CyberWire Daily - ARCHER incident. Contact tracing smishing. Malware vs. air gaps. A surcharge for deletion. Anti-creepware. 5G coronavirus delusions.
Episode Date: May 14, 2020
ARCHER goes offline after a security incident. Scammers smish victims with bogus contact-tracing messages. Ramsay malware goes after air-gapped systems. Ako ransomware now places a surcharge on deletion of stolen data. Google boots creepware apps with the help of the CreepRank algorithm. Johannes Ullrich explains that when it comes to malicious binaries bypassing anti-malware filters, size matters. Our guest is Pat Craven, Director of the Center for Cyber Safety and Education, on the security of social media apps. And kooky 5G conspiracists go after cell towers in the US. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/93
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
ARCHER goes offline after a security incident.
Suspicions of espionage against COVID-19 research.
Scammers smish victims with bogus contact tracing messages.
Ramsay malware goes after air-gapped systems.
Ako ransomware now places a surcharge on deletion of stolen data.
Google boots creepware apps with the help of the CreepRank algorithm.
Johannes Ullrich explains that when it comes to malicious binaries bypassing anti-malware filters, size matters.
Our guest is Pat Craven, Director of the Center for Cyber Safety and Education on the security of social media apps.
And kooky 5G conspiracists go after cell towers in the U.S.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, May 14, 2020.
The UK-based ARCHER academic supercomputing system has sustained what the network calls a security exploitation that led its administrators to rewrite passwords and SSH keys.
They also took ARCHER offline while the incident was investigated, The Register reports.
ARCHER's managers have warned that computers in Europe may also be affected and that users should not expect access to be restored before tomorrow at the earliest.
The Register says that knowledgeable speculation points out that ARCHER is an obvious resource for research work by computational biologists, as well as those modeling the potential further spread of the novel coronavirus, which also makes it an obvious target for espionage.
Yesterday's joint statement by the U.S. FBI and CISA warning that Chinese intelligence services are engaged in a far-reaching campaign to collect against COVID-19 research has elicited the foreseeable response from officials in the People's Republic.
"It's slander," Reuters quotes a foreign ministry spokesman as saying. Spokesman Zhao Lijian also said that any interference with research ought to be condemned.
The joint warning is interesting for the way the Bureau and CISA connect espionage with damage to the research itself.
Quote, "The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options." End quote.
So the risk appears to be more than the usual competitive threat to intellectual property that the U.S. has typically complained of in connection with Chinese espionage.
The NHSX-sponsored contact tracing app the scammers are mimicking is now undergoing a closed beta trial on the Isle of Wight.
Gizmodo says that the Isle's MP, Bob Seely, has offered a generally optimistic appraisal of how the app's doing. He notes that it's, quote, "throwing up lots of really good information," end quote.
Of course, it's only to be expected
that any application developed and deployed
under emergency conditions would experience problems,
and this one is no different.
Preliminary reports from users complain
that the app is a battery hog
and that the permissions it asks for are confusing.
Researchers who've looked at the system say that they've found other issues,
in particular problems with iOS-Android interoperability.
ESET has described Ramsay, an attack designed to exploit air-gapped computers.
It's not that Ramsay defeats air-gapping in some spooky or exotic way.
Instead, it concentrates on other infection vectors like removable media.
ZDNet says that Ramsay appears to collect Word, PDF, and ZIP documents in a hidden folder where they're staged for later exfiltration.
Few victims have so far been identified, which suggests to ESET that Ramsay remains in a relatively early stage of development.
There's no attribution, but Ramsay appears to share artifacts with DarkHotel's Retro malware.
Ransomware gangs routinely steal victims' data to gain additional leverage.
Bleeping Computer reports that one gang, the operators of Ako, are now also imposing a surcharge for deleting their copies of stolen files.
If you've got school-aged kids, chances are they are home from school these days, thanks to the COVID-19 shutdowns.
And if you're listening to this podcast, chances are those same kids have access to a variety of online social media services, which they are using to keep in touch with their friends and classmates during the shutdown.
