CyberWire Daily - Daily: Cybercrime campaigns. States hope ISIS overplayed its violent hand. No indictment of Clinton over email.
Episode Date: July 6, 2016
In today's podcast we hear about Yingmob's HummingBad Android malware, what it's up to and where it might be headed. We also learn about Eleanor, a Mac OS-X backdoor masquerading as a document conversion app, and we hear about the shifting form of the pseudo-DarkLeech ransomware campaign. The ThinkPwn zero-day may have a wider scope than originally thought. Observers wonder whether ISIS may be overplaying its bloody hand, and, of course, we find out what the FBI concluded in its investigation of former Secretary of State Clinton's emails. Joe Carrigan, from the Johns Hopkins University Information Security Institute, reminds us to take care when setting up a new router.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

Eleanor and pseudo-DarkLeech are also circulating in cyber-criminal circuits. The ThinkPwn zero-day has a wider scope than previously thought.
Industry notes and responses to ISIS attacks, inspiration and command and control. The FBI closes its investigation into the former Secretary of State's emails. No indictments, but some harsh words for State and its former leader.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 6, 2016.
Many security types are mulling the significance of HummingBad, an ad fraud campaign that's believed to have infected some 85 million Android devices worldwide. The infestation amounts to something of a pandemic in the Android population. According to researchers at Check Point, HummingBad is a criminal operation that's bringing in some $300,000 a month for the Chinese Yingmob. According to Check Point, HummingBad has been installed by drive-by download. Adult sites were also common infection vectors. Once exposed, HummingBad first deploys a rootkit able to exploit several vulnerabilities. Should the rootkit fail to establish access, HummingBad delivers a fake system update notification, which often succeeds in duping victims into granting the attackers system-level permissions. Fortune and others characterize Yingmob as an ad firm, which seems right, if not particularly exculpatory. While HummingBad at present seems to be sticking to its click fraud last, observers worry that the malware could easily be turned to other uses. Infected devices could easily be herded into a botnet, for example, and the surveillance potential of Yingmob's product has surely not escaped the usual array of state and non-state actors. Many conclude that Yingmob would welcome fresh market opportunities.

Bitdefender reports having found a new strain of Mac malware. They're calling it Eleanor and say it's downloaded under the guise of a bogus document conversion app, EasyDoc Converter, which the unwary download. Needless to say, EasyDoc Converter doesn't convert docs or do much of anything else beyond opening a backdoor in infected OS X devices. Eleanor checks its potential victim for Little Snitch, a Mac OS X application firewall, and also for previous Eleanor infections. If it finds neither, infection proceeds, installing a Tor hidden service, a PHP web service, and a Pastebin agent. Bitdefender doesn't say what the malware's purpose is, but it could easily be used for data theft or spamming. Bitdefender does note that EasyDoc Converter isn't an app that Apple signed, so as always, download outside the app store only with extreme caution.

The ThinkPwn zero-day, which poses a controversial but non-negligible risk, has been found to have a wider scope than first believed. Originally held to affect UEFI drivers on laptops, mostly Lenovo but also HP, it's now been found in the firmware of motherboards sold by Gigabyte. There's no fix out yet, although security analysts seem to think Lenovo may be, or should be, working on one.
Pseudo-DarkLeech, the campaign Sucuri discovered in March 2015, continues morphing to evade detection. SANS says the ransomware campaign has eliminated large blocks of telltale code and shifted the exploit kit it uses from Angler to Neutrino. Angler, as we've seen, has essentially disappeared from the crimeware toolbox. Researchers are keeping an eye out for its potential return in some revenant form.

These retail threats are the sort of thing any ordinary user might be concerned about. We've often heard about the importance of backing up your data to protect yourself against the most serious consequences of a ransomware attack. Today we hear about another way of protecting yourself or your business, what you should consider when choosing and setting up a router. The Johns Hopkins University's Joe Carrigan shared some advice with us, and we'll hear from him after the break.

