CyberWire Daily - Espionage by password spraying, and espionage via peanut butter sandwich. Ransomware and DDoS warnings. Two journalists get the Nobel Peace Prize

Episode Date: October 12, 2021

Tehran is running password spraying attacks (especially on Thursdays and Sundays). More on the renewed popularity of DDoS attacks. NCSC warns British businesses against ransomware. Two journalists win the Nobel Peace Prize. Joe Carrigan shares his thoughts on GriftHorse. Our guest is Bindu Sundaresan from AT&T Cybersecurity on football season and cyber risks. And watch out for small data cards in your peanut butter sandwiches, kids. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/196 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Tehran is running password spraying attacks, especially on Thursdays and Sundays. More on the renewed popularity of DDoS attacks. NCSC warns British businesses against ransomware.
Starting point is 00:02:14 Two journalists win the Nobel Peace Prize. Joe Carrigan shares his thoughts on GriftHorse. Our guest is Bindu Sundaresan from AT&T Cybersecurity on football season and cyber risks. And watch out for small data cards in your peanut butter sandwiches, friends. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 12th, 2021. The Microsoft Threat Intelligence Center yesterday released a report on DEV-0343, an activity cluster Redmond connects to Iran. DEV-0343 has been conducting password spraying attacks against more than 250 Office 365 tenants. Fewer than 20 of the attempts were successful.
Starting point is 00:03:20 Targets include U.S. and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation. The target selection is unsurprising as it's consistent with Iranian intelligence requirements. As Redmond puts it, This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance
Starting point is 00:04:04 their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risks to companies in those sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat. End quote. In the course of its campaign, DEV-0343 emulated a Firefox browser and used IPs hosted on Tor. It most often targeted Autodiscover and ActiveSync.
Starting point is 00:04:48 Those of you interested in schedules and workplace customs in and around threat actors will take note that DEV-0343 was most active on Sundays and Thursdays between 7:30 a.m. Tehran time, when the factory whistle blew, and 8:30 p.m., which seems to have been quitting time. Microsoft uses the DEV prefix followed by a numeral to designate a threat actor that isn't yet fully classified. Once it's categorized and identified the actor, the company typically moves to one of its familiar elemental threat names. Microsoft also disclosed that in August it successfully mitigated a distributed denial-of-service attack against an unnamed Azure customer.
Starting point is 00:05:35 At 2.4 terabits per second, the incident was, at the time, according to the record, the biggest volumetric attack so far observed. The Mēris botnet broke the record shortly after the attack against the Azure customer. Quote, the attack traffic originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States. Microsoft continued their account of the incident, The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes.
Starting point is 00:06:19 In total, we monitored three main peaks, the first at 2.4 terabits per second, the second at 0.55 terabits per second, and the third at 1.7 terabits per second. Microsoft, who we note in a spirit of full disclosure is a CyberWire sponsor, has in general seen a year-over-year rise in the number of DDoS attacks. While the attack's total throughput is down a bit, the number of attacks is up by about 20%. The BBC reports that the head of Britain's National Cyber Security Centre, speaking at Chatham House Cyber 2021, described Russian-tolerated criminal cybercrime, notably ransomware, as a threat to the security of British
Starting point is 00:07:05 businesses. In this, as in other matters, the Five Eyes tend to see the threat landscape through similar lenses, with both Russia and China bulking large. The NCSC's director, Lindy Cameron, emphasized that ransomware, however, represented the most immediate danger. The Nobel Committee Friday announced that two journalists, Maria Ressa of Rappler in the Philippines and Dmitry Muratov of Novaya Gazeta in Russia, would be awarded this year's Peace Prize. The Washington Post describes both journalists' critical engagement with their respective governments. Both, and especially Mr. Muratov, have worked at considerable personal risk. Congratulations to them. A Maryland couple have been charged with violations of the Atomic
Starting point is 00:07:59 Energy Act. Jonathan and Diana Toebbe are said to have sold restricted data related to submarine nuclear propulsion systems to an FBI undercover operative they believed to be an agent of a foreign power. Jonathan Toebbe is an engineer employed by the U.S. Department of the Navy. The Toebbes are said to have asked for $100,000 in Bitcoin, of course, in exchange for the restricted data they were offering. Restricted data is a term of art described in the U.S. Atomic Energy Act as, quote, all data concerning design, manufacture, or utilization of atomic weapons, the production of special nuclear material, or the use of special nuclear material in the production of energy.