And all that increased time spent online opens up the potential for bad things to happen.
Pat Craven is director of the Center for Cyber Safety and Education.
What's amazing, Dave, is that it's possible for our kids to actually spend more time online.
You know, who thought that was going to be the situation? And now, practically by law, they're supposed to be spending more time online. And so it's just,
it's ramped up tremendously, all the challenges from a safety standpoint with our children and
what they're doing. And parents are working from home and they're busy and they're trying to teach
kids in homeschool and there's less, even less supervision than we had just months ago.
So it's been a pretty fascinating thing and a pretty dangerous.
The kids are utilizing, and adults as well,
we're utilizing different apps, different ways to connect
and to be social with people and try to have fun.
And there comes risks with all of that.
What about, you know, as people have had to go home and start doing their work from home
and using their home networks for business uses, what's the concern of your kids having
some of these apps on their devices on a network that's shared with the work you're doing for
business?
Well, that's a great point.
And something we try to really stress with people is that,
yes, you're now sitting at home
and you're working on potentially confidential materials
for the office.
And you're on that same network, on that same Wi-Fi
that the kids are out exploring the internet with.
And that opens you up to so many more vulnerabilities
that we don't think about,
that we think of everything being separate, but they're all running through that same router, through that same Wi-Fi.
And any kind of breach could come back and actually get into you, into your laptop, and then you eventually even send a document that could be corrupted to somebody in accounting.
And it just, the line goes down and down.
So it's something that we really have to think about tremendously.
Is it reasonable to do occasional audits of these devices to go through and just check through the apps and see what permissions have been granted and just do a little reality check there?
Absolutely. Even if you've done it at the beginning, if you've gone in and set it to private or that they can't just have anybody part of the conversation, that it's friends only, go back and check that.
There's constant updates to these apps. And also too, of course, the child might switch something thinking they're making it better and easier to use, and then they have allowed more vulnerabilities.
So it is.
It is something that we need to do with all of the different platforms
that the kids are on or even ourselves.
Again, we're using all these different apps for social stuff or for work even
to make sure that our settings haven't been changed or adjusted
or a new update came down that
set things back to default. So we have to make sure of that.
That's Pat Craven from the Center for Cyber Safety and Education.
According to ZDNet, Google has used an algorithm, CreepRank, developed by a university-industry team to identify 813 creepware apps for removal from the Play Store.
Creepware is similar to spyware or stalkerware, only generally less aggressive.
ZDNet explains that it's used to stalk, harass, defraud, or threaten another person, directly or indirectly.
And finally, the Luddites and weirdos who've been trashing cell towers in the UK, Belgium, and the Netherlands because they've heard that 5G causes coronavirus have inspired their conspiracy-minded soulmates in the States to take similar action, and all we can do is wonder why it took everybody so long.
There have now been incidents reported in the U.S., and the Washington Post says the U.S. Department of Homeland Security is working on an advisory and a plan to help telcos protect their equipment.
The Post mentions disinformation in their coverage, but this seems likelier to be a case of misinformation.
It also provides a discouraging case study of rumor convergence: the strange bedfellows passionate commitment to a cause can make, the reach of influencers, and the sad futility of much rumor control.
One wonders how much the use of "virus" for both a class of pathogen and a kind of malware has contributed to the popular mania.
The Post quotes Eric Van Rongen
of the International Commission
on Non-Ionizing Radiation Protection
as saying, quote,
it is physically impossible
that electromagnetic fields
transfer particles like viruses,
end quote.
Needless to say,
the activists whacking cell towers
know better.
Of course, it stands to reason
viruses could travel that way.
Do your own research, sheeple.
And so on.
Some of the attacks, sources say, may have been acts of ecotage,
taking opportunistic advantage of the pandemic to damage counter-to-nature infrastructure.
And there's been no shortage of celebrity influencers sharing the dope that 5G causes COVID-19.
