CyberWire Daily - ExileRAT versus Tibet. SpeakUp backdoors Linux. Facebook bans Myanmar militias. Norway sees a threat in Huawei. Westminster gets hacked? Bangladesh Bank sues over SWIFT caper.

Episode Date: February 5, 2019

In today’s podcast, we hear that ExileRAT is targeting Tibet’s government-in-exile. The SpeakUp backdoor afflicts many varieties of Linux systems. Facebook bans ethnic militias in Myanmar from its platform. Norway’s PST intelligence service says that Huawei constitutes a security risk, and China says that’s nonsense. Someone seems to be hacking contact lists belonging to UK Members of Parliament. Bangladesh Bank is suing to recover the $81 million missing from its 2016 SWIFT heist. Joe Carrigan from JHU ISI on Facebook’s password flexibility on mobile devices. Guest is Josef Williamson from EclecticIQ on cyber espionage and nation state threats. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_05.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. The SpeakUp backdoor afflicts many varieties of Linux systems. Facebook bans ethnic militias in Myanmar from its platform. Norway's PST intelligence service says that Huawei constitutes a security risk, and China says that's nonsense. Someone seems to be hacking contact lists belonging to UK members of parliament, and Bangladesh Bank is suing to recover the $81 million missing from its 2016 SWIFT heist.
Starting point is 00:02:33 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 5th, 2019. Cisco's Talos Research Group has identified a targeted campaign against supporters of Tibet independence, including elements of the Tibetan government in exile, that installs the ExileRAT remote-access Trojan. The vector is a malicious PowerPoint file, and the attack shares command and control infrastructure with the LuckyCat Android malware earlier used against Tibetan activists. The researchers think espionage and not criminal gain is the goal. Talos doesn't say as much, but the Magic 8 Ball would probably say that signs seem to point to China, where Tibetan independence groups and sympathizers, as well as ethnic Tibetans both home and abroad, have long been of interest to Beijing's intelligence and security
Starting point is 00:03:25 services. Researchers at security firm Check Point have found a new Linux backdoor, SpeakUp, which can run on several Linux distributions and on the related Mac OS. The Trojan, thought to be possibly the work of a Russian-speaking coder and so far apparently most active in East Asia, is said to evade most current security products. Check Point thinks its current activity is a sign of much bigger campaigns to come. Facebook has banned four ethnic armed organizations that operate in Myanmar from using its platform. The militias all form part of the Northern Alliance and are among the armed militias that have long operated in that country. The groups Facebook banned include the Arakan
Starting point is 00:04:11 Army, the Myanmar National Democratic Alliance Army, the Kachin Independence Army, and the Ta'ang National Liberation Army. This is part of Facebook's ongoing efforts to purge its platform of groups that advocate violence, and even more of groups that use Facebook to incite or coordinate violence. It's worth noting that this isn't being done necessarily at the behest of Myanmar's government, even though security forces have recently clashed with some of the militias, notably the Arakan Army. As TechCrunch notes in its coverage, Facebook has earlier taken action against some government leaders and organs, including the commander-in-chief of the armed forces and the military-owned TV network Myawaddy.
Starting point is 00:04:56 Nor is this simply the restriction of content as hate speech. Facebook has so thoroughly permeated Myanmar's late-adopting online culture that it practically constitutes the internet for most of the country's users, and its platform has been actively used to incite and coordinate several violent campaigns, most notably those against the Rohingya Muslim minority in the Buddhist-majority nation. The UN believes some 700,000 Rohingya became refugees since August of 2017. The UN also reported that abuse of Facebook played a determining role in inciting the persecution. Cyber espionage from nation-states of industrial environments continues to be a global concern.
Starting point is 00:05:40 The folks at Eclectic IQ have been tracking these threats in their new fusion center. Joseph Williamson is a threat intelligence analyst with Eclectic IQ have been tracking these threats in their new fusion center. Joseph Williamson is a threat intelligence analyst with Eclectic IQ. So specifically with regards to espionage of industrial environments, I think you can break it down into two categories at the minute. The first category would be espionage for competitive advantage, and the second would be a recon for destructive attacks. So an example of espionage for competitive advantage, that's where a nation state might want to take a look at the ways that Western countries run their businesses in the critical
Starting point is 00:06:19 infrastructure sectors so that they can employ certain strategies within their own firms within those sectors. One example that we see a lot at the minute is a lot of China-based adversaries have been working in support of the Belt and Road Initiative. So there's been an increase in Chinese espionage of Western and Southeast Asian petrochemical and energy firms in order to bolster their own trade and gather insight into the other countries that they do business with. An example of the latter, which is a recon for destructive attacks. It's difficult to gain too much insight into this because once an adversary gets information on one of the environments that they're surveying, you don't know exactly what they do with it.
