CyberWire Daily - Ex-employee backdoor. Stealthy DDoS. Anubis dropper looks for motion. Influence operations. Privacy actions. The curious case of the espionage arrest in Russia.

Episode Date: January 22, 2019

In today’s podcast, we hear that the WordPress Multilingual Plugin was compromised by a disgruntled ex-employee. Stealthy DDoS might escape notice. Anubis droppers wait for the phone to move before executing. EU works against influence in its May elections. France fines Google for lack of transparency under GDPR. Facebook may face FTC action. And more emerges on the curious case of the American/Canadian/Irish/British citizen arrested in Moscow for spying. Johannes Ullrich from SANS and the ISC Stormcast podcast on gift card scams. Carole Theriault speaks with guest Maria Varmazis about Fortnite vulnerabilities. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_22.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. The WordPress Multilingual Plugin is compromised by a disgruntled ex-employee. A stealthy DDoS might escape notice. Anubis droppers wait for the phone to move before executing, the EU works against influence in its May elections,
Starting point is 00:02:11 France fines Google for lack of transparency under GDPR, Facebook may face FTC action, and more emerges on the curious case of the American-Canadian-Irish-British citizen arrested in Moscow for spying. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 22, 2019. Much of the news that's developed today and over the long weekend deals with government and corporate wrangling over privacy and influence operations.
Starting point is 00:02:48 We'll briefly cover a few of the other threats currently in circulation before we turn to those stories. A former employee, evidently one of those proverbially disgruntled ones, used a backdoor he created during his employment to compromise the WordPress Multilingual Plugin, or WPML. The developers of WPML say that the hacker took customer data, including site keys, and also sent mass messages to customers warning of critical vulnerabilities in the plugin. WPML.org says they've rebuilt their site, that payment information was not among the data compromised, and that customers should change their passwords.
Starting point is 00:03:28 No word on what's in store for the disgruntled ex-employee, but one assumes the proper authorities have been notified. Security firm Nexusguard, in its third quarter threat report, notes that there's been an increase in a relatively stealthy form of distributed denial-of-service attack. In this technique, attackers go after ASN-level, that's Autonomous System Number, communication service providers. They spread small amounts of attack traffic, junk the researchers call it, across a large number of different IP addresses. This avoids tripping the alarms more familiar volumetric attacks would trigger,
Starting point is 00:04:05 but it also produces troubling latency in the target networks and can, in some cases, deadlock them. In the seesaw struggle between attack and defense, the attackers have taken a new tactic. Researchers at security firm Trend Micro have found that some malicious apps dropping Anubis banking malware onto Android devices have been designed to activate only when the infected device's motion sensor indicates that, yes, the device is indeed moving. This is thought to be an attempt to fly beneath the detection radar of emulators, which typically don't offer motion detection. If it moves, the servants of Anubis conclude, then it must be a phone.
Starting point is 00:04:53 Being the father of a preteen kid, as I am, there's a lot of Fortnite gaming going on in our house. News broke recently of some researchers discovering some significant vulnerabilities in Fortnite, and our UK correspondent Carole Theriault has the story. Check Point released research that uncovered a major flaw in Epic Games' Fortnite. The researchers showed that the flaw could allow someone to log into a user's account by taking advantage of authentication tokens assigned to single sign-ons. This is from the likes of Facebook or Xbox or Google. Check Point, following the industry rules of ethical and responsible disclosure, worked with Epic Games to remove the flaw before Check Point went public with their
Starting point is 00:05:30 findings. Had the flaw been found by ne'er-do-wells instead of responsible researchers, it could have been a catastrophic data breach for its 80 million users. So Fortnite is no small potatoes. In fact, it made a reported $2.4 billion in 2018, thanks in part to its inbuilt financial ecosystem. All this money flying around makes Fortnite a valuable target to online criminals. But there is something else. Many Fortnite users are young. They probably have less experience with money management and cyber scams. And many an account will be funded by a player's parent.
Starting point is 00:06:07 Could these young account gatekeepers be seen as an easier target than your cynical and watchful adult? I pinged a good friend and cybersecurity journalist and avid gamer, Maria Varmazis, to get her take on this epic Fortnite flaw. Maria, thank you for coming here, especially when you're feeling a little under the weather. I'm happy to do it, Carole. Now tell me about Fortnite and this big vulnerability that AV company Check Point notified us all about. It all happened within a legit version of the game that allowed an attacker to log in, as they basically could steal a login token and log into a legitimate player's account. And when they have access to that player's account, they could then buy a whole bunch of stuff
Starting point is 00:06:54 within the world, assuming that that person has a credit card attached to their account, which they probably do. So they could then buy a bunch of stuff, or buy a bunch of bucks, and then you can send stuff to other players within the world. So essentially rack up a huge bill, buy a whole bunch of stuff, and then send it to, like, a master account somewhere else, like the one that you own. You, as a scammer, it's your personal account, and suddenly your scammer account has all these ill-gotten goods. But essentially the person who's been scammed can't really do a whole lot to get that back. Like, they can file a report or a ticket or something, but a lot of times the answer is tough luck, kid. So wouldn't two-factor authentication mitigate
Starting point is 00:07:30 or at least help account holders be able to verify their authenticity? Yeah, 2FA is always a great idea. I know Fortnite offers it and they even incentivize people to use it. They give you some exclusive stuff within the Fortnite world, which is great. I'm sure that would help a lot. And I know that Fortnite does encourage people to use it. But
Starting point is 00:07:52 again, you're talking to kids with poor impulse control. A lot of them don't want to go through that step. Yeah, because enforcing rather than recommending might be a way to resolve these issues. A lot of these games have the same problem. Blizzard has an authenticator for World of Warcraft, for example. Right. Similar problems happened in that world for years and years and probably are still happening now. And Fortnite's having the same issue.