The British light welterweight boxer and philanthropist Amir Khan, the singer Anne-Marie, responsible for Ciao Adios and Rockabye, among other hits, and the actor Woody Harrelson, known for Cheers and Zombieland, have been particularly mentioned in dispatches.
For our part, we're going with Mr. Van Rongen over Mr. Harrelson.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich.
He's the Dean of Research at the SANS Technology Institute.
He's also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
Something you all have been tracking
is the use of very large malicious binaries
to bypass some anti-malware filters.
What's going on here?
Yes, so when you're looking at most malware, it's relatively compact.
It's this little basic macro or something like this that then downloads maybe some other little bit of malware.
But we're often talking about a couple megabytes only.
Now, what we ran into was a malicious binary that actually was a few hundred megabytes in size.
And everyone was wondering why.
Why would a hacker bother with this?
Because that's going to get stuck in mail filters, for example.
Most mail systems will not deal with binaries like this.
Now, this was downloaded via HTTP, but even then, often large downloads like this fail.
But the advantage of these large downloads is that a lot of anti-malware systems have essentially an upper limit to what's the largest piece of binary software they're going to inspect.
And they're probably going to bypass that limit by essentially just, in this case,
adding some kids' drawings to the binary.
Right, just some junk to just bulk up the size of the file.
Yeah, like what happened in this case was we pulled it out.
It looked like kids' drawings could be, well, maybe the malware author wasn't really the greatest artist,
but some scribbles, some faces you could make out and such.
But that's basically what made up the bulk of this binary.
And of course, any kind of NML, they're looking just at that additional code,
but probably not considered malicious.
And that wasn't really the malicious part.
The malicious part was the usual malware code,
I think a download or something like this
that was attached there.
It reminds me of just in day-to-day use
of things like Google Drive.
If you have a file that you're storing there
and you want to download it,
if it's larger than a certain size,
Google Drive will pop up and say,
hey, this is too large for our usual virus scan.
Do you want to grab it anyway?
And, well, yeah, I want to grab it anyway.
I need that file.
Yeah, and there's definitely another option.
It's not that you can say, hey, it's large.
Let me wait a couple minutes until you scan it.
That's not an option here.
It's really just, do you want to get work done
or do you not want to get work done?
That's sort of how that dialogue really looks to the user.
Yeah, do you feel lucky?
Yeah.
Which is, I guess, ironic coming from Google.
Yeah, and of course, Google is a trusted site in some ways.
So you consider this more like a document coming from Google in this case versus something coming from an untrusted source.
Yeah.
Now, they were not only using large malicious binaries, but you were also seeing corrupt documents as well.
Yeah, that's the other thing we saw. And that's really an issue that keeps popping up,
not just with malware, but also network traffic,
that software has gotten pretty good in dealing with corrupt documents.
Like I was joking when I talked about sort of web applications.
It's pretty much unknown that someone has sort of a
completely standard compliant HTML page.
They always do something weird and tricky.
Here was a Word document that sort of started with a newline character.
And it turns out certain versions of Word just ignore that newline character.
And it will nicely display the document, which was malicious in this case.
But some of the scanning tools, well, they say, hey, this is not malicious.
This is an invalid document.
I don't really bother scanning it. And they may even have problems parsing the document
because of these additional characters.
Oh, that's interesting. So the anti-malware software lacks the sophistication that the native software has
to deal with a document that's out of spec.
Correct. And since this also depends on the exact version of Word you're running,
this is something that one user may open and nothing happens because they're using an older
or newer version of Word, while another user that uses that version of Word that is able to open a
document will get infected. So this makes analysis of malware much more
difficult. Also, of course, if you're running, and that's sort of how we came across this,
if you're running a document in a sandbox, you often use a fairly specific version of
that just runs well in the sandbox, that you have sort of instrumented to work well
within the sandbox. If that version is not the same that your end users are running, then
of course you may miss attacks like this.
Right, right.
Alright, interesting stuff as always. Johannes Ullrich, thanks for joining us.
Thanks for having me.
Cyber threats are evolving every
second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep
your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.