CyberWire Daily - DarkHotel is back. So is Necurs, and it's distributing a modular malware dropper. Industrial espionage follows international trade. Election meddling. The use and abuse of data.
Episode Date: August 20, 2018

In today's podcast, we hear that an evolved DarkHotel campaign is under way. A new malware dropper is out and about thanks to the Necurs botnet. Researchers demonstrate proof-of-concept exploits. Cyber espionage follows trade. Notes on election meddling. Google and Facebook encounter some regulatory and legal headwinds over data collection. Connected cars know a lot about their drivers, and there's money in those data. Robert M. Lee from Dragos on the notion of cyber attacks as a distraction. For links to all today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_20.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
An evolved DarkHotel campaign is underway. A new malware dropper is out and about thanks to the Necurs botnet. Researchers demonstrate proof-of-concept exploits. Cyber espionage follows trade. Notes on election meddling. Google and Facebook encounter some regulatory and legal headwinds over data collection. And connected cars know a lot about their drivers, and there's money in those data.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 20, 2018.
Trend Micro, seconded by Qihoo 360, reports that North Korean operators are exploiting a vulnerability in the VBScript engine to compromise targets in Pyongyang's DarkHotel campaign. DarkHotel is related to DarkSeoul, and thence to the 2014 Sony Pictures hack, which the US FBI unambiguously attributed to attackers working for the North Korean government.
Researchers at Proofpoint warn against a new malware strain, Marap, which is being distributed in a large spam campaign run through the Necurs botnet. They noticed the campaign on August 10th and have been tracking it since. The malicious payload is being distributed in email attachments that include Microsoft Excel web query files (.iqy files), password-protected zip archives that also contain .iqy files, PDFs with embedded .iqy files, and finally, Microsoft Word documents with maliciously crafted macros.
Marap is a malware dropper, and it shows some interesting evasive capabilities. It uses API hashing, which isn't uncommon, but which can make it more difficult for analysts and automated tools to determine that the code is in fact malicious. It also runs timing checks at the onset of important functions. These can impede both debugging and sandboxing. If the sleep time Marap detects is too short, the program exits. It will also exit if it determines that it's being run in a virtual machine. The current campaign seems directed largely against the financial sector. Marap, being a dropper, can be used to deliver a wide range of modular payloads to infected targets. One of the more notable payloads Proofpoint has observed is a system fingerprinting module that collects and returns data to the command and control center. Those data include username, domain name, hostname, IP address, language, country, Windows version, antivirus software detected, and a list of Microsoft .ost files.
Two noteworthy proofs of concept have been reported.
Researchers at Secarma have described a PHP exploit that could be used against a variety of content management systems, including WordPress. And Georgia Tech researchers have demonstrated a new side-channel attack that could extract encryption keys from mobile devices without requiring physical access to the device itself. Again, these are demonstrations, not attacks observed in the wild, but the vulnerabilities they exploit will bear watching.
Turning to cyber espionage, it appears that being a trading partner with China doesn't put you on any do-not-hack list in Beijing, or Shanghai either, for that matter. In fact, just the opposite seems to be the case. Frequency and intensity of Chinese industrial espionage, in fact, seem to correlate fairly directly with trading relationships. This, at any rate, is the lesson observers are drawing from Recorded Future's report last week on Chinese cyber activity. A great deal of such activity is associated with countries involved in the Belt and Road Initiative, a trade strategy to develop a maritime silk road that would connect Chinese industry with partners in several belts across Eurasia. Malaysia is among the countries reporting that it's seen an uptick in Chinese cyber activity directed against economically relevant targets.
Industry seems not to be buying the Australian government's contention that the country's new cybersecurity regulations won't amount to the equivalent of mandatory backdoors. The Digital Industry Group rejects claims that the draft bill won't require communications companies to build weaknesses into their products. They think that the sort of technical capability notice the law requires would in fact amount to a requirement to create weaknesses on the government's demand.
Dissatisfied with voluntary moderation, the EU is preparing anti-terror measures that will require social networks to yank radical content within an hour of notification. Twitter confessed recently to having no good ideas on how it might do rumor control, and the European legislators are unlikely to exhibit much American squeamishness about restricting freedom of speech.
Russia appears likely to continue to attempt to influence U.S. elections, the Atlantic Council and others warn. U.S. National Security Advisor Bolton says it's not just Russia either. The other three members of the familiar four, China, Iran, and North Korea, are interested in elections too. Techniques vary. Russia favors media amplification of disruptive memes, China seeks influence through think tanks and universities, and Iran and North Korea are probably building on past hacking successes.
So has data become an attractive nuisance for companies? Sure, there's money to be made there, but they certainly come with their share of headaches. Google's turn-offable but easily overlooked location tracking is one example. It seems poised to draw regulatory attention from the U.S. Congress. And witness Facebook, again in a bit of legal and regulatory hot water over the powerful data collection and aggregation tools it offers marketers. There's a lawsuit pending against Facebook, filed by people who claim that the social media giant's collection and analysis of data has enabled housing discrimination. The U.S. Department of Justice is effectively supporting that suit, having joined fair housing groups' attempts to block Facebook's efforts to have the lawsuit dismissed. In a separate but related action, the U.S. Department of Housing and Urban Development has begun the process of lodging a complaint against Facebook for violating the Fair Housing Act by creating advertising tools that facilitate discrimination on the basis of race, gender, zip code, or religion, or whether a potential renter has young children at home or a personal disability.
As the Washington Post characterizes the controversy, the moves by HUD and Justice, quote, mark an escalation of federal scrutiny of how Facebook's tools may create illegal forms of discrimination, allegations that also are central to separate lawsuits regarding the access to credit and employment opportunities, which, like housing, are subject to federal legal protection. The federal actions also suggest limits on the reach of a key federal law, the Communications Decency Act, that long has been interpreted as offering technology companies broad immunity against many legal claims related to online content. End quote. Facebook says it's no place for discrimination, that it's aware of HUD's statement of interest, and that it looks forward to working with HUD to address the department's concerns.
Yet other opportunities for data collection and monetization continue to arise. Smart cars, for example, know an awful lot about their drivers. Companies perceive gold in them thar data, and it seems that this sort of information is about to succeed free services like Google and Facebook, as the Klondike succeeded Sutter's Creek. Newer models, and these are cars on the streets now, not those newfangled Jetsonesque robot cars so much talked about, collect a lot. A partial list from the Wall Street Journal of the systems now developing data: odometer, ignition, engine status, engine temperature, RPM, oil level, gear position, coolant temperature, fuel and battery levels, GPS, speed, LIDAR, camera, brake, wheel position, horn, seatbelt, airbag, doors, tire pressure, blinkers, and wipers. The initial uses are thought to be in improving safety, driver experience, and so on. But insurance rate incentives are following closely behind. And of course, there's thought being devoted to delivering in-car advertising. One hopes Detroit, and Nagoya, Stuttgart, and Milan too, for that matter, watches the experience of Google and Facebook closely.
And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. You had an interesting series of tweets recently. You were talking about the debate on coal, the importance of having a diverse energy portfolio. But one of the things you dug into was this notion that cyber is often thrown in as an excuse for decisions, and sometimes that can throw people off the direction where they should be headed. What do we need to know here?
Yeah, absolutely. So in this case, there was a debate about coal and on nuclear energy, and I think that those two also should not be lumped together. They're very much different things. But the discussion came out from the Department of Energy to talk about the need for diverse energy portfolios, which is a completely fair topic. Anytime that you're producing a lot of electricity for any purpose, like the American power grid, you very much want to know that you can draw energy from lots of different sources. And so there's a debate right now on if keeping coal around is useful to the resiliency of the North American power grid. And I think there are pros and cons and lots of discussions going on. I think that the grid tends to be far more resilient than people make it out to be, but that's a debate that people can have.

