CyberWire Daily - Fancy Bear, again and again. QRecorder is a banking Trojan. Authentication issues with Apple's Device Enrollment Program. Notes on regulation. Farewell to a code-breaker.
Episode Date: September 27, 2018. In today's podcast, we find out that Fancy Bear has its very own rootkit. VPNFilter turns out to do a lot more than previously suspected. One of the Salisbury assassins is identified as a GRU colonel. A voice recorder app is kicked out of Google Play for being a banking Trojan. Apple's Device Enrollment Program may have authentication issues. Big Tech might learn to like being regulated. And farewell to one of Bletchley Park's Jenny Wrens. Mike Benjamin from CenturyLink with thoughts on the Foreshadow vulnerability. Guest is Daniel Riedel from New Context Services, discussing synthetic identities. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_27.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Fancy Bear has its very own rootkit.
VPNFilter turns out to do a lot more than previously suspected.
One of the Salisbury assassins is
identified as a GRU colonel. A voice recorder app is kicked out of Google Play for being a banking
trojan. Apple's device enrollment program may have authentication issues. Big tech might learn
to like being regulated. And farewell to one of Bletchley Park's Jenny Wrens.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, September 27th, 2018.
There are a few Fancy Bear sightings to report today.
You'll recall that Fancy Bear is what Russia's GRU
has come to be called when it operates in cyberspace.
Or, if you insist, Mr. Putin, Russia's GU, since, ho-ho, there's strictly speaking no such thing as the GRU because its name got changed, and anyway it doesn't exist.
We say phooey, whatever the acronym, it's the same old firm, and we doubt the misdirection works even at the UN.
So tell it to Turtle Bay,
or save it for a meteor shower over Chelyabinsk. But no one here is buying.
Security firm ESET, the gang from Bratislava, reported yesterday that Fancy Bear is deploying
a rootkit against its foreign targets. They're active so far mostly in the Balkans and other
central and eastern European countries,
and the kit they've deployed is LoJax, malware developed from the LoJack anti-theft software.
The attribution to Fancy Bear is, as is usually the case, circumstantial but compelling,
based on the presence of other known Fancy Bear hacking tools.
Cisco's Talos unit looked into the VPNFilter malware
and has discovered that it's even more capable than initially believed.
The researchers found seven additional modules in VPNFilter.
They think it was designed to debut against Ukrainian targets
on the anniversary of the NotPetya attacks,
but they also note that VPNFilter was designed to be a long-term attack platform.
The malware is particularly adapted for IoT attacks, especially against vulnerable routers.
When Talos started checking on VPNFilter this spring, it was hitting home routers,
mostly those manufactured by MikroTik. At the time, the US FBI attributed the campaign to Fancy Bear, took control of some
of its command and control infrastructure, and advised everyone to reboot their routers.
It's difficult to say how many devices remain vulnerable, but VPNFilter turns out to be more
capable than hitherto believed. The seven new modules include an HTTP traffic redirection and inspection tool,
an SSH utility, some network mapping functionality, a denial-of-service tool,
a network traffic forwarding unit, a SOCKS5 proxy, and a reverse TCP VPN.
So it does a lot.
And one of the suspects in the Salisbury nerve agent attacks has been identified as a GRU colonel.
Both of the men British authorities hold responsible for the nerve agent attack in Salisbury
have so far been known by their pseudonyms, Ruslan Boshirov and Alexander Petrov.
Boshirov turns out to be a GRU colonel, Anatoly Chepiga,
an officer thrice deployed to Chechnya during 17 years' service
as a Spetsnaz goon. He was also awarded the Order Hero of the Russian Federation in 2014
by decree from the Russian president for peacekeeping, which probably means hybrid
warfare against Ukraine. The investigative site Bellingcat, which did much of the inquisitorial heavy lifting here,
says that Chepiga's alma mater,
the Far Eastern Military Command School,
has his name in the award up on their wall of honor.
His mention is to the right of their statue
of Marshal Rokossovsky.