In industry news, Symantec's stock price enjoyed a strong June surge, driven principally by investor optimism over its $4.65 billion acquisition of Blue Coat. Shares rose by more than 18%. In the UK, startup Darktrace picked up $64 million in its latest funding round. The investors were led by KKR. Existing investors Summit Partners and new investors 1011 Ventures and SoftBank also participated. The funding puts Darktrace almost halfway to unicorn status.
Turning to conflict law and politics, many observers think ISIS's end-of-Ramadan wave of massacres may have gone too far. States opposing the self-proclaimed caliphate, notably France, are revising their intelligence approaches to counterterrorism, but it remains unknown whether murder displayed online is losing its appeal to the caliphate's core demographic of the disaffected in search of transcendence. While ISIS-controlled territory continues to shrink, the group has shown no decrease in its ability to inspire lone wolves, and the recent round of attacks has led many analysts to conclude that ISIS has shown a new ability and propensity to directly control and coordinate terrorist cells.

In the U.S., the FBI yesterday declined to recommend indictment of former Secretary of State Clinton for mishandling classified information. FBI Director Comey said in an unusual public statement that former Secretary Clinton and her associates did indeed mishandle such, and that foreign intelligence services probably gained access to her private emails. But, the director said, other elements that would normally warrant prosecution were lacking. Comey said, quote, "In looking back at our investigations into mishandling or removal of classified information, we cannot find a case that would support bringing criminal charges on these facts. All the cases prosecuted involve some combination of clearly intentional and willful mishandling of classified information."

Beyond the decision not to recommend indictment, the Director's statement hardly constituted a letter of recommendation, citing, as it did, extreme carelessness in handling classified information. The FBI also had some starchy words for the State Department, finding State's security culture a lot more loosey-goosey than the culture prevailing elsewhere in the federal government. Given that the federal government includes, for example, OPM, well, we note in fairness that the State Department publicly dissented from that assessment in its own statements.
And joining me once again is Joe Carrigan from the Johns Hopkins University
Information Security Institute. Joe, we're talking about setting up a new Wi-Fi router in our house. What are some of the basic security steps that we need to take to make sure that that router is secure as it needs to be?

First thing you need to do is when you connect to this router, you go into the web interface and you change the admin password from the default. That is paramount importance because it's very well known what these admin usernames and passwords are. And if someone can get on your network and you haven't changed that, they can do whatever they want to your router.

It's remarkable how many people don't do that and keep, you know, usually it's admin password or the username and default password, right?

Right. Yeah. And it's very common. There's a lot of times where things are just even not necessarily routers, but say IP cameras that just have outward facing IP addresses that have the default username and password on them. So there's some other settings you should go in there and check. You got to make sure your encryption is turned on.

Correct.

You got to make sure that your Wi-Fi encryption is turned on and set to something better than WEP. That's already been cracked. And I think there are tools that can do it in 45 seconds, depending on your processor speed and how much time and bandwidth you have. Also, I changed the password to access the network. Make sure the password to access the network is not the same as the one that's printed on the outside of the router.

Oh, right, right, right. Because the most, particularly from your cable provider that come with a password printed on there.

Right. Like I have a Verizon router and the Wi-Fi password for the default settings is printed on the outside of that router.

And also, what about controlling inbound traffic? That's something you want to check out, right?

Right. Yeah, exactly. You want to keep that turned off. You want to make sure that there's no way for somebody to access the web interface to manage that router from the outside. Most of the routers I've seen in setting up these routers for myself and my family, that's disabled by default. You can't access the management interface from the outside. But you can enable that, and I would recommend you don't enable that because you really don't need to manage your home Wi-Fi network from work.

Right, right. And, you know, some of these things, they are sort of basic things, but it's remarkable how often people don't think of them. They overlook them or they're just in a hurry and don't bother to change them. So it's a good reminder.

Yeah, take the time to make it right.

All right. Joe Carrigan, thanks for joining us.

Thank you. My pleasure.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.