CyberWire Daily - Coordinated inauthenticity with a domestic bent. Preinstalled malware in discount phones. Evilnum and the Joker continue to evolve. Incidents at FreddieMac and RMC.
Episode Date: July 9, 2020
Facebook takes down more coordinated inauthenticity. Preinstalled malware is found in discount phones available under the FCC's Lifeline program. The Evilnum APT continues its attacks against fintech platforms and services. Joker Android malware adapts and overcomes its way back into the Play store. Freddie Mac discloses a third-party data breach. Johannes Ullrich from SANS on defending against Evil Maids with glitter. Our guest is Rohit Ghai from RSA with a preview of his keynote, Reality Check: Cybersecurity's Story. And the Royal Military College of Canada's hack attack remains under investigation. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/132
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Facebook takes down more coordinated inauthenticity.
Pre-installed malware is found in discount phones available under the FCC's Lifeline program.
The Evilnum APT continues its attacks against fintech platforms and services.
Joker Android malware adapts and overcomes its way back into the Play Store.
Freddie Mac discloses a third-party data breach.
Johannes Ullrich from SANS on defending against evil maids with glitter.
Our guest is Rohit Ghai from RSA with a preview of his keynote,
Reality Check, Cybersecurity's Story.
And the Royal Military College of Canada's hack attack remains under investigation.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Thursday, July 9th, 2020.
Facebook yesterday took action against several networks for violations of the social media's
policies against foreign interference and coordinated inauthentic behavior.
The networks were based in four countries, Brazil, Canada, Ecuador, Ukraine, and the U.S.
The takedown was noteworthy for the prominence of political messaging directed at domestic audiences.
The networks in Canada and Ecuador exhibited both inauthenticity and foreign interference
aimed at audiences in El Salvador, Argentina, Uruguay, Venezuela, Ecuador, and Chile.
The messaging here had a political dimension as well, but few obvious political commitments,
often coming down on opposite sides in matters of electoral politics.
Facebook said it was able to connect the activity to political consultants and former government
employees in Ecuador and also to Estraterra, a Canadian public relations firm. They spent about
$1.38 million on Facebook ads. Estraterra is no longer welcome on Facebook's platform.
But the networks in Brazil, Ukraine, and the U.S. are in some ways more interesting because they
were taken down for using coordinated inauthenticity to engage domestic audiences.
The activity in Brazil, Facebook said, was linked to individuals associated with the Social Liberal Party,
including Jair Bolsonaro, who is, of course, Brazil's current president.
This network also bought Facebook ads, but only to the chicken-feed amount of $1,500.
In Ukraine, the coordinated network was particularly active during the 2019 presidential and parliamentary elections. It posted about
various issues of domestic interest, including Russia's occupation of Crimea and Ukraine's
relationship with NATO. It also appeared to support some candidates. They spent about $1.93 million on Facebook and Instagram ads.
Finally, the activity in the U.S. was connected to the already banned Proud Boys group,
whose attempts to get back onto Facebook the social network was watching.
In the course of that investigation, they identified a number of inauthentic accounts
that the Washington Post connected to former political consigliere Roger Stone, who until his conviction for lying and witness tampering
had been an advisor to President Trump. Facebook credits sealed court records in the case of the
United States v. Stone, released after a petition by several news organizations, with helping it
recognize the coordinated inauthenticity.
This network also bought ads, more than the Brazilians but less than the others,
not quite $308,000, according to Facebook.
Researchers at security firm Malwarebytes report pre-installed malware on ANS, that is American Network Solutions, UL40 phones running Android OS 7.1.1. The devices are
among those sold by Assurance Wireless under the U.S. Federal Communications Commission's Lifeline
program, which makes budget phones available to low-income consumers. This is the second time
this year Malwarebytes has found pre-installed malware in discount Lifeline devices.
Back in January, the company found similar issues with UMX U683CL devices produced by Unimax Communications,
which Malwarebytes says officially removed all pre-installed malware from its phone in February.
ESET has a report out on the Evilnum APT, a little-discussed group that's been active against financial technology companies since 2018, at least.
The security firm's researchers say that the threat group uses a mix of internally developed and commodity attack tools.
They steal financial information from trading and investment platforms.
