CyberWire Daily - Ewind adware infesting Android third-party app stores. Influence operations. Russian state use of organized crime. Finspy a payload in Word zero-day exploits.
Episode Date: April 13, 2017In today's podcast we hear about how Ewind adware infests cloned apps in the Android ecosystem. Influence operations rise to prominence amid increased Russian and Islamist activity against Western tar...gets. Accused Russian traitor makes jailhouse denunciation of Russia's coziness with cyber organized crime. Finspy found distributed via Word zero-day. And suppose you're doing a nickel in Ossining or San Q (not that you would be). Webroot’s David Dufour warns of tax-season phishing. Fred Wilmot from PacketSled explains the convergence of OT, IT and IoT. And, how do you stay connected in the big house? Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
E-Wind Adware infests cloned apps in the Android ecosystem.
Influence operations rise to prominence amid increased Russian and Islamist activity
against Western targets. An accused Russian traitor makes a jailhouse denunciation of
Russia's coziness with cyber-organized crime. FinSpy is found distributed via a word zero day.
And suppose you're doing time in the big house. How do you stay connected?
Stay connected.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, April 13, 2017.
Palo Alto Network's researchers warn that an aggressive strain of e-wind adware is afflicting Android users.
As much Trojan as conventional adware, e-wind clones popular apps, installs malicious code, and inserts them into third-party stores.
Some of the noteworthy apps so cloned include Grand Theft Auto Vice City, AVG Cleaner, Minecraft Pocket Edition, Avast Ransomware Removal, and Opera Mobile.
This is one more reason, should anyone still need another, to restrict your app purchases to authorized and reputable stores, in this case, Google Play. Those too can be and have been
wrangled into hosting malicious apps, but on the whole they're a far safer bet than the freelancing
alternatives. If you were wondering about the emergency siren hack in Dallas over the weekend,
it turns out that it wasn't a network intrusion at all.
Dallas public safety authorities are understandably tight-lipped,
but they're saying the sirens were turned on by a spoofed RF signal.
Exactly how, they're not saying,
but it's worth noting that warning sirens are typically controlled by tone combinations received over UHF radio.
controlled by tone combinations received over UHF radio.
In industry news, the Mach 37 cyber accelerator has announced its new class of startups.
They include Automated DL, Broadbridge Networks, Ekren Systems, Neo-Eyed, Secure Home, and Trovalone.
Good luck to all of them.
Operational technology, or OT, refers to the use of computers to control things in the real world,
things like power plant control systems or the switching systems in a railroad.
Fred Wilmott is CEO and CTO at Packet Sled,
and he warns that the ongoing convergence of OT, IT, and IoT requires special attention from security professionals.
Well, I think there's a couple of dimensions here where IT and OT are converging in what
we refer to as IoT and the relation of the technologies being put out into the environments
today and the wearables and things as devices in your home, your Alexa, your Siri, all of these components
all become operational technology at some level, but we really refer to those as IoT devices.
And, you know, the OT devices, what we know is, you know, operational technology that runs for
things like, you know, planes, trains, automobiles are really also entering the same foray of a slightly different
challenge. But nonetheless, they are converging in the sense that the requirement for us to protect
our intellectual property or the keys of the kingdom are all sort of the weakest link being
the supportable problem space that we're trying to avoid or mitigate the risk of. And so that's
where those pieces do seem to come together.
One of the challenges we've had historically in the security industry is collaboration and
consensus. And the first thing that I advocate for here in this particular case is with your vendors
and with your organization, spend time going to the source of where this conflict begins. And that
is, if you haven't been out to an airplane
and that's what you're looking to defend, go to an airplane, sit down, figure out all the potential
parameters around that, and then characterize that in a way that your vendors could understand
and operate on in action and look to help influence legislation that's associated with that.
That's obviously for very large organizations. For small organizations, you've got to look at,
first of all, getting an understanding of what that problem looks like.
I think getting visibility on what happens on those OT environments where you can't put endpoints, deterrents, technology, things like that is critical.
It's also, again, looking at responsible evaluation and disclosure with your partners in the business that manufacture your technology.
responsible evaluation and disclosure with your partners in the business that manufacture your technology, holding them accountable and allowing them to have the room to navigate to continue to
make you successful and transparency around that. And I would say the final piece is,
so we've done some iteration around the technology itself and how it works and the process of
evaluating, continue to iterate on it. Now we also have, I've implemented that,
and how do I test and validate the assertions I'm making around whether or not that is or is not
safe and secure, or that is or is not something that will affect a larger risk profile for the
business? You've got to tabletop those exercises. You've got to spend time looking at causing some
of the scenarios you expect to have happen with purple teams that do a
little bit of assessment and testing work and allow your operational team to try to find and or
mitigate what's happening on their infrastructure. And it's a cyclical process that everyone needs
to continue to go through. As we all know, this is no different than what we've done in IT for years.
all know, this is no different than what we've done in IT for years. But the types of attacks that OT environments are vulnerable to are much lower quality and or complexity. So we want to
make sure we can, you know, capably understand what the implications are when they do happen
and take action as a result of them. That's Fred Wilmot from Packet Sled.