My only sort of quip into that was when people started throwing in the discussion of cybersecurity. And one of the positions taken by various senior officials was, well, we need to keep coal around because what happens if a cyber attack happens? And we need to have the ability to use coal to pump energy into the grid because of cyber. And my perspective on that is simple, where you have to think of the risk to your infrastructure a little bit more holistically and not just flavor the discussion of cyber. It's not that it's technically inaccurate. It's not that we don't want to think about cybersecurity. But it's that the answer isn't bound to a cybersecurity-related task. Whether or not we keep coal around really has nothing to do with cybersecurity because we adapt, we change, we come up with different methods to do protection and defense. And it's kind of just this topic that gets thrown around a lot, especially in D.C., because it perks people's ears up. And nobody wants to vote against or petition against the choice that leaves us less cyber secure. And it's kind of this distractionary tactic that I think we need to be very careful to call out and move away from.
And who are the people who bring it up? I could be cynical here and say, is it the folks who have a vested interest in the cyber?

Yeah, I think it happens by a lot of different parties. And I'm not so willing to say that anybody's being malicious. I mean, I would happily call people out when they are. I feel that people who know me would know that I would absolutely burn people to the ground on a Forbes article or something. But that's not what I'm seeing here. I'm seeing various folks on both sides of the discussion positioning, including the ones that have a vested interest, positioning around cybersecurity because they've been reading headlines and talking about cybersecurity. They're concerned about it, especially for the ones that don't necessarily understand it very well or aren't as technical. And they're seeing all this discussion of threats, and it's completely natural to say, hey, well, what about cybersecurity? But that's where we need to get and educate folks and move the community away from the fear, uncertainty, and doubt aspect of this discussion and more of where cyber should be considered or not considered in the discussion. We don't have to be at every boardroom. Cyber security professionals don't need to be involved in every decision. And if we try to be, it very much waters down our position. We need to be adults in the room to say, hey, this does or does not relate to where we can offer value.

Yeah, we can't end up crying wolf.

Mm-hmm. Yeah.

All right. It's interesting, as always. Robert M. Lee, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.