CyberWire Daily - Clickfraud and third-parties (both SDKs and stores). Trojanized TOR browser steals from Russian users. WiFi bugs. Sketchy jailbreak. Big Tech on free speech. Cooperation against terrorism.
Episode Date: October 18, 2019
Clickfraud arrives via a third-party SDK, and the app developers who used it say they didn't know nuthin'. Maybe they didn't. A Trojanized TOR browser warns its bro's that, whoa, you're out of date and the police might see you, but it's really just stealing the bros' alt-coin. WiFi bugs are fixed in Kindle and Alexa. Don't try to jailbreak your iPhone from a sketchy checkra1n site. Two Big Tech companies take different directions on free speech. And Russia gets an assist from Uncle Sam. Craig Williams from Cisco Talos on Tortoiseshell creating a fake veterans' job site. Guest is Caleb Barlow from CynergisTek on the challenges of securing medical records.
For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_18.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today, get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Click fraud arrives via third-party SDK,
and the app developers who used it say they didn't know nothing.
A trojanized Tor browser warns its bros that,
whoa, you're out of date and the police might see you,
but it's really just stealing all the bros' altcoins.
Wi-Fi bugs are fixed in Kindle and Alexa.
Don't try to jailbreak your iPhone from a sketchy checkra1n site.
Two big tech companies take different directions on free speech.
And Russia gets an assist from Uncle Sam.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 18, 2019.
Upstream says it's caught the popular Android app SnapTube engaged in large-scale click fraud.
TechCrunch says that SnapTube has some 40 million users who employ it to download video and music from major video sites like YouTube and Facebook.
Users receive silent ads that run in the background, racking up clicks that, while remaining invisible to the user, drain device battery and goose SnapTube ad click rates.
More seriously, they also purchase premium digital services,
also silently and in the background.
Upstream says it's blocked more than 70 million suspicious requests
from almost 4.5 million unique devices over a six-month period.
SnapTube isn't offered in Google Play, but is instead downloaded from third-party app stores.
The problem appears to lie in malicious code embedded in a third-party software development kit SnapTube uses.
This code, known as Mango, had earlier been implicated in a click fraud campaign involving Vidmate, another downloader app accused of ad fraud back in May.
For its part, Mobiuspace was shocked, shocked, to learn that click fraud was going on,
and they say they're considering legal action against Mango's developers.
This incident illustrates at least two things.
First, while official stores aren't perfect, they're usually a better security bet than third-party app stores.
And anyway, perfection is an unreasonable standard, even for Google Play.
Second, it illustrates the problem of software supply chain security.
It's not the first time SnapTube has been the object of complaints about click fraud.
Sophos reported finding it back in February, and later this year some Android devices began flagging it as containing suspicious code.
The ease of using SDKs may be a fatal temptation,
assuming, of course, that claiming the SDK ate my brand reputation isn't a dot-com equivalent of the dog ate my homework.
ESET describes a trojanized Tor browser that warns victims that they're vulnerable to police snooping
because their browser is out of date.
The bogus update page, to which the unwary are redirected,
installs malware that enables the crooks to steal cryptocurrency,
mostly QIWI but some Bitcoin as well.
The caper is conducted in Russian
and is directed against Russian-speaking visitors to various darknet sites.
Many of these sites, but we'll hasten to add not all of them,
are likely to be the home of nastiness and contraband,
likely to give visitors an uneasy conscience.
The warning page goes for a chummy one-dude-to-another tone,
not the sort of we-see-what-you're-up-to manner
that's so often associated with scareware.
For example, it addresses the victim as bro and
offers a sympathetic fix to keep the militia off their back. And it's worth recalling here that
the victims are Russian speakers. For all the news of Russian hacking we see, there are plenty of
Russian victims in cyberspace too. ESET has also reported that older and unpatched versions of
Amazon's Kindle and Echo are vulnerable to key
reinstallation attacks that exploit Wi-Fi vulnerabilities to achieve man-in-the-middle
status that could enable a range of bad activities from snooping to distributed denial of service.
The method of attack is the KRACK approach discovered in 2017, which takes advantage of
endemic issues in the WPA2 standard. Users should note, first, that Amazon has patched the problems,
so they should update their devices.
