CyberWire Daily - Daily: Buhtrap raked in the rubles. Dridex is back. So are Stagefright and Rowhammer.
Episode Date: March 18, 2016
More on Buhtrap and its sophisticated spearphishing of Russian banks. There are more reasons (as if they were needed) not to jailbreak your iPhones and iPads. Also, stay away from "adult" apps on your... Android. And we hear from the University of Maryland's Ben Yelin, who brings us up to date on the lingering fallout of the Snowden leaks.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
More on Buhtrap and its sophisticated spear phishing of Russian banks. They may have failed to snag a billion rubles in one caper, but they did get 600 million. We'll hear more reasons not to jailbreak your iPhones and iPads, and still more reasons not to download adult apps on your Android. And we hear from the University of Maryland's Ben Yelin, who brings us up to date on the lingering fallout of the Snowden leaks.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Friday, March 18, 2016.
The Russian cyber mob that impersonated FinCERT now has a name, Buhtrap, and a tally sheet. Thirteen banks hit since August, with their biggest single take being 600 million rubles. That's just over $8.5 million. Group-IB has been reporting on the incident. Losses in smaller regional banks were particularly heavy, although the biggest single attempted theft, to the tune of a billion rubles, was foiled when a typographical error in the email aroused suspicions. The exploit proceeded roughly like this. Once the mark bit on the emailed phish bait, convincingly spoofed FinCERT communications, the malware payload then exploited the automated bank customer system that connected to the regulator. Dmitry Volkov, the head of Group-IB's Cyber Intelligence Department, explained that this system is a highly critical one for Russian banks. Drawing a comparison to a comparably important American system, he told Bloomberg, quote, "This is the same as if hackers were to get access to the SWIFT system at Citibank, for example," end quote.
Proofpoint's warning earlier this week that Carbanak is back suggests that other segments of the Russian criminal underground remain active against the financial sector. Trend Micro points out that notorious revenant Dridex is also active and bothering banks, despite the many takedowns the criminal botnet has suffered.
Various outlets say that FireEye has given the Indian government a report detailing extensive cyber espionage campaigns by actors based in Pakistan. It's unclear from media reports so far whether the attacks are state-run or state-inspired, hacktivist or criminal, or some mix of all these. The campaign is said to involve distribution of Seedoor malware through email attachments. The targets are reported to be Indian military and government personnel, as well as Pakistani dissidents. Again, the target set is consistent with the interests of a range of possible threat actors.
AceDeceiver, the iOS vulnerability Palo Alto Networks described this week, should give users another good reason not to jailbreak their iPhones or iPads, as if sensible, ordinary users needed any good reasons to leave well enough alone. There's some evidence that AceDeceiver could affect non-jailbroken iPhones, but you, user, would really have to work at installing a pretty obviously dodgy app to suffer an infection. Wired puts the issue into perspective with a quotation from security researcher Jonathan Zdziarski. In its current form, Zdziarski says, this isn't dangerous except to the exceptionally stupid. The real risk, as Palo Alto has pointed out, is that AceDeceiver's clever tricks might be integrated into some future exploits that could draw in the normally bright as well as the exceptionally stupid. In the meantime, don't jailbreak your devices.
Speaking of dodgy internet stuff and reckless users, Zscaler would like everyone to know that you're shooting dice with malware when you download what appears to be a player for what we, being a family show, will delicately call adult content. It's a Chinese-named app, but consumers of adult content tend to be visually oriented anyway, so Chinese characters aren't likely to put off even those more accustomed to Roman, Greek, Cyrillic, Hebrew, Arabic, etc. Again, just stay away.
The Stagefright vulnerability may prove to be realistically exploitable after all, according to NorthBit, which describes a proof of concept attack that the security company says could readily work in the wild. Google closed Stagefright bugs in response to Zimperium research, but unpatched devices remain vulnerable. Rowhammer, another vulnerability from the past, may also be riskier than long thought. Third I/O research suggests that bit flipping might indeed work against dual inline memory modules.
The black market continues to act like a market as supply and demand meet opportunity. The ready availability of cheap Steam stealers is driving a long-running uptick in criminal hijacking of Steam gaming accounts.
Observers think the FBI is more worried about precedent than a single iPhone's contents in the dispute with Apple. The Bureau, say many, is concerned that encryption really will enable criminals and terrorists to go dark, but their arguments still aren't convincing Apple supporters that weakened encryption wouldn't prove to give criminals and terrorists a large net advantage.
NSA looks back on the last three years of Snowden leaks, and while the agency still feels the pain, that pain's getting duller with time. We had a chance to talk about this with Ben Yelin from the University of Maryland Center for Health and Homeland Security, considering whether the passage of time has made the Snowden revelations less relevant. We'll hear from him after the break.
And finally, we're still two weeks short of the April 1st H-Hour, when Anonymous intends to kick off its actions against U.S. presidential candidate Donald Trump. But some of the hacktivists may have crossed the line of departure prematurely. People claiming to be from Anonymous have posted phone numbers and PII they claim belong to Donald Trump. But disappointed tweeters say their texts to the number seem to have just wound up in a full mailbox somewhere. Where's the Anonymous help desk when a social media Joe Sixpack or Janie Lunchbucket slacktivist needs one? The disappointed tweeters were hoping to hear the Donald tell them, "You're fired." Alas, no joy.
Maybe later.
I want to welcome to the Cyber Wire podcast Ben Yelin. He's a senior law and policy analyst for the University of Maryland Center for Health and Homeland Security. Ben, welcome to the show.
Thanks so much for having me.
I want to talk about the fallout from the Edward Snowden spying revelations. There was an interview on NPR recently with Richard Ledgett, the NSA's deputy director, and he said that the fallout from the Snowden leaks isn't over, but the information is getting old.
I think there's a lot of truth to what Mr. Ledgett is saying there. For one, one of the major programs that Snowden uncovered was the Call Detail Records Program under Section 215 of the USA Patriot Act. So the act itself actually was about business records. It allowed the FBI to compel companies to turn over business records that were relevant in an ongoing terrorism investigation. What we didn't know until the Snowden disclosures is that that law was being used to justify the bulk collection of phone metadata. So phone metadata includes not the content of the conversation, but who made the call, who received the call, the duration, etc. That program has since been repealed as of this past November and replaced with a new program, the USA Freedom Act. So in one sense, one of his major two revelations is the program is no longer active. So that's one aspect of the disclosures maybe going stale a little bit. The other aspect, and for the program that hasn't since been amended, which is the content of communications under Section 702 of the FISA Amendments Act, the NSA has been able to switch some of its methods and tactics, I think, largely just with the passage of time. It's been three years. I think they've been able to adjust tactics knowing what information has now been released to the public. Three years is a long time, especially when we're talking about signals intelligence, where the technology itself changes so drastically over a short period of time that the methods, even without the disclosures, are going to necessarily have to change.
We'll hear more from Ben Yelin on the Snowden leaks in our Friday Week in Review podcast later today.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.