CyberWire Daily - Catphishing for spies. Banking Trojans. Spider ransomware. CoinHive comes to Starbucks. SEC stops another ICO. BrickerBot retired?

Episode Date: December 12, 2017

In today's podcast, we hear that Berlin says Beijing's been catphishing, and that Beijing says no way. Banking Trojans in Google Play look for Polish accounts. Spider malware spins out of the Balkans. Transferring risk doesn't mean you can ignore it. The SEC calls cease-and-desist on another ICO. That venti in Buenos Aires may have come with a CoinHive miner. Rick Howard from Palo Alto Networks on DevOps vs. site reliability engineers. Marcelle Lee from LookingGlass on the Bad Rabbit ransomware. The Doctor puts down his tools and closes BrickerBot.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Berlin says Beijing's been catfishing, and Beijing says no way. Banking Trojans in Google Play look for Polish accounts. Spider malware spins out of the Balkans. Transferring risk doesn't mean you can ignore it.
Starting point is 00:02:09 The SEC calls cease and desist on another ICO. That Venti in Buenos Aires may have come with a CoinHive miner. And The Doctor puts down his tools and closes BrickerBot. I'm Dave Bittner with your CyberWire summary for Tuesday, December 12, 2017. In an unusual announcement, Germany's security agency BfV revealed the results of their long counterintelligence inquiry into how Chinese intelligence services use social media. LinkedIn drew particular attention, and BfV director Hans-Georg Maaßen said China is using the platform to collect information on targeted individuals.
Starting point is 00:02:52 The Chinese services are said to have catfished more than 10,000 Germans. Most of the fictitious profiles used were swiftly taken down, but some journalists got a peek before the catfish spit the hook and vanished, and the profiles appeared to be what the BFV said they were. The Chinese foreign ministry dismisses the German report as groundless and hearsay, desiring Berlin to speak and act more responsibly. It would be surprising indeed if such an obvious way of prospecting people for recruitment or other exploitation weren't being pursued. This is just espionage tradecraft updated for social media. Instead of an intelligence officer telling a potential agent at a cocktail party, why, what a coincidence, I'm a stamp collector too.
Starting point is 00:03:36 Now they do it online. ESET reports finding two apps in Google Play, Crypto Monitor and StorySaver, that in fact carry a banking Trojan aimed principally at Poland's financial sector. Crypto Monitor is an app that tracks cryptocurrency prices, and StorySaver represents itself as a third-party tool for downloading Instagram stories. Both of them scout infected devices for banking apps connected to 14 Polish banks. If they find them, the apps display phony login screens and steal user credentials. Netskope has identified a new ransomware strain, Spider, that appears to originate in the Balkans, probably in Bosnia.
Starting point is 00:04:18 It's carried by an infected Microsoft Word document, and if an unwary user opens it, it encrypts files and demands ransom in Bitcoin. Taking out insurance against cyber attack is a sensible way of transferring risk, but WatchGuard thinks it sees signs of small businesses in particular thinking that insurance enables them to rest easy with poor cyber hygiene. This is particularly the case with respect to vulnerability to ransomware infestations. Marcelle Lee is a threat researcher at LookingGlass, and she recently authored a report on the Bad Rabbit ransomware strain. She joins us with her insights on the malware campaign. We have an international team, and one of our researchers is actually based in Ukraine,
Starting point is 00:05:01 which is where this Bad Rabbit activity first surfaced, in Ukraine and Russia. Bad Rabbit, it's a multi-stage piece of malware. The way that it gets launched on a system is through basically an infected website. So most of the websites that were infected were based in Russia or Ukraine. And there's basically some malicious JavaScript that's running and has been injected into these websites. Once a user visits the website, that malicious JavaScript will run. And what the JavaScript does is basically harvest information about the host machine. So operating system, location, things of that nature, it sends that information off to a remote server. And then at that point, an Adobe Flash Player update window
Starting point is 00:05:54 pops up as they do. And if the user clicks on that, then that's basically the dropper for the malware. So the malware will be loaded on the host at that point in time. None of this is the actual malware itself, right? It's just the mechanism to get the malware onto the host machine. So once you've done that click of the fake update, the malware is dropped and all the ensuing activity begins. There's a number of different things that happen, but the primary thing, of course, is the file encryption. So after it goes through the whole encryption process, then the system basically reboots and you get the message saying, actually, it's kind of an amusing message because it says, oops, your files have been encrypted, like it happened by accident
Starting point is 00:06:39 or something. So yeah, so then you're instructed with that message to visit an Onion site, Darknet, to obtain the decryption key. And you're instructed to pay using Bitcoin, which is pretty typical for ransomware. Some interesting things about this malware were the Game of Thrones references. We're not really sure if the author just liked Game of Thrones and thought it'd be fun to throw some references in there or what the deal was with that. But just something kind of out of the ordinary. There's definitely some similarities with the NotPetya malware that came out earlier this year. The message that pops up on the screen looks virtually exactly the same. Is this a situation where if you pay the ransom, you will get your files back? So maybe I would say, but really, if you look at the Bitcoin
Starting point is 00:07:30 wallets that were associated with this malware, or at least the ones that we've seen, there's been very few transactions, like basically nothing new has happened in those wallets since the end of October when this first came out. Typically, the recommendation is not to pay ransom because it just really kind of encourages further activity of that nature. That's what we recommend, is not to pay the ransom. And Bad Rabbit is engineered to spread through your network. It just doesn't park itself on a single host. Correct. Correct. So one of the things we observed in our analysis was it was leveraging SMB to reach out to other hosts. So if it did find other hosts on the network, then it would literally spread itself to those.
