CyberWire Daily - BlackWater snoops through the Middle East. TeamViewer hacked. Android app behaving badly. A misconfigured database with scraped Instagram data. Ransomware notes. Huawei updates.

Episode Date: May 21, 2019

BlackWater is snooping around the Middle East. It’s evasive, and it looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Android app is behaving badly. Another unsecured database is found hanging out on the Internet. There’s a free decryptor out for a strain of ransomware, but it won’t help Baltimore. And the market’s look at the Huawei ban. Craig Williams from Cisco Talos discusses honeypots on Elasticsearch. Guest is Dave Venable from Masergy on cyber vulnerabilities at the infrastructure level. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_21.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. BlackWater is snooping around the Middle East. It's evasive and looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Android app is behaving badly.
Starting point is 00:02:12 Another unsecured database is found hanging out on the internet. There's a free decryptor out for a strain of ransomware, but it won't help Baltimore. And the market's looking at the Huawei ban. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 21, 2019. Researchers at Cisco's Talos unit have released a report on the BlackWater cyber espionage campaign that's currently active in the Middle East. Talos associates BlackWater with the previously known persistent threat actor MuddyWater.
Starting point is 00:02:51 There's the usual ambiguity about whether BlackWater is to be regarded as a campaign or an actor. We'll follow Talos and call it a campaign. BlackWater seems to be unusually evasive. It's added, Talos says, three steps to MuddyWater's familiar pattern. First, it uses an obfuscated Visual Basic for Applications, that's VBA, script to establish persistence as a registry key. It then installs a PowerShell stager that's designed to look like a red-teaming tool, which will presumably induce many defenders to overlook it.
Starting point is 00:03:24 Finally, its communication, once installed, goes back to a different command and control server than the one used in the initial attack stages. Talos doesn't say who's behind either BlackWater or MuddyWater. Their purpose is to describe behavior and not to answer whodunit. But MuddyWater has for some time been attributed by MITRE and others to Iran. TeamViewer, the German firm that provides remote connectivity solutions to business customers, turns out to have indeed been compromised in 2016 and perhaps as early as 2014. Der Spiegel says the firm did not disclose the incident at the time because, in TeamViewer's
Starting point is 00:04:03 opinion, this was unnecessary, since the intrusion affected only its infrastructure as opposed to its customers. The attack is attributed to Chinese intelligence services, largely on the strength of the use of WinT malware, a backdoor trojan favored by Chinese government cyber operators since its introduction in 2009. It's thought that the threat actors responsible may have been APT-10, also known as Red Apollo or our favorite, Stone Panda, which is what CrowdStrike calls them, or APT-17, sometimes associated with the name Deputy Dog,
Starting point is 00:04:38 not to be confused with Deputy Dog, the Terry Toon's hero, who suppressed varmints misbehavior down in the swampland. APT-10 has often been linked with attacks on cloud service providers, APT-17 with incursions into supply chains. In any case, ZDNet reports, the tactics, techniques, and procedures look like those belonging to those two APTs. Winty malware is no stranger to German industry. It was found in attacks on both chemical and pharmaceutical giant Bayer and heavy manufacturer ThyssenKrupp.
Starting point is 00:05:11 As the 5G build-out continues to gain momentum, how it will ultimately affect the security of critical infrastructure has become a topic of concern. Dave Venable is vice president of security at security provider Masergy. I tend to think of it as anything from electrical power plants, the electric grid, communications infrastructure, things that society relies on to function in a normal way. We're not talking about some website or something like that, although a website certainly could be a part of infrastructure. But I typically think of it as the things that let that website exist in the first place. Those everyday things we've come to rely on, the power and water and all those sorts of things. Exactly. Or even, you know, telephone service or Internet connections at this point. And so what are the challenges that we're facing here
Starting point is 00:06:05 as the demand for those systems increases? One of the big issues today is that a lot of these systems were designed 50-plus years ago, and security was not really held in mind at that time. So when these things were being developed, it just assumed that if you had access that you were trustworthy. And as we know today, that's definitely not the case. Now,
Starting point is 00:06:32 there's been a lot of progress made in sort of segmenting these things and building up security around it in the last several years to where we're not typically facing problems at this level very often, although as you've seen with Baltimore, a lot of what would probably be termed as infrastructure there has been impacted recently. So what are we looking at in the future here? I see a lot of talk about how 5G is going to enable things when it comes to infrastructure. What's your take on that? 5G certainly will be a huge game changer and in a positive way. But we have to do it right. I mentioned a minute ago that a lot of these like industrial control systems and things like that were designed years before anyone was really thinking about real security. And today we have this fairly unique opportunity to build up a new infrastructure with a modern way of thinking about it.