Most of Evilnum's targets have been in the EU or the UK,
with a few in both Canada and Australia. The commodity tools they use are for the most part
purchased on the criminal-to-criminal market from the Golden Chickens malware-as-a-service vendor,
whose other customers include FIN6 and the Cobalt Group. The information Evilnum has taken includes spreadsheets and documents holding customer
lists, investments and trading operations, internal presentations, software licenses
and credentials for trading software and platforms, cookies and browser session information, email
credentials, and customer credit card information, including proof of address and identity documents.
The group has also been interested in information that could prove useful in subsequent attacks,
like VPN configurations.
They identify the group as an APT, that is, an Advanced Persistent Threat, but ESET doesn't
connect Evilnum with any particular government.
And while it notes that Evilnum buys some of its tools from
the same vendor as FIN6 and the Cobalt Group, it says it found no other connections among those
threat actors. Security firm Check Point today outlined a new variant of Joker Android malware
hiding inside apparently legitimate apps, some of which circulate in the Play Store. Forbes
summarizes the findings as more evidence
of Joker's dangerous sophistication. It hides itself in the manifest file of infected apps,
which Check Point explained is the file every Android app must have where the developer
declares permissions needed, usage of servers, and so on. The actor pushed an encoded malicious
payload into metadata fields in that file,
only to be decoded and loaded when on a victim's device. That way, no configuration or payload
needs to be pulled from the internet. Google has ejected the malicious apps from the Play Store,
but the Joker operators are adaptive, and once they are detected, they return.
Continuing our media partnership with RSA and their upcoming Asia Pacific and Japan conference,
our guest today is RSA President Rohit Ghai with a preview of his conference keynote,
Reality Check, Cybersecurity's Story.
The theme for the RSA conference this year is the human element.
And I reflected on what it is that makes us human.
You know, I think the unique trait that humans have is that we are a storytelling species.
And as such, I reflected on what the story of the cybersecurity industry is and what impact it has
in terms of the future of the industry. So that's sort of the thought process that led me to
taking a storytelling perspective to the industry and the domain of cybersecurity.
Can you give us a little bit of a preview of some of the things you're planning to talk about?
Absolutely. So what I talk about, you know, I set it up first in terms of the human element being a key theme for
cybersecurity and why the human element is important. And the net of it is that while we
obsess so much about the technology infrastructure that we are looking to protect in the cyber world,
intrinsically, this is a very human challenge. What we protect at the end of the
day is the trust that we as humans have in technology and data. That's at the end of the day
what our mission is. So I think just framing the mission from a humanistic lens is the first thing
that I hit on. Next, what I see, you know, the overall story
comprises three episodes, if you will.
I talk about the story we had in the industry,
the story we have in terms of how we tell our story today.
And then I close out with saying the story we want
in terms of how we should tell our story,
because the way, in my view,
the way you change the future or change the world
is to tell the story that you want. You have to first tell the story. The story comes first and
the future next. You know, it strikes me that many of us got together for the RSA conference in San
Francisco earlier this year. And for, I imagine, most of us, that was the last big get-together that many of us had.
That was the last opportunity for the industry to really get together. And so much has changed in
just the few months since then. I imagine that that must have played into your thoughts here
as you were putting this presentation together. Absolutely, indeed. It was top of mind. And,
you know, the way I weaved it into the story is like a plot twist, right?
Every great story has a plot twist. And boy, did we have a plot twist in the last few months.
Who would have thought that, you know, right on the heels of the San Francisco edition of the conference,
we would all be sort of quarantined, sheltered in place and kind of the world going through what it's gone through.
What I've reflected on in my talk is some key learnings.
What have we learned through this global pandemic that we've all been living through?
And I've tried to draw inspiration, you know, in terms of those learnings into the field of cybersecurity.
So that's sort of the overall flow of the talk that I intend to give.
That's RSA President Rohit Ghai.
The RSA Asia-Pacific and Japan Conference kicks off July 15th.
Freddie Mac, the U.S. Federal Home Loan Mortgage Corporation,
has disclosed a data breach.
It's apparently a third-party incident.
Borrowers whose loans were serviced by one of Freddie Mac's due diligence vendors
have received letters warning them of the breach.
And Canada's Department of National Defence is continuing its investigation
of last week's hacking incident at RMC, the Royal Military College of Canada,
the Kingston, Ontario college that's the equivalent of the U.S. Military Academy at West Point
or Britain's Royal Military College at Sandhurst.