Russo-U.S. relations continue to be chilly with information
operations believed to continue unabated even amid high-level talks between
Washington and Moscow the new information operations center being
established in Helsinki Finland is a sign of the more tough-minded allies
resolution to do something about Russian influence operations against elections
that concern isn't confined to the partners who are establishing the allies' resolution to do something about Russian influence operations against elections.
That concern isn't confined to the partners who are establishing the Helsinki Center, either.
German authorities advocate widespread control over online media to combat fake news,
and Berlin hopes that all of Europe will follow.
Essentially, the plan is to impose heavy fines on social media providers, in particular, who failed to
satisfactorily police hate speech. Addressed as much to concerns about terrorism as they are to
influence operations, the German plans are being met with a predictable degree of skepticism.
There are few signs that policy or technical fixes offer much prospect of short-term success.
offer much prospect of short-term success.
Ruslan Stoyanov, the Kaspersky researcher and former FSB officer, whom Russian authorities have charged with treason, has condemned the Russian state practice of co-opting and using
cybercriminals.
In a statement he dictated to his lawyers, who released it to independent television
station Dozed, Stoyanov says patriot thieves are given immunity from prosecution to attack foreign targets,
and this practice is unsustainable.
The protected hoods will eventually unleash a wave of crime against Russia itself.
Observers have long commented on close ties between Russian security services and organized crime.
The biter may have already been bitten with one of the Word Zero Days patched this week.
According to FireEye, CVE-2017-0199 appears to have been exploited to deliver FinSpy to
Russian-speaking targets.
FinSpy is a controversial lawful intercept product developed by the Gamma Group.
The vector was a weaponized document, a military manual,
from the Ukrainian pro-Moscow separatist group Donetsk People's Republic.
The same vulnerability has also been used to spread the more obviously criminal
Leightonbot and Turdot payloads.
American criminals enjoy a rather different relationship with law enforcement.
Suppose you've done something kind of bad in, for example, Athens, Ohio, to pick a town at random.
Maybe a wildcat party gets too frisky and, well, your honor, just one thing just led to another.
And before you know it, you're invited to a medium security sabbatical in Marion, courtesy of the governor.
Naturally, you want your internet.
I mean, who wouldn't?
Well, here's some news you can use from Motherboard,
which has looked into exactly how some gentlemen of fortune stayed connected in the joint.
Essentially, they pieced the machines together bit by bit,
using parts they pilfered from a computer disassembly program
they'd been working in, as an alternative, we suppose,
to lifting weights and working in the
license plate shop. We'll let one of the inmates speak for himself. As Motherboard quotes his
statement to investigators, it went something like this, quote, I imagine the drive with the
Cronus. All you got to do is take that drive, plug it into any computer, and it will boot up.
I took a network card out of another computer and put it in the illegal computer,
plugged it into the inmate switch, remote desktop into the computer,
and then bam, I'm on the network.
So there you go.
Bam.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off. Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Night Bitch, January 24, only on Disney+. Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
safe and compliant.
And joining me once again is David DeFore.
He's the Senior Director of Engineering and Cybersecurity at Webroot.
David, welcome back.
You know, tax season is upon us.
You had some points you wanted to make about being wary of phishing emails and sort of how to know what to expect, what's normal from the IRS.
Well, David, it's great to be back and yes with tax season upon us uh we're seeing a huge growth in
in the phishing scams around uh the irs and and taxes in general the irs is never gonna gonna
send you an email or call you uh that's just, that's not something cybersecurity related. It's just,
they just don't do it. They're going to send you something via paper, mail. That's how they
communicate. So if you're getting emails saying that you owe money or getting phone calls saying
that the IRS is going to put a lien on you, you know, you probably want to just ignore those
because you're going to get something in the mail from the IRS directly.
Yeah, you know, I have a friend who recently went through this where someone was absolutely just pestering them,
hammering them with, you know, fake calls from the IRS and just really ratcheting up the threats that, you know,
if they didn't pay and pay right now, the world was going to end.
Yeah, that's exactly right. And again, you're going to want to block those, probably report them. So also, you need to be very aware that third parties
may try to contact you as well, saying that they've actually analyzed your taxes and you're
going to get this amount returned or they need to speak with you about your tax situation because
they're working with the IRS. You know, the IRS is not going to work with third parties.
And this, again, isn't necessarily cybersecurity related.
It's more scam focused.
And so just be aware, the IRS will contact you, good old U.S. mail.
They're not going to email you.
They're not going to call you.
And they're not going to use third party agents to communicate with you.
So the IRS is old school when it comes to communication.
They are. All right. David DeFore, thanks again for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.