Starting point is 00:07:35 I mean, as we've seen with the Huawei cases and some things like that recently, there's certainly a lot of potential for this to go in very, very negative ways. We just need to proceed with caution, I would say, and keep security and integrity and all of those things in mind throughout the process. As we're on the leading edge of this transition, what are your recommendations for people to prepare themselves from a security point of view? What are the best practices they should adopt? So one of the biggest things that you can do is enable multi-factor authentication. From a privacy point of view, that actually makes a huge impact. This is where you type in a password and then an app on your phone or something along that line provides a code that you then type in as well.
Starting point is 00:08:27 Now, that applies kind of ubiquitously across any infrastructure, but I always like throwing that out there. With looking at the future of 5G and big data and all of these concerns, there's unfortunately not a lot that the individual can do. Altering your habits to be essentially, the way I like to think of it is with personas, right? So if you have your public persona, then here's all the things that I don't care for everyone
Starting point is 00:09:01 in the world to know. If you're mindful of that and just kind of keep that out there at all times, you're far better off. There's certainly a number of ways to kind of create alternate personas that you only use at certain times, sort of an operational security perspective. But with 5G, I mean, sort of becoming a prepper, having a bunch of water at home and a generator and things like that, there's really not much you can do to try to prevent sort of being impacted by an infrastructure attack or things like that. Kind of demonstrates part of the problem, I think. That's Dave Venable from Macergy.
Starting point is 00:09:42 There is an app behaving badly in the Android ecosystem. Upstream Systems' security lab Secure-D says that VidMate, an Android app with about half a billion downloads, is up to a lot of not-so-good things. VidMate allegedly serves adware, subscribes users to paid services without their knowledge, and sucks down their mobile data. These things are all bad.
Starting point is 00:10:06 VidMate told BuzzFeed it was investigating the matter, but declined to say much more than that. VidMate facilitates downloads of video from YouTube, WhatsApp, and other sources, but we think we'll do without it. An unsecured AWS database, apparently belonging to Mumbai-based social media marketing outfit Chtrbox, has exposed information on millions of Instagram influencers, celebrities, and brand accounts, TechCrunch reports. The data seems to have been obtained by scraping.
Starting point is 00:10:36 Bravo Emsisoft, which has released a decryptor for JSWorm 2.0 ransomware. The decryptor is available for free from the New Zealand-based security firm. If you're a victim, Emsisoft urges you not to pay, but to visit their site and use their decryptor. That decryptor won't help the city of Baltimore, alas. Charm City was afflicted almost two weeks ago with RobbinHood ransomware, and while reversion to manual backup has restored some city services, most notably the ability to transfer deeds in real estate transactions, recovery is looking like a long and probably costly process. The new mayor, Jack Young, said at the end of last week that he had no precise timeline for recovery,
Starting point is 00:11:17 but that the city was hard at work rebuilding systems in a way that would enable Baltimore to restore its business functions securely. It's going to be pricey. Apparently, Baltimore doesn't have insurance against this kind of attack. The taxpayers will be even more unhappy than usual. The U.S. continues to be serious about strictures against Huawei as markets sort out the ban's consequences. The Commerce Department has relaxed some of its restrictions Huawei's placement on the entity list imposed, but those relaxations are designed for the convenience of some U.S. businesses and don't come close to amounting to a get-out-of-jail-free card for
Starting point is 00:11:55 the Chinese tech giant. U.S. companies including Google, Qualcomm, and Intel were quick to cut Huawei off. Huawei, for its part, has warned everyone not to take it lightly, that it has resources to draw upon, and that it doesn't intend to go quietly. How the markets ultimately regard the companies enmeshed in U.S. sanctions remains to be seen. Huawei suggests that its customers and vendors are likely to feel the bite more than Huawei itself, but others aren't so sure. There's also some pointing with alarm at the emergence of a new Cold War in cyberspace, but the first non-lethal shots in that particular war were fired so long ago that this hardly counts as news. Calling all sellers, Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:12:47 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:13:22 we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:13:57 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:14:42 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's always great to have you back. I wanted to touch base with you on some of the stuff that you and the Talos team are monitoring out there on the net. What do you see in these days? Well, so we actually did have some really interesting data. One of our researchers, Chris Evans, has been out there trying out different types of honey nets, honey pots,
Starting point is 00:15:24 putting out things to see if people fiddle with them. And one of the more interesting things that we've seen recently is attackers specifically targeting Elasticsearch clusters. Describe to me what you're seeing. Well, so they're basically trying to use older attacks. So we're looking at CVEs from 2015 and 2014. But I'm sure you realize a lot of people who run these massive elastic search clusters don't really keep them up to date, unfortunately.