Starting point is 00:08:10 So sort of that worm aspect as well. What are your recommendations for how people can best protect themselves against Bad Rabbit? First of all, keeping software updated. And that's nothing new, right? Everybody knows you should keep your software current to hopefully prevent any vulnerabilities being leveraged. And then just disabling JavaScript in browsers is a good thing to do. Whether or not people want to go to that effort is another thing, but you can disable JavaScript and just whitelist applications or websites that actually need it. Utilizing browser security tools is another good practice.
Starting point is 00:08:46 So a lot of browsers do have built-in security mechanisms that you can leverage. But again, that's something that typically has to be turned on. Of course, user education is always good. Helping our users understand when something is potentially malicious, what not to click on, which in my humble opinion is everything. But yeah, so I mean, the user education piece is always tricky. And I'm a huge advocate of making users part of the solution and not just always considering them part of the problem.
Starting point is 00:09:18 Because I think if there's better awareness, more meaningful awareness, then they're more apt to help. It's a positive reinforcement versus negative reinforcement, way more effective. That's Marcelle Lee from LookingGlass. You can read her full report on the Bad Rabbit ransomware on the LookingGlass blog. The U.S. Securities and Exchange Commission has stopped another ICO, this one for an operation called Munchee. Munchee had set up a $15 million token sale that would have funded the MunCoin, which would have been a payment system for restaurant reviews.
Starting point is 00:09:55 The SEC served them yesterday with a cease-and-desist order. The problem was that offering an instrument for sale with an expectation of return makes that instrument, legally, a security, and if you're offering securities in the U.S., you ought to be registered with the SEC. Munchee also struck regulators as using what TechCrunch called the typically spammy and scammy marketing efforts most ICO floggers use. Now, in any event, WhopperCoin was there first, and besides, the SEC's writ doesn't run to Moscow, so there was no similar issue with Burger King Russia's invitation to eat your way to riches, sandwich by sandwich. Munchee's site calls the company the new decentralized blockchain-based
Starting point is 00:10:37 food review and social platform. The site is still up, but the links behind the homepage don't appear to be working. This isn't the only blockchain-based activity going on in cafe society. The blockchain apparently came to the barista, and it seems the barista knew nothing about it. At least one Starbucks Wi-Fi provider may have used the coffee shop's network to install a Monero miner in unwitting patrons' devices. It appears that patrons who belong to the coffee shop's rewards program in Argentina were unwittingly enlisted in CoinHive, whose JavaScript cryptocurrency miner extracts Monero. This seems to be the work of a third-party vendor, and not Starbucks itself. The vigilante known variously as The Doctor and The Janitor, the one responsible for BrickerBot,
Starting point is 00:11:24 has indicated he's retiring. He claims to have bricked more than 10 million vulnerable IoT devices, thereby preventing them from being herded into malicious botnets. Dr. Janitor never got much love; he was regarded by many as a destructive, self-righteous pest, and a lawbreaker too. He himself felt misunderstood. As he put it in his valediction, reproduced in part by BleepingComputer: "There's only so long that I can keep doing
Starting point is 00:11:52 something like this before the government types are able to correlate my likely network routes. I've already been active far too long to remain safe. For a while now, my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night, as soon as some unpleasant government figures out who I am." Please. Dr. Janitor was always far likelier to face public prosecution and a nickel in Oakdale than to vanish as an unperson down some Ministry of Love memory hole. At any rate, the janitor says he's retired and presumably moved to a nice active senior residence at Dunhacken. He did publish some of his source code in his exit manifesto, but not his SSH crawler, which he deemed too dangerous to publish.
