CyberWire Daily - Daily: It walks, it talks, it reports to Shanghai. Locky takes a run at US Army Cyber Command. CrySis decrypted. SpamTorte 2.0 is out. Adults should be warned off by "adult."

Episode Date: November 15, 2016

In today's podcast we hear about a backdoor Kryptowire has found preinstalled in some Android phones. We speak with Ryan Johnson, the researcher who discovered the vulnerability. The Locky ransomware takes a run at US Army Cyber Command. CrySis ransomware is decrypted. SpamTorte 2.0 is out, and it's thinking big. A Trojan may be implicated in the Tesco fraud campaign, and it may have more banks in its crosshairs. Emily Wilson from Terbium Labs shares the findings of their latest report on the Dark Web, and Ping Identity's Pamela Dingle explains the Digital Transformation Journey. And watch out for the AdultFriendFinder-themed spam that will follow in the breach's wake.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:00:59 Kryptowire finds a backdoor in some Android phones. Locky ransomware takes a run at the U.S. Army Cyber Command.
Starting point is 00:02:06 CrySis ransomware is decrypted. SpamTorte 2.0 is out and it's thinking big. A Trojan may be implicated in the Tesco fraud campaign, and it may have more banks in its crosshairs. And watch out for the AdultFriendFinder-themed spam that will follow in the breach's wake. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, November 15, 2016. We've heard a lot in recent months, more than anyone in a better world would like to hear,
Starting point is 00:02:40 about Russian cyber operations. Today we'll hear about another nation's threat actors, whether commercial, criminal, or state intelligence service is so far unclear. Security company Kryptowire has discovered a significant vulnerability that affects many Android devices, especially prepaid or burner phones. Essentially, pre-installed Adups software amounts to a backdoor that collects text messages and ships them every 72 hours to an address in China. Adups software enables phone manufacturers to provide remote firmware updates, and according to Kryptowire, this isn't a bug inadvertently introduced into the software, but rather a deliberate installation.
Starting point is 00:03:20 Shanghai Adups Technology Company, which according to the New York Times, claims its product is in some 700 million devices, says Adups enables them to monitor user behavior for a Chinese phone manufacturer. Two of its larger clients are Huawei and ZTE. The software wasn't intended to have that functionality in U.S.-built devices. One U.S. manufacturer, BLU Products, says it's updated its software to eliminate the backdoor from the 120,000 BLU phones affected. Whether the backdoor is a data-scraping tool
Starting point is 00:03:54 intended for commercial marketing or a state-directed espionage is unclear. Adups's attorneys characterize it as the former and tell the New York Times that, quote, this is a private company that made a mistake, end quote, and not a business that's affiliated or colluding with the Chinese government. We spoke with Ryan Johnson, the Kryptowire researcher who discovered the vulnerability. So I usually like to take a look at what comes installed on the system image, and I noticed there were essentially two applications. One is com.adups.fota and the other is com.adups.fota.sysoper, and those two were communicating. So I noticed in
Starting point is 00:04:37 one of the content providers it would provide access to the call log as well as the text messages. So I thought that was a little strange. So it was essentially like a wrapper. So usually you would provide your own content, but this was once you would query it, it would query the phone calls and the text messages and also allow you to write files and read files. And it was open to any app on the phone.
