting one. We'll have to see how it plays out. Malek Ben Salem, thanks for joining us.
Thank you, Dave. My pleasure.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.