Starting point is 00:07:03 But to give you an example, there's a Russian-based actor called Dragonfly who has been lurking in a number of Western energy firms for the last few years, exfiltrating sensitive data on those organizations' SCADA systems. And for example, just to go down right to the detail, exfiltrating stuff like screenshots of wiring diagrams and stuff like that. What they do with that information is never going to be 100% clear to us on the defensive side. But the idea is that they could then use that for subsequent destructive attacks. Can you give us an idea? I mean, how does the average person dial in the appropriate level of concern when it comes to these things? That's a great question. I'm glad
Starting point is 00:07:45 you asked it. In general, when it comes to reporting in mainstream media, we tend to take it way too far. The average person is not at risk. You know, it's very unlikely that you're going to wake up and see the headline that a cyber attack on a nuclear power plant is causing immediate danger to a populace. It's not likely that you're going to wake up and find that you have no electricity, although that has happened before. But it's unlikely. This doesn't happen very often. And it happens to very specific targeted regions. So definitely a dose of realism is needed when you look at the headlines in mainstream media and taking a bit more time to understand the facts behind certain situations. These types of attacks are very unlikely to affect your average citizen.
Starting point is 00:08:35 And so looking forward into the coming year, what do you expect we'll see? Do you think we're going to see an uptick in these sorts of things? Will it run at the same pace that we've experienced in the past few years? Where do you think we'll land? It's another good question. So we closed out the year with a pretty big destructive attack. Supposedly an Iranian-based actor used a Shamoon wiper to target an Italian petrochemical company, as well as a few similar organizations in other countries. That certainly suggests that things are not calming down. This is reemergence of activity that we saw in 2012 and then again in 2017. So that certainly suggests that destructive
Starting point is 00:09:15 attacks might continue at the same pace. In terms of espionage, yeah, I would say that's going to continue at the same pace. There's, again, like I said, a lot of China-based adversaries who work in support of the nation-state's Belt and Road Initiative. You can almost predict when certain attacks are going to occur based on when neighboring countries have their elections. There's always an uptick in targeting by Chinese actors when a country like Cambodia or Vietnam has a presidential election or something along those lines. That's Joseph Williamson from Eclectic IQ. Norway's PST intelligence service has added Huawei to the list of threats to Norway. Benedikta Bjornland, who runs the domestic intelligence unit, put it this way,
Starting point is 00:10:03 quote, an actor like in Oslo said, It's very ridiculous for the intelligence service of a country to make security assessment and attack China with pure hypothetical language. And it added that China poses no threat to Norway's security. The Norwegian decision comes in advance of the widely awaited report in the UK from the GCHQ unit charged with monitoring Huawei security. That report is expected to be a doozy. BuzzFeed reports that some members of Parliament in the UK have been subjected to cyber attacks.
Starting point is 00:10:49 Investigation is underway, but the hackers seem to have been interested in getting phone numbers and contact lists. Bangladesh Bank is suing Manila-based Rizal Commercial Banking Corporation, RCBC, and others for the $81 million lost to hackers in a 2016 caper that abused the SWIFT transfer system. In an unusual move, the New York Fed is working with Bangladesh Bank to assist with the clawback. Consensus holds North Korea responsible for the
Starting point is 00:11:19 theft, as does the FBI. The theft involved transferring funds from Bangladesh Bank's accounts with the Federal Reserve Bank in New York. $101 million were siphoned away to front accounts in Sri Lanka and the Philippines before bankers involved in the transfer realized something was amiss. It's worth noting that alert proofreaders at Deutsche Bank noticed misspellings and wayward grammar in the transfer requests, and they're the ones who sounded the warning. As Americans, we note with shame that the Germans were better proofreaders than our own boys and girls in New York apparently were. Of the $101 million stolen from Bangladesh Bank,
Starting point is 00:11:58 $20 million of it went to front accounts in Sri Lanka, and essentially all of that was recovered. Most of the $81 million that went to the Philippines is still missing, and that's what Bangladesh Bank hopes to recover. The Washington Post points out that recovery will be difficult. Bangladesh Bank alleges that RCBC personnel helped the North Korean hackers transfer the money to RCBC accounts at the New York Fed, and then to the Philippines, where ever since it's been gone,
Starting point is 00:12:25 baby, gone. RCBC has said in response that this is all PR and misdirection on Bangladesh Bank's part to cover up its own negligence in permitting the transfers in the first place. They'll see one another in court, probably. Why not, you may ask, just sue Pyongyang, since after all they're the goons behind this caper? A good question, but remember a couple of things about North Korea. First, it's not exactly a country with deep pockets. That's why its government hackers are so busy with financial crime.