Starting point is 00:05:04 Once I saw that it was providing that, I looked to see what other applications were accessing it, because it seems strange just to have that there out in the open. I noticed it was when you plug in the phone or when there's a connectivity change broadcast intent. So like when you leave a Wi-Fi network or come on a Wi-Fi network, it would send this out, and the data was eligible to be sent out every three days. And then once I saw that, looked at the URL, did an nslookup for it, saw that it was a server in Shanghai, China. It was pretty concerning once I saw that. And it was sent out in an HTTP POST where it was actually like a zip file in the
Starting point is 00:05:46 form data. So it could just extract that. And that was over HTTPS. And then also, at least for the text messages, there was further encryption being used to conceal the actual content of the text message, which the key was hard-coded as as well as the IV, so that was extracted. And then from there, you can see the actual body of the text message. And it also has the number, so they can see essentially who you're texting and who you're calling. That's Ryan Johnson from Cryptowire. We'll be sure to have more on this story as it develops. State espionage services are,
Starting point is 00:06:26 of course, active in many ways, as electronic capabilities and the lives of people online are assimilated to traditional espionage tradecraft. Motherboard reports that intelligence agencies, their lead example comes from Brazil, are making foreseeable, and as Motherboard puts it creepy, use of various social media platforms for traditional ends of infiltration, compromise, and recruitment. Ransomware continues to circulate. This week, U.S. Army Cyber Command reports that some of its personnel have been receiving phishing emails carrying Locky ransomware payloads. There's some good news, however, on the ransomware front. Over the weekend, Kaspersky released decryption codes for the CrySis ransomware family.
Starting point is 00:07:08 Bravo, Kaspersky. Verint has seen a new variant of Spamtort, an advanced multi-layered spambot, circulating in the wild since 2014. Spamtort 2.0, as it's inevitably being called, operates with several command and control servers compromised through vulnerable WordPress and Joomla extensions. It's using several thousand spam mailers, compromised websites, and incorporates features that enable spam campaigns to be more efficiently conducted.
Starting point is 00:07:37 Observers continue to harrumph about how Tesco ought to have known better, that it should have done more to prevent it. Maybe so, but even if you think your security's pretty solid, bankers, well, don't get cocky, kid. ESET says that the Retefe Trojan was involved in Tesco Bank fraud. Retefe, usually spread via malicious email, configures a proxy server for man-in-the-middle access to traffic between customers and their online account.
Starting point is 00:08:03 It also installs a bogus root certificate to fend off warnings of interaction with a spoofed site, and it has a mobile component that intercepts passcodes to subvert two-factor authentication. ESET believes other banks are being actively targeted with Retefe. Security vendors have begun their holiday season warnings for online shoppers. Black Friday, the traditional start of the doorbuster shopping season, is less than two weeks away. We'll have occasion to share some of that advice in upcoming podcasts. In the meantime, you can read the advice on offer in today's issue of the Cyber Wire.
Starting point is 00:08:39 There's that old saying about the only constant in this world being change. For many in the security biz, part of that change is deciding how much, if any, of your data and services to move to the cloud, and how to make it possible for your users to access what they need on an expanding array of devices. We checked in with Pamela Dingle, Senior Technical Architect at Ping Identity, for her take on how companies are handling these challenges. They call it the digital transformation journey. The idea is to not just move your business into new technology paradigms,
Starting point is 00:09:16 but to embrace those paradigms and to change the ways that you do business to actually leverage these new capabilities of new technologies. So digital transformation is not new. Anyone who's been in the business for a long time has seen initiatives to, you know, take advantage of mobile, to take advantage of, you know, this new web 2.0 thing that came out a while back. But what's happened right now, of course, is that because we have these incredible, stable, elastic platforms, and we also have these changing user paradigms of tablets and mobile phones and all of these amazing things, the juxtaposition of those two things has meant that everybody is thinking about what it means to move their infrastructure to the cloud and transform it at the same time to leverage the abilities of the cloud. That's half of it. And then the other half is the front end pieces,
Starting point is 00:10:11 the user experience pieces. Those are moving to a device and anywhere device type of paradigm. So when we're talking about a digital transformation, what part does security play in that? It plays a massive part. I don't believe that this kind of digital transformation would even be possible or advisable, except that there is a heightened security awareness today. So if you can imagine people trying to do what we're doing now, even a decade ago,
Starting point is 00:10:40 you would end up with silos of information and you wouldn't be able to talk to anything and you wouldn't have any visibility into what's going on. But because we have really good security infrastructure around how to manage the front door of a lot of corporate infrastructures or customer facing infrastructures, we have the ability to execute or at least maintain some control over how people are using resources that might now be splayed across various platforms and using various paradigms on the internet. I'm excited about the fact that it doesn't matter how so much anymore. It only matters that what
Starting point is 00:11:20 you do is well audited, that you're watching it properly, and that you've got a decent risk profile as to why you're doing things the way you're doing them. That's Pamela Dingle from Ping Identity. The Digital Transformation Survey report is available on their website. In industry news, Nehemiah Software acquires Siege Technologies, specialists in forecasting attacker capabilities. Finally, a U.K. court has approved Lori Love's extradition to the U.S. where he'll face hacking charges. And if Ash Carter has his druthers, there'll be no 11th hour pardon for Edward Snowden as President Obama prepares to leave office. It's safe to say that Mr. Snowden isn't exactly flavor of the month with the U.S. Defense Secretary. Predictably, adult-friend-finder-themed spam has begun to appear.