And second, the vulnerability, as is almost always the case with Wi-Fi issues,
is one that's exploitable only at close range.
Nonetheless, Alexa, go update yourself.
People who are, for reasons of their own, enthusiastic about jailbreaking their iPhones
have been interested in checkra1n,
a jailbreak that makes use of the checkm8 vulnerability found in some older iOS devices.
They've been drawn to a site that says it's got the goods,
the real deal checkra1n jailbreak.
But they don't.
The only thing you'll get from going there,
Cisco Talos warns, is enrollment in an ad fraud campaign.
While Apple CEO Tim Cook mollifies Chinese authorities, as Wired and other media outlets
describe, Facebook CEO Mark Zuckerberg came out swinging yesterday like a First Amendment
true believer. The Telegraph and many others report that he said,
in an address at Georgetown University, that his company is not only uninterested in returning to
business in China, but that it intends to resist calls to moderate political speech.
Facebook, he said, was unable to reach an accommodation with China because it's been
unwilling to knuckle under to Beijing's strong position on state control or at least approval of Internet content.
Zuckerberg expressed Facebook's strong commitment to free speech as grounds for refusing to moderate political content.
He argued that the Chinese government's values ought not to set the norms for the Internet as a whole.
He also observed with some concern that freedom of speech seemed to be under assault in the West as well,
where too many people have come to believe that their political objectives are so important
that opposing views should be suppressed.
In any case, he said that Facebook won't censor political ads,
even when they contain what its fact-checkers decide are lies.
This week has seen a kind of quick reputational role reversal for Apple and Facebook.
Apple has been famously committed to privacy,
but that commitment seems to have eroded a bit in the solvent of China's repressive actions in Hong Kong.
Facebook, on the other hand, which has had to master the art of apology for data mishandling,
may have had a complicated relationship with privacy,
but it seems now to be committed to freedom of speech.
And finally, back to Russia.
TASS is authorized to state that, while the enemy of my enemy may not exactly be my friend,
they could at least be maybe a helpful legal attaché at the embassy.
The Moscow Times has some information on U.S. assistance to Russia's FSB in a Russian domestic counterterror operation.
What terrorist group was implicated isn't publicly known, but the U.S. has in the past given Russia intelligence on Islamist operations.
Nevertheless, Russo-American relations in cyberspace aren't all rainbows and unicorns.
Cozy Bear, after all, has resurfaced in the news.
But the notes from TASS are a reminder that even opponents sometimes find common ground.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose,
and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco.
Craig, it's always great to have you back. You all recently published a blog post,
and it's titled, How Tortoiseshell Created a Fake Veterans Hiring Website to Host Malware.
A lot to unpack here.
Describe to us what's going on.
Well, this is basically another great example of an attacker finding a really clever social engineering angle to make victims become more susceptible
to a traditional malware campaign. I mean, you know, if you look back on it, this is not too
dissimilar from other things we've seen in the past, right? Like you see things like attackers
pretending you have a bill due and you should immediately click and log in, right? And so
when they go for these types of emotionally charged issues, right, be it you're going to help out heroes, you've got a bill due, you know, your password's been compromised.
All those are really designed to have you react emotionally.
The thought process is basically the faster and more quickly you can react emotionally, the less likely you are to think it through.
And then the bad guy is much more likely to get their way.
Yeah, we're going to short circuit your skepticism here.
Right. And so in this particular case, you know, the bad guys actually found,
you know, a relatively convincing sounding domain, you know, hiremilitaryheroes.com.
It sounds legit, right?
I'm surprised it was available.
It's one of those domains where a bad guy finds it. It's not taken.
And so they take it and they put up a page that looks legitimate on there.
And then they just start their scam. And in this case, it was a malware campaign designed to target people who wanted to help out members of the military.
Well, let's walk through it step by step.
I get sent to this website.
I get lured to this website.
What do I see and what happens next?
Well, you see a nice little logo, right? You see the soldiers, I think it's the D-Day picture putting the flag up, and it's got, you know, We Make America Safer in red, orange, and green.
You know, once you go through that, it basically starts to trick you into downloading a desktop app, right?
So like number one right there, you know, don't go to a website and install their app.