Starting point is 00:08:15 When you have millions of people on these platforms, it's just going to happen. But the adoption rate is much lower than it should be for 2FA. So that is a challenge for sure. Okay, so what advice do we have for the user? Try to use common sense. That might be a hard one for a kid who's still learning what that is. But use that cynicism, I suppose.
Starting point is 00:08:37 And when you're thinking about getting free stuff in the game, just remember that there's never anything free, even in these free-to-play games. So unless you're getting something through the official website or through the official game, there's something off with that. And if you don't see what the hitch is, it's probably access to your credit card data or giving up some sort of sensitive information that could be helpful in the black market. Don't give that up. And just question why you're getting something for free. Yeah, trust me, mom will not be happy if she finds this huge bill on her credit card. So you could be actually very diligent about doing this kind of stuff and still have your account get compromised. With 2FA, it's a lot less likely, but it can still happen. One little trick that a lot of people use is to not put a legit credit card on your account to buy things. Use a gift card or a card that has a set amount of money on it. Like one of those gift cards that you can charge a certain amount of money onto. Really an idea.
Starting point is 00:09:37 Yeah. So that way you can't rack up, like, an infinite bill. You just have however much money on that credit card you need to buy what you're getting. And if you want to buy some more, you have to put a new credit card on. You know, that's really good advice for many online accounts that we use. Thanks, Maria. Thanks for having me on. This was Carole Theriault for the CyberWire. Returning to influence operations, privacy rules, and arrests for espionage,
Starting point is 00:10:03 Politico reports that EU elections scheduled for this May are thought to present an attractive target for nation-state hacking and influence operations. For one thing, the elections are unusually protracted by European standards, and they also amount to a number of distinct votes, with disparate member nations presenting various attack surfaces. Voting will take place May 23rd through 26th in the 27 member nations of the European Union. The principal concern is with disinformation and influence operations in the form of online trolling. The principal suspect is, as usual, Russia. Google, Facebook, Twitter, and Mozilla have agreed to provide reports on influence operations during the election season.
Starting point is 00:10:47 These can be expected to concentrate on transparency and on the exposure of inauthentic accounts of the kinds previously deployed by Russian state-directed actors, the Internet Research Agency prominent among them. The threat isn't solely Russian, however. In at least one case, a disaffected individual also succeeded in roiling political waters. German authorities recently arrested a 20-year-old student in connection with a fairly long-running doxing effort that exposed correspondence of political figures, including President Steinmeier and Chancellor Merkel. Facebook COO Sheryl Sandberg says that her company intends to work with Germany's BSI,
Starting point is 00:11:26 the Federal Office for Information Security, to impede influence operations designed to sway the elections. The BSI hasn't commented, and Facebook's situation in Germany has been a touchy one, with some official suspicion of the company's data handling and privacy practices. There's also renewed legal wrangling in the U.S. over Russian cyber operations. The Democratic National Committee has amended its civil complaint against Russia and a number of others to include allegations of post-midterm hacking attempts. Those attempts seem to have consisted of phishing with indifferent success, but official Washington is currently in a state of bipartisan concern that deep fakes,
Starting point is 00:12:09 convincing but utterly bogus videos and similar artifacts, could play a disruptive role in future campaigns. France's CNIL, the nation's privacy watchdog, has fined Google 50 million euros over GDPR issues. Essentially, for lack of transparency and user consent, the Telegraph reports. Former Facebook CISO Alex Stamos is interested to see whether GDPR will prove to be more about competition than privacy. In a series of tweets after the CNIL's actions, Stamos noted the sheer difficulty of compliance, especially with respect to online advertising.