Starting point is 00:12:13 Warn those 339 million friends of yours who were incautious enough to avail themselves of that service that they'll have other worries soon enough. We note with regret that some 78,000 of the compromised accounts are U.S. military addresses. We've said it before, and sadly we have to say it again. Straighten up and fly right.
Starting point is 00:14:06 And joining me once again is Emily Wilson.
Starting point is 00:14:38 She's the Director of Analysis at Terbium Labs. Emily, welcome back. You all have a new report out called The Truth About the Dark Web, Separating Fact from Fiction. Take us through the report. What kind of stuff did you find? So yeah, we've been working on this report for the last few months, and kind of basic overview of the report. We did a
Starting point is 00:14:54 random sample of Tor hidden services, and kind of took a look at the proportion of different content types on the dark web. And kind of the most interesting thing to come out of that, contrary to popular opinion, types on the dark web. And kind of the most interesting thing to come out of that, contrary to popular opinion, is that the dark web is mostly legal,
Starting point is 00:15:09 to the tune of 55%, we saw. Of that 55%, that's made up of both kind of normal legal content and then what we called explicit content, so perfectly legal porn. And that's just not something you hear about very often. People are quick to talk about how the dark web is a place full of danger and crime and drugs. And that's definitely true. It's just only half of the story.
Starting point is 00:15:33 But just because something on there is legal, that doesn't mean that it's not problematic. Potentially, definitely. And I think that's one of the struggles that we have as analysts is looking at material and trying to determine whether or not it's potentially damaging. And that can come in many forms, right? So is it slander that's technically legal? Or do you have someone who's discussing proprietary information that they either shouldn't have access to or that they shouldn't be discussing? to or that they shouldn't be discussing. You know, that's one of the reasons that we kind of try to remove a lot of the human analysis from the work that we do and focus on being a data company is to avoid situations where we may overlook something that may actually be important,
Starting point is 00:16:13 because unless you're the organization involved, you really don't know what can be sensitive. And is that driven by the fact that a lot of people are on here anonymously? And is that driven by the fact that a lot of people are on here anonymously? Absolutely. You know, the kind of tour hidden services by their nature are anonymous and people by and large will choose not to identify themselves. There's really no benefit in providing information about your identity. You might say, I work in health care or you might say, I work in technology, but there's a very broad definitions.
Starting point is 00:16:45 Health care can be manufacturing. It can can be retail it can be pharma if you work in technology you could be doing everything from you know working at kind of a technology retailer up to working on very sensitive kind of technological advancements at you know an intelligence institution and people are quick to build their own reputation but there is a fine line between establishing yourself as an authority in a space and avoiding giving too much away about yourself. I think a good rule of thumb here is that anyone who wants to go on the dark web and announce that they have a secret probably doesn't, unless they are, you know, you're dealing with people who are more prolific in this space,
Starting point is 00:17:25 people who have built up a reputation over time. Someone who says, you know, take a look at this space at 11 o'clock tomorrow morning, you're probably going to listen to them. So it's more subtle than that. It's more subtle. You know, if you need to say that you have a secret, do you really have one? Yeah. Emily Wilson, thanks for joining us.
Starting point is 00:17:43 The report, The Truth About the Dark Web, Separating Fact from Fiction, can be found on the Terbium Labs website.
Starting point is 00:18:43 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