Starting point is 00:12:56 And second, it's really not a government that has a deep respect for international law, still less for whatever decisions might be issued by some Yankee court. So what are you going to do? Send a repo man after a great successor and dear comrade Kim Jong-un's Mercedes limo? Not likely. In the first place, it would be hard to get through the bouncers guarding it. In the second place, you'd have to beat the Sinanju Highway Patrol to the Yalu Bridges, since you probably wouldn't want to try the minefields around the DMZ, which would be like trying to drive north on the 101 during a Los Angeles rush hour. And finally, the value of the car probably wouldn't cover the full $81 million,
Starting point is 00:13:36 even if it does contain that fully functional onboard toilet, rumored to have been installed aftermarket. So while the Mercedes is what anyone would call nicely loaded, Bangladesh Bank will have to get whole somewhere else. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to
Starting point is 00:14:17 salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies, like Atlassian and and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:14:49 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:15:44 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute,
Starting point is 00:16:24 and he is my co-host on the Hacking Humans podcast. Joe, it's great to have you back. Hi, Dave. I try to make a point to learn something new every day. Good. I try to do the same thing. Recently, something came by that was not necessarily new, but it was new to me. Okay. And so much so that I wanted to check in with you about it
Starting point is 00:16:42 because it really exceeded some of my technical knowledge. And I thought maybe you could help out here. It turns out that when you're logging into Facebook on a mobile device, Facebook is not exactly 100% precise about checking your password. What's going on here? That sounds scary, doesn't it? Well, it didn't. It was.
Starting point is 00:17:02 Yeah. Yes, it was. But I figure there must be more to the story. So what's going on here? There's a, um, this is from a post on Y Combinator. Yeah. And there's a user who noticed that he entered passwords differently and Facebook still accepted the password. So he wrote Facebook and said, what's up with this? Yeah. And Facebook told him from a mobile device they will accept four forms of the user's password. They will accept the original password.
Starting point is 00:17:30 Right. They will accept the password with the case switched. So in other words, as if you have the cap locks on. And the third way is if the initial character of the password is a letter, they'll accept it if it is the original password is in lowercase, but it's in uppercase. Oh, because mobile devices tend to automatically uppercase words. Correct. That happens to be frequently on my mobile device. Okay. Although nowadays in passwords, it doesn't seem to be an issue.
Starting point is 00:18:00 And finally, they will accept your password if it has an additional character at the beginning or an additional character at the end. Okay? So there's two things going on here. One is if I had to speculate on how this is being done, I don't know, but if I had to speculate, then I would say that they are storing three hashes of your password when you enter or change your password to a new password. Right?
Starting point is 00:18:24 So the first one is the original password. Then they run a text conversion on the password to change the case of the first letter, and they hash that. And then they run a text conversion on the password again to invert the case, and then they hash that, and they store those three passwords. Then when you enter your password, this is how I would develop it if I was a developer. They're going to hash the password you entered, the password you entered minus one character at the end, and the password you entered minus one character at the beginning. That's going to give them three hashes, three candidate hashes. And if any of those three candidate hashes match the hashes that they have, one of the hashes that they have stored, then they authenticate you. Huh. Now, you know, my first inclination here is to think, well, what? Password is not a password.
Starting point is 00:19:12 It just needs to be close. But I went a little, did a little digging on this and saw some people talking about it and saying, well, no, because you're coming from a mobile device. That's something you have. And this is probably okay. It's worth the slightly lower amount of security for the convenience to the user. Yeah. The lowering of the amount of security is really not that big of a deal. You're changing the case of one letter. You're tripling the key space of available passwords, but you're going from one to three. And then the truncating of the password really doesn't have any effect on your security level. Because if I take a, let's say I take a 10 character password and then Facebook hashes two nine character passwords,
Starting point is 00:19:57 that doesn't really matter, right? Yeah. I can't think of how that does matter. I might be wrong, but I don't think it matters. Well, Facebook has decided it doesn't matter enough. Right. And that's really the key here. It doesn't matter enough. So once again, if you're using a 20-character password that's all uppercase, lowercase, special characters, numbers, you're going to be fine. This password policy is going to have a minimal impact on your risk. I see. So it might actually make it easier for you to log in when you're coming in on a mobile device. Right, right. And I guess Facebook has made the decision that it's worth it to make it easier for the user to log in on a mobile device.
Starting point is 00:20:34 Right. Rather than the whatever slight amount of insecurity it may add is insignificant but worth it. You know, if this were my choice, I wouldn't do it. If I was running the website, I wouldn't do this. But Facebook has opted to do it. I don't have that big of a problem with it. Yeah. All right. Well, it's interesting.
Starting point is 00:20:53 Like I said, you learn something new every day. Joe Kerrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and
Starting point is 00:21:26 ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
Starting point is 00:22:15 cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Thanks for listening. We'll see you back here tomorrow. Thank you. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