Starting point is 00:08:47 Restricted data is not itself a classification, and data so marked may be controlled at any number of levels, running at least from the relatively low-level confidential classification up through Top Secret. The Baltimore Sun reports that the information was stored on SD cards, which were then hidden in a Band-Aid wrapper or a peanut butter sandwich, no word on whether jelly was included, before being deposited in what spies call a dead drop, which the FBI told them would be out in West Virginia. CBS News and others report that the FBI was tipped off by the unnamed foreign power. Who might that unnamed power be? There's reason to think, from the internal evidence of the indictment,
Starting point is 00:09:33 that the unnamed power was itself an operator of nuclear submarines. There are six nations who operate nuclear subs. Russia, China, India, the UK, France, and the US, with Australia to join the club as a seventh member in a few years under an agreement recently concluded with the US and the UK. Assuming that a wannabe spy would be likeliest to approach a rival submarine power, that leaves Russia, China, India, the UK, and France. It's unlikely in the extreme that either Russia or China would tip off the FBI about anything. India might, but on the other hand, it might not. You'd have to be an extraordinarily stupid spy to offer American secrets to the
Starting point is 00:10:20 British and think this would go unremarked, and so, while stranger things have happened, we can probably rule out the UK and, for that matter, Australia, since the Five Eyes generally see eye to eye. So France? Maybe. It would still require a degree of cluelessness to approach a close U.S. ally like France, but a newbie spy might well decide that was a good bet, especially given French irritation about the Australian agreement with the U.S. and U.K., which cut French builders off from a potential market. The timeline's not clear, but it's a nice theory. Dmitry Alperovitch, who's been tweeting about this a little,
Starting point is 00:11:03 thinks on other evidence that it was France. Quote, Oh, and he told his fake handler that he wants to one day meet them in a café and have a bottle of wine. Case closed, Mr. Alperovitch tweeted. If it was the French, we hope the FBI said merci and sent over a nice bottle of bourbon. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
Starting point is 00:12:00 across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's Vanta.com slash cyber for a thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:12:46 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives
Starting point is 00:13:00 are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Are you ready for some football? That's American football for our international listeners,
Starting point is 00:13:35 not the Ted Lasso football-is-life variety you all play in the majority of the world. I have been informed by loved ones who track such things that it is indeed football season. Bindu Sundaresan is director at AT&T Cybersecurity, and she reminds us that when it comes to the security of personal information, it's important to keep your eye on the ball. When you have, you know, sports events, you know, the football season like we're talking about, you know, it really does garner attention from the malicious actors. So, you know, we all have to have our guards up
Starting point is 00:14:04 and make sure that, you know, the information that we are sharing on social media, on, you know, ticketing platforms that we are using to buy these tickets, or, you know, even at stadiums, when we go to watch, you know, everything is automated today with every technology and innovation that we have, you know, think of it as yet another attack vector and avenue for the malicious actor to use to go after. How many of us, you know, truly use different user IDs and passwords for different things, right? Most of us don't. So, you know, that's why we see an uptick in credential stuffing attacks. So what this really means is, you know, the credentials that you're using to watch, you know, the football games
Starting point is 00:14:47 versus to shop online versus for your social media, if they're all the same, you know, anywhere where I could, you know, really get access to that, you know, credentials, I will now use it maliciously and think about, you know,
Starting point is 00:15:02 all of the, you know, websites that we, you know, go to as we are really looking forward to these games and we're trying to get, let's say, tickets or posting on social media. We fall prey to social engineering in the sense that we really may not be thinking about it from a cybersecurity point of view, but keep in mind that, you know, it is exactly that moment that the malicious actor wants to prey on, right? It is that, you know, you've let your guard down, you are not thinking about it as like cybercrime, you know, type of, you know, mode, right? All the security awareness and training that you've gotten, you know, at work and, you know, what you've read
Starting point is 00:15:42 about, you know, sort of goes goes out the window when you're sort of being entertained and you're watching a game. So the key is, even public Wi-Fi hotspots, so we know that you're not supposed to connect to just public Wi-Fi hotspots and have all the transactions happen on guest Wi-Fi. But you know that, but then when you're at a stadium, how often are you thinking? Are you just going to be doing all types of transactions and on your mobile phone while you're watching a game at a stadium? Most likely you are, right?