Starting point is 00:12:47 He said in one tweet, quote, it's very hard to find a European advertiser who lives up to these standards. Maybe they are just starting with the biggest, but if CNIL doesn't find any EU-based ad networks in the coming months, we know GDPR is about competition policy, not privacy, end quote. Stamos's point is worth considering, but the publication AdExchanger noticed back in November that CNIL had warned a small European ad company, Vectaury, about possible violations despite Vectaury's having structured its operations in accordance with the IAB GDPR transparency and consent framework, generally thought a safe guide to compliance. Russian censorship authority Roskomnadzor has opened an administrative enforcement action
Starting point is 00:13:35 against Facebook and Twitter, the Wall Street Journal reports. The communications agency says the two social networks haven't complied with requirements that data on Russian citizens be stored in Russia. SecurityWeek notes that Facebook may be set for a large fine in the U.S. The Federal Trade Commission is said to be preparing an enforcement action against the company for privacy failings related to the Cambridge Analytica scandal. The Washington Post has new details on Russia's arrest of Paul Whelan on espionage charges. He's said to have been passed a USB drive containing secret information, a state secret, as sources put it.
Starting point is 00:14:15 Whether he knew that's what he'd received remains unclear. His defense attorney, Vladimir Zherebenkov, who has a reputation for defending high-profile clients in high-profile cases, said that Mr. Whelan, who holds U.S., British, Irish, and Canadian citizenship, thought the flash drive held photos and videos of an earlier trip to Russia. He'd asked for the files because he'd been unable to download them electronically. Mr. Zherebenkov also said, quote, How he got the flash drive, what he was
Starting point is 00:14:46 supposed to do with it, and whether Whelan knew he had secret information is unknown, end quote. Mr. Whelan, who maintains his innocence, has been denied bail. The case is a very odd one, and most observers speculate that the Russians grabbed Mr. Whelan in the hope of using him in a swap for the Russian national Maria Butina, who's taken a guilty plea in the States and is herself widely regarded as a Russian asset. All four of the countries in which Mr. Whelan claimed citizenship sent consular officials to his hearing. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:15:33 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:16:27 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:16:58 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute
Starting point is 00:17:52 and he's the host of the ISC StormCast podcast. Johannes, it's great to have you back. You have been tracking some scams that have been involving gift cards. Bring us up to date here. What are you looking at? Right. I think what's really special about this is that these are attacks that used to seem in a more targeted fashion that are now sort of becoming these automated commodity attacks because I think the attackers are getting better
Starting point is 00:18:18 in really figuring out relationships between people sort of in automated fashion. The way these attacks work is that some random worker in a company, often associated with accounting, gets an email that claims to come from a manager, from the CEO, and asks that worker to go out and buy gift cards with company funds. And there's usually some pretense around it, like, of course, the holidays recently. We've also sometimes seen some disasters being used like this. And then send images of these gift cards to the attacker who claims to be that manager. So that's really sort of how it works. But I think what's really special about it is
Starting point is 00:18:59 how these attacks appear to be automated based on the volume that we're seeing for these attacks. So what are you seeing that makes you think that they're automated? The texts are fairly similar, and sometimes you can also tell by, but they sort of get it wrong. They don't get names quite right, but they use names, for example, from LinkedIn and platforms like this. Sometimes they also target new employees that were just sort of added, for example, to the company's website. That appears to be sort of another pattern that we somewhat see there. But overall, we are still collecting a lot of these emails. So if anybody has them, send them our way and we try to get a better handle on what they're exactly using,
Starting point is 00:19:40 how they're getting this information. Yeah, that's interesting. So they could be scraping someplace like LinkedIn for folks in the positions that they want to target, someone in HR or something like that. But then that's interesting, targeting new employees. Do you think they're looking for changes on a website, something like that, someone new shows up? That appears to be at least my best guess right now.
Starting point is 00:20:00 We haven't really recovered any of the sort of tools they're using to do that yet. That, of course, would be really great if someone finds a compromised system that still has these tools installed on it. But company websites, of course, and particular new employees, of course, are particularly vulnerable to this. They still want to impress the boss. They're not really that familiar with the exact relationships and how things work in a company. In one case, I actually had one person sort of keep tracking them along. After the initial hook, then it appears to be manual because then you actually can communicate with the attacker sometimes.
Starting point is 00:20:35 And they try to convince the employee to actually go out and use personal funds because they sort of send a fake reply back saying, yeah, the company credit card doesn't work for gift cards. Yeah, that's interesting. I did have a friend who fell for this. She was an HR manager in a tech company and went down the path, actually went down to the local grocery store, bought some gift cards, and was in the process of sending the cards out and happened to wander down the hall to where her boss worked, who was supposed to be the person making these requests,
Starting point is 00:21:05 and told him about the gift cards. And he said, what gift cards? This is a smart person, you know, working in a tech company. So anyone can fall for these. And that's it, really. You know, by customizing these scams so well, I think that's why they're successful. They're not as easy to detect as some
Starting point is 00:21:26 of the other scams we have seen in the past. Yeah. All right. Well, it's something to look out for. And certainly listeners, if you've got any additional information on this, let us know or get in touch with Johannes himself. He'd like to see it. Johannes Ullrich, thanks for joining us. Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire.
Starting point is 00:22:37 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash,
Starting point is 00:23:05 Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:23:40 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. Thank you. through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