Yeah, but I could imagine if I'm somebody looking for work, I might do whatever has been asked of me here, and that, I'm sure, is part of the thought process of impersonating a site like this.
Yeah. You know, but as a user of the internet, you need to realize, well, why would I need to
download this app? What does it do? What permissions does it need? Right. You know,
do I have to install it? Can I just fill out a form? And those are the types of questions that
will probably help a user or a victim realize that maybe everything's not
on the up and up here. So what does it download and then what happens? Well, the very first things
it does is it'll try and reach out to Google. And if you basically have a tool like Little
Snitch or another type of firewall that'll say, hey, you downloaded this binary from the internet
and then Little Snitch, sorry, that's an OS X firewall,
but if you had something equivalent for Windows,
it would say, hey, you know, you've got a binary
trying to reach out to the internet,
do you want to allow it or not?
And potentially it would stop it,
and that actually would stop the malware from terminating.
So that's, you know, a traditional type of check
that we've seen in a lot of software
to try and determine if it's being meddled with or if it's being run in an environment
where it might be subject to more analysis.
So, you know, a pretty conventional check.
And if that check succeeds and the malware is able to reach Google and execute,
normally it installs a RAT.
And that RAT basically is a reconnaissance tool.
And here's the interesting part.
It sends the information over email. Really? That's kind of unusual. But it sends an email to a Gmail
account with hard-coded credentials. Actually collects a surprising amount of data. We were
discussing this the other day. And, you know, a lot of times when you see reconnaissance malware,
it does collect a lot of data, but it's very targeted data, right? Like it'll collect all the MAC addresses, all the
machine names and installed programs, and then, you know, abandon ship. Well, this particular campaign,
I've got to wonder if maybe these attackers didn't really know what they were targeting.
They just wanted as much information as possible about every machine that was possible. And so then potentially they could determine how to group the machines
and then sell them off to the highest bidder. But it gathered everything. I mean, if you look in the
blog post, I think we have three pages of screenshots of commands that it's harvesting
the output from. Now, the fact that it's sending off this information to an email account and there
are hard-coded credentials, does that give you all the opportunity to go poke around in that
email account to see how successful they've been? That would be against U.S. law. I see. I'm with
you. I'm with you. However, if another potentially malicious... But you like the way I'm thinking, right? I love it. And I didn't say don't do it. I just...
I'm not offering any sort of opinion or judgment here.
Okay. Very good. Very good.
But my understanding, I've been told that it would not be a thing that we could do.
I see.
And so, you know, while it does gather all that data, it also does maintain persistent access.
So, and, you know, this is in line with them doing reconnaissance and then potentially grouping these machines through whatever thing that the, you know, potential buyer would have in common and then allowing them to take over the machine through the remote access Trojan.
Wow.
So do you have any sense for how widespread this is or what sort
of success they're seeing? We believe we caught it fairly early. We didn't see a ton of emails.
We didn't see a lot of activity. It was actually fairly narrow. We didn't have tons of telemetry
on it. So we're cautiously optimistic we caught it early. All right. Well, once again, the post
is titled How Tortoiseshell Created a Fake Veterans Hiring Website to Host Malware.
Craig Williams, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default-deny approach
can keep your company safe and compliant.
I recently spent some time at our local community hospital,
not as a patient, but keeping a family member company
while they went through a bunch of tests.
Everything turned out fine, by the way, but while I was there, I couldn't help noticing the number of hospital employees who came and went
and how they were accessing information on the computer in our treatment room.
I got curious about how that kind of access works, so I reached out to Caleb Barlow.
He's been on our show a few times before, and he recently took on
the role of CEO at CynergisTek, where they know a thing or two about monitoring healthcare data
privacy. One of the things that's very unique about healthcare records is that they need to
be open and accessible all the time, because you never know when you're going to show up at the
emergency room or what pharmacy you're going to go to. You know, you've got to be able to tap into those medical records. And that's part of how we facilitate
care today in the United States. I guess I'm imagining in an ideal situation where
there would be something tracking which health care professionals were actually working on me
and would somehow limit that they would be the ones to have access to my records
or at the very least authorize or be notified when someone who was outside of that circle of access
was either accessing my records or requesting access?