The Department of National Defence has said,
all early indications suggest this incident resulted from a mass phishing campaign.
The Financial Post cites sources at the college as saying it was a ransomware attack.
Emsisoft told the Financial Post that assuming it was ransomware,
the gangs responsible were probably either DoppelPaymer or Netwalker,
both of which steal data before they encrypt drives and submit their ransom demand.
Netwalker tends to add its victims to its public list and then remove them once they begin negotiating payment,
whereas DoppelPaymer's style is not to disclose its victims until they refuse payment.
Given that RMC hasn't shown up on anyone's list of victims yet, they're betting it's DoppelPaymer.
The Department of National Defence said that certain systems of the Canadian Defence Academy,
the umbrella organization for Canadian military education,
were also affected.
But the locus of the attack was RMC,
whose networks have remained offline as a precaution.
No classified information, the department says, is at risk.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
like policies, access reviews, and reporting, and help you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC StormCast podcast.
Johannes, it's always great to have you back.
You know, we've heard a little bit about these evil maid attacks
in the context of the Thunderspy vulnerability.
You've got an interesting angle to this.
Can you unpack what's going on here?
Yeah, so Thunderspy was a fairly technical,
difficult-to-pull-off vulnerability
where you essentially have to open up a laptop,
you attach a little device to it
to flash the Thunderbolt firmware on the motherboard.
But the effect is quite devastating
if an attacker is able to do that,
because they essentially sort of destroy the trust that your system has in its hardware.
These attacks are often sort of called evil maid attacks. And the reason they're called evil maid
attacks, well, back in the old days, when we were able to travel, we stayed at hotels and,
of course, sometimes had to leave our laptops in a hotel safe that we all know is
not all that great. And an evil maid that comes not to clean the room, but to clean all of our
secrets off our laptop may be able to have enough time in the room with the laptop to pull off an
attack like this. So the difficult part here is it's really hard to prevent this attack
other than carrying your laptop with you at all times,
which of course is difficult and really inconvenient.
So another approach is really to think about how to detect these attacks.
All right. So what do you propose here?
Well, one simple trick that I've read about myself many years ago
and forgot actually where I picked it up,
but is you can buy this glitter nail polish
or maybe you have a significant other that uses glitter nail polish.
And then you just put a little dab of glitter nail polish on the screws.
The attacker has to remove the screws from the laptop.
And by putting this glitter nail polish on the laptop, on the screws, well, if they open it, they will break that seal, so to speak.
And it's really difficult, of course, even if they happen to have the same brand of nail polish, to get it back just the right way.
So you would take a picture of these screws
after you apply the nail polish.
I also recommend covering it up a little bit,
not necessarily to hide it,
but to prevent it from being damaged accidentally.
You know, many of us have like little cases
or so we put on our laptops to protect them better.
They may also work here,
but just put a little piece of paper on it,
maybe some tape to prevent accidental damage here.
I could imagine also that if someone were going to
break into your laptop and they flipped it over
and they saw glitter on the screws,
they might think twice about it
because the possibility of them being discovered.
Correct, and that may also discourage them.
On the same note, hotel safes are known to be not secure.
I prefer a little backpack with a Pelican case attached to it where I can put my own padlock on it.
Again, this is not perfect. They can just cut the plastic.
They can still steal the laptop.
That's not your worry. You're worried about them modifying the laptop without you knowing.
So this is really more about adding some tamper evidence than tamper-proofing or theft-proofing the
laptop. Yeah, I always wonder with these sorts of things, it strikes me that if you are someone
whose risk profile includes this sort of evil
maid attack, I suspect you would probably know it and have these sorts of protections put in place,
or you'd be the person who wouldn't leave a laptop behind if this was something that
you knew you were perhaps going to fall victim to. Correct. That's definitely the case here. And I've seen companies
that for high-risk individuals
have like x-ray machines
where they periodically x-ray laptops
to make sure they haven't been tampered with
sort of on a circuit board level.
What I always recommend
is have two laptops,
one for the company secrets
that you leave in the hotel,
one with your personal secrets
that you keep with you
so that nothing important gets stolen.
That's a heavy backpack, Johannes.
It's a heavy backpack.
TSA loves me.
Yeah, that's right.
That's right.
All right, Johannes Ullrich, thanks for joining us.
Thank you.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing
at thecyberwire.com.
And for professionals
and cybersecurity leaders
who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.