Starting point is 00:15:50 During the period we looked at this, we were able to identify what we believe were six distinct actors basically poking at these servers to see what they could do. Now, that's interesting, because I guess my first inclination would be to think that if folks were using techniques that were that old, then they wouldn't be that effective, but that's not the case? Definitely not. Unfortunately, a lot of times companies set up these servers, and then as long as things are working, they don't tend to mess with them. It's kind of the uptime thing, right? If it didn't break and don't fix it, unfortunately, they don't realize that's not always true with software, because as time goes on, even if your server was perfectly functional, well, people are going to
Starting point is 00:16:29 discover problems in the software. They're going to develop ways to exploit the software. And so if you don't put mitigations in place or patch it, you're going to have a bad day, particularly for those systems connected directly to the internet. And are there any patterns that are emerging here in terms of who you might think is up to this or what they're after? Actually, yes. There are some very interesting little weird patterns that they're doing. One of them that allowed us to track one group is they're trying to download a file with a very specific name. Now, hilariously, the server they're trying to download it from is no longer hosting that file. So basically what that means is it was, you know, it's an automated worm type
Starting point is 00:17:09 thing just hammering on and hammering on, even though the entire campaign is really broken since that file is no longer there. You know, one of the other things we thought was funny was that it echoed a specific command into the server. and we believe that part of the command is actually a social media identifier. And when we looked up the account for that social media identifier, it's a particular Chinese social media account, and it posts about cybersecurity and attacks periodically. Now, you know, I want to be clear here, right? This could be somebody trying to frame that particular user. It could be someone just goofing around. It could be
Starting point is 00:17:50 completely coincidental. So, you know, on these types of things, you've really got to look at that type of information with a little bit of a grain of salt, because you can never really say that that would be that person, right? Why would it make sense for the attacker to drop their social media account? I mean, I guess it's true. Bad guys have horrible opsec and love signing their work to make it easier for us. But seriously, really? Like, it's going to be that simple?
Starting point is 00:18:15 So where does it go next for you all? You have this honeypot out there and you see this activity. Where do you take it next? Well, you know, that's why we basically come on shows like yours and we post things to our blog so that people are aware that this is happening. Honeypots are a useful tool, but honeypots are usually very easy to detect. And so our team will go to great lengths to try and make it very difficult for people to detect them. You know, we have customized
Starting point is 00:18:39 software, we deploy it around the world, we deploy it in IP spaces not attributable to the company or any company that people associate us with. And so when we see these type of things, we're very confident that this is representative of basically the background attack traffic of the internet. And so we alerted our customers, we're alerting all your listeners and our listeners that if you're running this software, you need to be aware that it's being targeted. and our listeners that if you're running this software, you need to be aware that it's being targeted. And so if you're running Elasticsearch 1.4.2 or lower, you've got to upgrade or you've got to get some sort of intrusion prevention system like Snort in place to protect you against those threats. All right. Craig Williams, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:19:32 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:20:24 sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:20:57 Thanks for listening. We'll see you back here tomorrow. Thank you. Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