Starting point is 00:16:20 So it is about being aware of how the malicious actor is looking to leverage any and all opportunity that they can, it happens, right? So it's key that, you know, with the new season and, you know, with all of us, you know, also coming off of the pandemic, you know, we are all ready, you know, for some entertainment and for, you know, sort of, you know, not being locked up, right? So I think, you know, that's exactly the point where, you know, we become more vulnerable to data loss, because all of that data that we are tracking, whether it is the performance of athletes, you know, using it for competitive advantage, you slowly, you know, sort of lose sight of the fact that it can be used for espionage and sabotage.
Starting point is 00:17:06 And identity theft is becoming more and more prevalent because of all this information that is out there. I think you bring up a really interesting point, which is that of trust. And I think many of us have kind of an inherent trust in our favorite teams. We feel an affinity for them. And so it's likely that if we get some sort of communication from them or maybe one of our favorite players, that could lead us to having our guard down just because of that affection we have for them. Oh, yeah, definitely. The thing is, because I've been doing this for over 20 years, I have to say that, you know, security is people, process and technology. Right. It is as much of, you know, psychology play as much as it is a technology play.
Starting point is 00:17:54 Right. So if I were to tell you, hey, you know, can you just share your date of birth, your phone number, you know, I'm not asking you for your credit card. And, you know, can you share enough of your personal information so that you can win a raffle where, let's say, you know, you get to spend a day with your favorite player. How many of us will really refrain from doing that, right? And, you know, you think about all these Facebook and, you know, social media games that we play, right? You know, funny pet names, favorite pet names, right? Where did you go to school? You know, which year were you born, right? All of this is a digital footprint of you, right? So when you're asked all of these pieces of information in the context of spending time with your favorite player, you know,
Starting point is 00:18:46 you really don't even think again, right? It's key that we not only invest in secure payment systems and, you know, we are really doing sort of two-factor authentication, you know, we are filtering emails, right? But in addition to that, the awareness of would you even know how to spot a fake app? Would you know how to, you know, be able to really, you know, let's say you got a call that talks about, you know, you bought a ticket to your favorite game. And now, right, we do have, you know, as a fan, we engage with these sports teams. And at the same time, the sports teams have to think about it in terms of cyber risk, you know, trust and resilience. That's Bindu Sundaresan from AT&T Cybersecurity.
Starting point is 00:19:44 Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Starting point is 00:20:42 Hello, Joe. Hi, Dave. We have been covering here on the CyberWire this campaign, this scam campaign called GriftHorse, which the folks over at Zimperium have been tracking. Interesting story over on Wired written by Lily Hay Newman that outlines it. I recommend people check it out. But I wanted to dig in with you as well. This is the kind of thing we cover over on Hacking Humans pretty regularly. What's going on behind the scenes here, Joe?
Starting point is 00:21:09 So what's happening is these guys, these bad actors, don't really know who they are, but they have used a development framework called Apache Cordova. And what Cordova does is it allows you to develop cross-platform applications. Why would you put a lot of energy into developing both Android and Apple iOS applications when you can just develop one application using standard web technologies like HTML5, cascading style sheets, and JavaScript, to essentially build a web-based experience for the user that translates across different platforms. Okay. Okay, so that's the tool they're using is Apache Cordova,
Starting point is 00:21:55 and it does just that. So it's a great tool for application developers. Okay. But because you're using a web-based technology, I can just put anything I want on the servers that the application accesses, right? So the malicious code in this case does not actually exist in the app. From the perspective of the Google Play Store and all the people that analyze the apps, and there's a bunch
Starting point is 00:22:27 of them, and Zimperium is actually one of the people that looks at the apps before they get published, there's nothing malicious in the app until the user activates the app and the app goes out to a command and control server and downloads HTML and everything that it needs to show the user things. Okay. And that also enables new functionality. And behind the scenes, it has access to a lot of different pieces of information about you, like your Google advertising ID, the equipment identification number, the EI, whatever that long string of numbers is that represents your phone uniquely. Right, right. It has access to that.
