CyberWire Daily - Daily: Android malware circulating in the wild. Did bears find Clinton Foundation servers just right? Help me, ObiWan.
Episode Date: June 22, 2016
In today's podcast we talk about Android malware loose in the wild, crimeware-as-a-service (both ransomware and banking Trojans). We hear about the growing consensus that Russian intelligence services were responsible for the DNC hack, and we note the latest report: those services also seem to have pwned the Clinton Foundation. Critical infrastructure jitters persist. Analysts look at cyber insurance markets, bellwether security stocks, and a new VC investment. Dr. Charles Clancy from the Hume Center at Virginia Tech discusses the cyber challenges facing the transportation industry, and Ayse Kaya Firat from CloudLock shares key points from their recent report on the dangers of third-party apps. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Android badness in the wild,
crimeware as a service courtesy of the Brazilian and Russian mobs,
the challenge of third-party apps,
the DNC hack still looks like the work of Russian intelligence,
and those two bears, cozy and fancy,
are now said to have taken up residence in the Clinton Foundation.
Critical infrastructure attack surfaces and threats
from ICS to the grid to transportation.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 22, 2016.
We'll be following up on the DNC hack and related incidents later in the show,
but first a review of what's currently happening in the wild,
where criminals are currently wild about Android exploits.
Malwarebytes is tracking Pavost.
This is a bit of an odd one.
It makes calls to numbers in area code 259. That's unassigned in the U.S., but if you use China's country code and try the numbers with that area code, you get a busy signal. This leads Malwarebytes to think that infected phones are calling China, since, as Malwarebytes researchers put it, with Android malware, motives usually answer the question "will this make me money?"
The suspicion is that the calls are to premium numbers.
Pavost masquerades, by the way, as a stopwatch app.
Download with care.
Other Android capers are being tracked by Trend Micro.
Malware they're calling Godless is rooting smartphones for the most part in India and Southeast Asia,
although a few infections have been reported as far afield as Iran and the United States.
Godless affects Android 5.1, that is, Lollipop,
and has been found in a wide variety of apps, from utilities like flashlights to copies of popular games.
You're always best advised to download Android apps only from the Google Play Store,
but Godless has found its way even into that walled garden.
Third-party apps always pose a particular set of security challenges.
We spoke with Ayse Kaya Firat from CloudLock about their recently published report, The Explosion of Apps: 27% Are Risky.
Two years ago, when we looked into this domain, we have found about 5,500 apps.
This year, at the same time, we found more than 150,000 applications that are connected to corporate cloud environments.
So this is a number that has increased by 30x in the last two years alone.
It's not just the increase in the number of apps that's cause for concern.
These apps give their vendors programmatic access to their corporate data. These applications usually
have very extensive permission scopes, access scopes. They ask for permission to create documents,
delete all of your documents, externalize your documents, calendars, contacts. So they introduce
millions of backdoors into corporate environments. All of these backdoors can easily be exploited as potential gateways for cybercrime.
Third-party apps can be notoriously difficult for IT to track,
and the problem grows even more dangerous when they're being used by highly privileged employees.
Now, the employee might be the CEO of the company,
or they might be a super admin, a super privileged account
that sees all the documents in an environment, who can see passwords for everybody in the
environment.
So a super privileged admin giving credentials to an application, it changed the entire dynamic.
It's not just about the application itself, but it's also about the dynamic, you know,
how it is being used, who is using those applications, etc.
The sheer number of dangerous apps outlined in CloudLock's report makes it daunting for IT departments to try to deal with them on an individual basis.
Based on their research, Ayse Kaya Firat has some suggestions.
What organizations need is to develop a very high-level strategy, and they also need a tactical, very specific application-acceptable use policy
to decide how they will whitelist or ban applications going forward,
a set of criteria.
And this cannot be secret.
This needs to be shared as a vision with the end users
because ultimately the end users are responsible.
They are the ones doing this. And automating workflows after this, so how we are going to identify applications,
how are we going to ban and rework applications in real time has become more important than ever.
That's Ayse Kaya Firat from CloudLock. You can check out the report on their website.
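The advice in this segment (a criteria-based acceptable-use policy, extra scrutiny for grants made by super admins, and an automated workflow that identifies, reviews or bans apps) can be sketched as code. The following is an added example for illustration only; it is not CloudLock's tooling or anything from their report. The scope names, role multipliers, thresholds and sample grants are all constructed here and would be replaced by a real platform's own scope identifiers and the organisation's own criteria.

```python
"""Score third-party cloud app grants against an acceptable-use policy.

Added example, not CloudLock's code. The scope taxonomy, role weights,
thresholds and SAMPLE_GRANTS are constructed for illustration; real
platforms expose their own scope identifiers.
"""
from dataclasses import dataclass, field

# Constructed scope taxonomy: the more an app can do to corporate data, the
# higher its weight. "docs.share_external" mirrors the concern about apps
# that can push documents outside the organisation.
SCOPE_WEIGHTS = {
    "profile.read": 0,
    "docs.read": 2,
    "docs.create": 3,
    "docs.delete": 5,
    "docs.share_external": 6,
    "calendar.read": 2,
    "contacts.read": 3,
    "mail.read": 4,
    "mail.send": 5,
}

# Who granted the token matters: a super admin's token reaches every document
# in the environment, so the same scopes count for far more blast radius.
ROLE_MULTIPLIER = {"user": 1.0, "executive": 1.5, "super_admin": 3.0}


@dataclass
class Grant:
    app: str
    vendor: str
    scopes: list
    grantor_role: str
    user_count: int = 1


@dataclass
class Policy:
    """The written, shareable criteria the segment calls for."""
    banned_vendors: set = field(default_factory=set)
    allowed_apps: set = field(default_factory=set)
    ban_threshold: float = 30.0
    review_threshold: float = 12.0


def risk_score(grant: Grant) -> float:
    # Unknown scopes are not ignored; they default to a mid-range weight of 4.
    base = sum(SCOPE_WEIGHTS.get(s, 4) for s in grant.scopes)
    return base * ROLE_MULTIPLIER.get(grant.grantor_role, 1.0)


def decide(grant: Grant, policy: Policy) -> str:
    """Return 'allow', 'review' or 'ban' for one grant under the policy."""
    if grant.vendor in policy.banned_vendors:
        return "ban"
    if grant.app in policy.allowed_apps:
        return "allow"
    score = risk_score(grant)
    if score >= policy.ban_threshold:
        return "ban"
    # Any grant by a super admin gets a human look, whatever its score.
    if score >= policy.review_threshold or grant.grantor_role == "super_admin":
        return "review"
    return "allow"


def triage(grants, policy):
    """Automated workflow output: (score, decision, app), highest risk first."""
    rows = [(round(risk_score(g), 1), decide(g, policy), g.app) for g in grants]
    return sorted(rows, reverse=True)


# Constructed sample inventory of discovered app grants.
SAMPLE_GRANTS = [
    Grant("Team Directory", "acme-apps", ["profile.read"], "user", 40),
    Grant("DocSync", "syncco",
          ["docs.read", "docs.create", "docs.share_external"], "executive", 3),
    Grant("MailMerge Helper", "mmh",
          ["mail.read", "mail.send", "contacts.read"], "super_admin", 1),
    Grant("Calendar Widget", "shady-vendor", ["calendar.read"], "user", 200),
]

POLICY = Policy(banned_vendors={"shady-vendor"}, allowed_apps={"Team Directory"})

if __name__ == "__main__":
    for score, decision, app in triage(SAMPLE_GRANTS, POLICY):
        print(f"{score:6.1f}  {decision:7s}  {app}")
```

Two design points follow the interview: a low-scope app becomes high risk purely because a super admin granted it (MailMerge Helper lands in "ban" only through the role multiplier), and the vendor blocklist and allowlist are evaluated before any scoring so the written policy, not the heuristic, has the last word.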
Another exploit Trend Micro is following is Mongit, a commodity banking Trojan being served up by the Brazilian mob. We note that Brazilian organized cybercrime may soon be giving the Russian mob a
run for its money. Mongit does the sorts of things you'd expect from a banking Trojan,
basically getting into accounts and making illegal transactions. It's noteworthy that this is being sold in the form of malware as a service,
and so is accessible to criminals who have limited or no technical capabilities.
Ransomware is also still with us, and it, too, is being offered as a service.
Cerber, in particular, is now on offer from Russian organized crime,
and Check Point says that two distinct waves of evolved Cerber
have hit the UK and the US over the past month.
A survey of businesses suggests that most are no longer willing
to consider paying the ransom.
What effect, if any, this shift in attitude will have on the criminal market
remains to be seen.
The big story this week, of course, continues to be the hack
of the US Democratic National Committee.
Despite the best efforts of Guccifer 2.0, including his brief and somewhat high-flown
interview with Motherboard, the smart money is increasingly on Cozy Bear and Fancy Bear,
as CrowdStrike affectionately calls the responsible teams at Russia's FSB and GRU.
Fidelis and Mandiant are in substantial agreement with CrowdStrike on this attribution.
The spore the attackers left behind is too sophisticated for script kiddies, as Fidelis put it.
So what of Guccifer 2.0, the lone hacker who claimed responsibility?
There are several possibilities.
First, he may simply be hoaxing, claiming responsibility for an attack he had nothing to do with. Or second, he may be a false flag, a disinformation operation designed to afford the actual hackers with plausible deniability.
Or finally, he may be a third hacker, having romped in coincidentally with the bears.
This is entirely possible. Some high-profile cyber attacks take on the qualities of a riot,
with several independent actors striking the same target set. CrowdStrike has been darkly suggesting the second, middle option, disinformation, and
since, after all, we're dealing with bears, it seems appropriate to remark that this one
would be just right.
More interestingly, especially for those waiting for more documents to drop, Bloomberg reported
yesterday that unnamed sources tell them
that the DNC hackers, presumably cozy and fancy, also gained access to the Clinton Foundation
systems. Observers expect more files to leak over the coming weeks. We heard a presentation from a
senior NSA official this morning at the Cyber 7.0 conference. Renee Tarun, special assistant to the
Director, NSA, for cyber and deputy chief
of the NSA's Cyber Task Force, spoke at length about the threat nation-states pose to critical
infrastructure. She specifically discussed Russia, China, Iran, and North Korea, and she wasn't
telling tales out of school, since these are the same threat actors U.S. Director of National
Intelligence Clapper has singled out in recent congressional testimony. Her two sample cases were the now-famous Bowman Avenue Dam hack in Rye,
New York, and December's takedown of a portion of Ukraine's power grid. Industry observers note
increasing worry about industrial control system security across many sectors, with the power
industry particularly concerned about a repetition of the Ukraine hack, this time in North America.
Consensus on that likelihood is a soft, well, maybe, probably, or at least maybe, but the concerns are widespread.
Other forms of infrastructure present their own distinctive attack surfaces.
We spoke about those in the transportation sector with Charles Clancy, director of Virginia Tech's Hume Center.
We'll hear from him after the
break. In industry news, analysts assess the needs of the cyber insurance market.
Traders are looking at the prospects of bellwether publicly traded security companies,
especially those who, like Cisco and Symantec, have recently made acquisitions, and those who,
like FireEye, have recently declined to be acquired. Venture capital is also active, as behavioral
analytics shop LightCyber gets $20 million in Series B funding.
Finally, let's return to the problem of attribution for a moment. It strikes us that this is often done the way Obi-Wan Kenobi would do it. It's a small step from "this code, too sophisticated for mere script kiddies, only nation-states are so capable," to "these blast points, too accurate for sand people, only Imperial stormtroopers are so precise."
Now if you could only see if they hacked in single file to hide their numbers, then we'd really have something.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And I'm joined once again by Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology.
They're part of Virginia Tech.
Dr. Clancy, I know one of your areas of research is dealing with some of the cyber challenges regarding transportation.
Indeed.
As we see the growth of autonomous vehicles and certainly connected vehicles right now,
there's a growing risk of cyber threat to those vehicles, principally due to the interconnectedness of them.
Previously, your car was not connected to the cloud, and now it is.
And once that connection's in place, it creates a threat vector.
So what are some of the specific dangers involved with vehicles?
Well, I think most people probably saw the report a couple months ago
about the group that hacked the Jeep.
And Wired had an article on it showing that they could hack in via the cellular interface
and cause a Jeep to drive off the side of the road.
Obviously, concerns like that are significant.
There's also a wide range of privacy concerns.
If hackers are able to access the microphones in your cabin of your vehicle, for example, and be able to listen in on conversations, there's significant privacy concerns as well.
And it's not just with autos. There are concerns with aviation as well.
Indeed, there have been a number of well-publicized reports recently about people proposing that they can hack into different segments of, in particular, the civil aviation ecosystem, whether it's air traffic control systems or individual aircraft.
So we have a research portfolio at Virginia Tech that's looking specifically at things like air traffic control
and how we might make the next generation air traffic control systems more secure against such attacks.
That ecosystem is being complicated significantly by the growth of UAVs
and the intersection between the civil aviation and the UAV ecosystem.
Obviously, many of these UAVs are relatively unsophisticated devices and have cyber threats of their own that need to be contended with.
All right, Dr. Charles Clancy, thanks for joining us.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.