Well, first of all, Dave, let's acknowledge that most healthcare professionals,
in fact, the vast majority, are not only highly ethical in what they do,
but are as concerned about the privacy of their patients as they are their health care.
Right.
That's a really good point.
That being said, there are a few bad apples in the bunch and people are curious.
So when you show up at the emergency room and your neighbor who happens to be a nurse or a physician, they actually might check out why you're there. But we also found that sometimes employees are even more curious. So oftentimes
we've witnessed with young doctors, residents, and students that might use a medical record as
a phone directory, a dating site, or a place to even check up on that special someone
and see if maybe they've got an STD in their past. The privacy of this information is really key.
And there are a bunch of ways we can trigger off of the activity in that record to say,
wait a second, why was this person in this record? They work in pediatrics. Why are they
looking at an adult record? They didn't prescribe
anything. They didn't provide a note on the patient. You know, what else is going on here?
So I think what we're learning here can be extended across many industries. But if we look,
for example, Dave, at what were some of the more common levels of unauthorized access,
74% of what we find is insider snooping, meaning that it's someone within the practice that's checking up on a neighbor.
That's followed by VIP and confidential patients being about 10%, co-workers being 8%,
neighbors, interestingly enough, are 8%.
So we find people that happen to be in the
same school district and guess what? They're checking out their friends. This is happening
a lot. Now to put this in perspective, let's say that you have an institution, let's say a large
healthcare system with maybe 50,000 provisioned users. Okay. So, you know, a couple dozen hospitals,
pharmacies, et cetera, will generate 100 to 300 cases a week out of a volume of that size. And I think what we all have to realize is
that this isn't just about drawing those security fences and boundaries around our data. It's also
about understanding how is the data being used and is it being used for the intended purpose?
Now, is there a regulatory component here? I'm thinking of things like HIPAA.
If you discover something like this, is there an obligation to report?
There is. So under HIPAA, organizations must, quote,
implement policies and procedures to prevent, detect, and contain and correct
security violations. HIPAA also says that you have to implement procedures to regularly review
records of information system activities, such as audit logs, access reports, security incident
tracking, et cetera. So yes, this is covered under HIPAA. It's also covered in many cases under the
individual breach disclosure laws that we'll
see in various states around the United States.
Now, here's the thing you have to keep in mind, though.
It doesn't say how you have to do it.
So the way this has historically been done is someone runs a report.
They run a basic report and say, OK, did anybody in the hospital look up records of anyone
else in the hospital?
And was there a reason why, as an example, right?
So they maybe run that report, they find a few issues, they go investigate them,
maybe those individuals get counseled, or worst case, they get fired.
But that's historically happening several months after the incident has occurred.
What we're doing is we're applying all the thinking
that you put over Security Operations Center
to do this in real time using UEBA tools.
And I think part of what we're learning
that can be extended across the security industry
is that, first of all,
anytime you have large volumes of private data,
you probably have this inappropriate access.
But in addition to that, we're finding security incidents that the security teams aren't finding.
So a bad guy doesn't act in a, you know, a bad guy that's intent on stealing data out of a healthcare record actually doesn't act like a doctor.
And it shows up like a big red flare really quick.
And if we can catch that at the first couple of records and go, wait a second, why is this
person in here coming from the outside, maybe a vendor, they've accessed 50 records all
at once, they've provided no notes, no prescriptions, and it doesn't even look like they're treating
the patient.
Why are they in there?
If we can detect that at maybe the first few records and stop it, that's something the security team couldn't catch.
So what's your recommendation here for folks who are looking to explore this?
How do they get started?
Well, I think the big point here is we're learning that UEBA tools can be used in a totally different way, not just for security, but for monitoring privacy.
And that there's probably something to be said for continuously monitoring privacy on large data
sets. You know, think of not just healthcare, but also think of all of
the implications of GDPR. Why wouldn't you want to be in those records looking for those
inappropriate accesses all the time? But I think also, certainly for healthcare institutions,
there's an important wake-up call here that we need to be monitoring this, and we need to be monitoring it in real time.
Because again, if we can find that problem early, we can hopefully stop the large-scale breach
or correct the behavior before it really goes sideways. That's Caleb Barlow from CynergisTek.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.