Starting point is 00:23:03 It also has a capability of signing you up for premium services automatically. Well, not really automatically. It does ask you to claim your gift. Yeah, so let me just interject here because it says, basically, you go and you download what you think is a benign app, a translator app, a heart rate monitor,
Starting point is 00:23:23 that sort of thing. Yeah, and they have a chart of these apps on the Zimperium report and it's amazing. They have 200 apps that were equipped this way. Now it says after downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to confirm their phone number to claim a prize. Joe, if my phone were pestering me five times an hour to claim a prize, I would take it out in the parking lot and run over it with my car. I don't know which app. This happened a long time ago. I got some app that started doing this to me. And first off, it was a nightmare to figure out which app was sending it to me because it was
Starting point is 00:24:02 an older version of Android. Now it says, hey, this notification is from this app. Okay. Right? And they have pictures of that. Yeah. But back in the Android 2 days, that wasn't the case. I just got notifications on my phone. Drove me batty.
Starting point is 00:24:15 Yeah. Hated it. Yeah. So, in this case, they get you to verify your number, but what you're really doing is you're signing up for a premium SMS service for 42 bucks a month for something or other. Now, I think that's a little high and greedy, don't you? I mean- Who knows? Maybe they're fans of the Hitchhiker's Guide. Right. But if you, these guys infected or distributed 10 million copies of these things.
Starting point is 00:24:41 Yeah. You know, if you can just go like a dollar a month, maybe that slips under the radar. Well, yes, but I think what they're counting on here is that most people, by the time someone gets their bill and reviews it. Right. And then, you know, cancels or whatever, they've got their 42 bucks. Right. And they just keep it. Yeah, exactly. So, but it's interesting to me that, you know, Zemperian points out that this has been active since November of 2020. That's a long time for something to be hanging around in the Play Store at this scale. undetected by any of the antivirus companies out there. They had developed more than 200 of these apps, and they had that sophisticated architecture where they download the malicious code from a website, right? And they had a no-reuse policy to avoid the blacklisting of these servers or these strings. Right. They didn't reuse URLs. Right. So they say that that level of sophistication, and when I say they, I mean Zimperium says that that level of sophistication, and when I say they, I mean, Zimperium says
Starting point is 00:25:45 that that level of sophistication, the use of these novel techniques and the determination displayed by these guys allowed them to stay undetected for several months, for almost a year. Yeah, almost a year. This is a long-term campaign. They've got, uh, close to 10, 10 million installs. And I don't know if they're counting that from the Google Play Store or from also third-party apps. Now, all of these apps have been removed from the Google Play Store.
Starting point is 00:26:09 And that doesn't mean there aren't more apps out there that they haven't found yet. There may be, but they can't make the same claim about third-party app stores, which is one of the things that I frequently tell people is don't use third-party app stores, and this is exactly why. Yeah. But so let's talk about potential protection here, because these were on the Google Play Store. These were on the Google Play Store, right. There's your walled garden, and so you, you know, I think rightfully have a sense that things are more secure there, that they've been through some sort of check before you can download them. So what do you do here? First off, the risk is really kind of minimal from the American perspective, right?
Starting point is 00:26:49 42 bucks, maybe I lose it and just cancel the service and I'm done. Yeah. So it's not devastating or world-ending for us. But that may not be the case elsewhere in the world. I mean, what do you do? I would say pay attention to your bill and fight every charge that you don't expect.
Starting point is 00:27:04 Google's usually pretty good about refunding premium service charges. Apple's also very good about that, but this didn't affect any of the Apple Store products. At least they don't say it did. I guess security awareness, too. I mean, whenever you see one of these prize-winning things, they're generally a scam. Yeah, you want a prize. I mean, if you've got an app that's sending you prize notifications all the time, uninstall the scam. Yeah, and prize winning. Yeah, you won a prize. I mean, if you got an app that's sending you
Starting point is 00:27:26 prize notifications all the time, uninstall the app. Yeah. If it sends you one prize winning notification, uninstall the app. That's my policy. Yeah.
Starting point is 00:27:33 I don't want you to try to give me a prize. I just want you to deliver me functionality. I like apps that you pay for, that you pay a one-time fee for to not have ads on it. Right.
Starting point is 00:27:45 I do that with a couple of apps I really enjoy. And I don't generally like the subscription model for phone apps. Yeah. All right. Well, again, the campaign is called Grifthorse, and the folks over at Zimperium have been leading the way on describing it. This article is from Lily Hay Newman over in Wired. Joe Kerrigan, thanks for joining us.
Starting point is 00:28:07 It's my pleasure. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host.
Starting point is 00:28:46 The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Trey Hester, Brandon Karpf, Puru Prakash, Justin Sabey, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
Starting point is 00:29:22 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, Thank you. deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