Starting point is 00:12:37 The way Tony Stark always insisted Iron Man's armor was just too overwhelming to place into the hands of the common man. That armor had the power of the transistor, after all. He did leave some advice behind, however, that's worth reading. It's most easily accessible at BleepingComputer, and it advocates hygienic and policy measures for taking some of the DDoS risk out of the IoT. He urges the community to start using Shodan audits
Starting point is 00:13:02 to find vulnerable ports and services, pushing IoT vendors to do better at security updating, working toward IoT security standards, and volunteering to fix vulnerable systems. And hackers, a pro tip: that kind of volunteer work may be a better outlet for your energies than a license plate shop at Virginia Correctional Enterprises, not to mention breaking rocks in the hot sun.
Starting point is 00:13:34 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:14:04 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:15:13 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:15:57 And I'm pleased to be joined once again by Rick Howard. He is the chief security officer at Palo Alto Networks, and he also heads up Unit 42, which is their threat intel team. Rick, welcome back. Not long ago, you and I were talking and singing the praises about DevOps,
Starting point is 00:16:35 but you are someone who continues to evolve with your views and your opinions, and today you wanted to present to us that maybe it's time to think twice about DevOps. What are we doing here, Rick? Not exactly that. I would just say that DevOps is a philosophy. That's how I've come to terms with this, right? And it's this idea that we should look at the way we deploy things and the way we update things in our environment as a system of systems, just like car manufacturers make cars, right? The leaders of those manufacturing plants, they watch the system move through until they make the car.
Starting point is 00:17:13 And they are very specific about taking every piece of inefficiency out of that system. The way we do it in automation, the way we do it in IT is some marketing guy comes up with an idea. We throw it over to a proof of concept developer. They build stuff. They throw it over the fence to the quality control folks, and they get it up to version 1.0. Once they get it there, they throw it over the fence to the operators who install it and maintain it. And none of those people talk to each other in that process.
Starting point is 00:17:41 And so the glue that moves it from process to process is not there. So DevOps is this idea that we should automate the entire process and view it as a system of systems. So I still believe in that philosophy. But when you read the literature about DevOps, it's kind of highfalutin and not a lot of specifics about how you might go around doing this. What's emerged in the last six months that I've seen is this idea of site reliability engineers. And they originated out of the Google team back in 2004
Starting point is 00:18:12 when they were trying to figure out how to scale this, you know, search engine that they had come up with, right? And what they did was they handed the network management off to a bunch of developers. That's an interesting idea. Because when developers get stuff, they automate it. Okay. So the Google site reliability engineers, right? They scale this operation. They automated everything, the glue that moves the part from piece to piece to piece so we can get it installed and maintained. They are so good at what they do. It's almost autonomous
Starting point is 00:18:43 and not just automatic. It's almost autonomous, meaning that their software can look for problems, roll it out, fix it, roll the fix back in all within the same day, all within the same couple of hours, right? Their philosophy on how to do this with their IT admins is that the Google IT admin shouldn't touch a box to fix anything more than 50% of the time, because they want those folks to be automating the next process so they can scale even further. So DevOps, in my mind, is a philosophy where site reliability engineering is really the how-to to get it all done. And here's my concern. All that is fantastic, and there's lots of people working on it. Google and Netflix and Salesforce and Facebook, these are all examples of organizations who do this really well.
Starting point is 00:19:30 But security people are still on the outside of that whole movement. And it doesn't make sense to me that as we automate the process from front to back, that you're leaving the security expertise out of the system. So my advice to everybody listening is they need to get engaged with this conversation. They need to insert themselves into this DevOps philosophy and the site reliability engineering how-to stuff. Become very useful to the whole process so that security is not left out. Or in a couple of years, our whole network defender community is going to be irrelevant because we're not contributing to the effort.
Starting point is 00:20:07 Did I convince you? Well, you know, I'm definitely going to check it out. I'm going to read up on site reliability engineering. I can tell you that. Great. My work is done here. There you go. All right.
Starting point is 00:20:22 Rick Howard, thanks for joining us. Thank you, sir.
Starting point is 00:21:19 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