It's worth noting that the honorific hero
of the Russian Federation is by custom
awarded personally by the Russian president,
the way the U.S. Medal of Honor is normally presented by the U.S. president.
This would seem to deprive President Putin of some deniability he's hitherto claimed.
Fact is, he probably pinned the medal on Chepiga personally.
Chepiga's fellow tourist, Alexander Petrov, has yet to be identified.
We live in a world with Twitter bots, fake and stolen Facebook profiles, and even automated AI-driven
customer service chatbots. As the technology matures, it's getting hard to be sure you're
dealing with a real human being. This notion of synthetic identities is cause for concern and attention. Daniel Riedel
is CEO of data security firm New Context, and he offers these thoughts. I think with synthetic
identities, it depends on the industry that you're in to a certain extent. I think the banking
industry has their concept of what synthetic identities are. I think other industries do as well.
Obviously, with the banking industry, it has to do with fraudulent uses of payment systems.
But I think that synthetic identities is going to grow and morph in ways that in some cases we
can't foresee. It's sort of the unknown, unknown concept, but I think it's going to have a huge effect on how we trust an entity that we have not seen in person, basically, right? So
anything where we can't absolutely validate that it is a human that I'm actually talking to.
And from your point of view today, where we stand, I mean, how do you define
it in the present context? So today, I think that I think you could say that, you know, some of the
Twitter bots that are out there are synthetic identities. I think that I would look to see a
little bit more sophistication. So, you know, LinkedIn accounts that are false, but look absolutely real. Like
you can't, you can't tell the difference, but they're, they are fake or a Facebook account
that is fake or sort of a, what we're seeing now, especially with some of the announcements with
Google, you know, a conversation that you, if you cannot perceive that there's a human, not a human on the other side, like it's a bot that's talking to you and you cannot make the distinction of whether that's a human or a bot, I think that's really the fit for where synthetic identity is. A lot of those Twitter bots, you can absolutely, you know, see it's a bot. It's when it's very hard for your average person to make the distinction
between the, is this a bot or is this a human? I don't know. I can't tell.
Yeah. And I think we've seen cases of this with things like romance scams, where people
have, you know, sort of vacuumed up someone else's online profile and it's somewhere like
Facebook and assumes their identity and uses it to scam unwitting people.
Absolutely. And I think you're going to see.
So there's the age old fraud that we've seen since the dawn of email where somebody wants you to wire $10,000 suddenly because, you know, they're in a bad spot in the middle of Africa. The synthetic identity
allows it to be a little more challenging to really understand whether that's real or not.
And so I think with anything, especially when it comes to financial transactions,
it's always, you know, making sure that you really know the other party before you do anything.
Yeah, I think of the example that we've seen in the past few months where, you know, Google
had a technology demonstration where they showed, you know, an artificial intelligence
that was ordering up a haircut appointment for someone.
And so I think, you know, certainly the possibility is there.
You can look forward and see how that could be a useful application of this sort of thing.
And yet I feel like, folks, there's that uncanny valley problem.
I think we just can't help having a sense that at a certain level, sometimes these things are just a little creepy.
Yeah, it's like a Black Mirror episode. You're kind of in this new world that we weren't quite sure where if I picked up the phone and I had a conversation with somebody, I'm almost positive that's a human being. We're going to go into a world where if a customer support calls up and it's a very well-written AI that you can have a conversation with, should it say,
hi, I am actually not a real person, but I'm here to help you. And therefore, those folks who
don't do that, you know, it's a little easier to compartmentalize and possibly make it so law
enforcement can go after them. I don't know quite where that's going to go.
Regulation isn't necessarily always the best way to approach something, but I think those
organizations that put their best foot forward and think about that before anyone on the regulation
side thinks about that, I think that would be a good thing. That's Daniel Riedel from New Context.
Returning to some other ESET research,
the company says it found a banking trojan masquerading as a call recording app in Google's Play Store.
The bad app was called QRecorder.
Google has given it the heave-ho.
Duo Security reports finding an authentication weakness in Apple's device enrollment program
that could be
exploited for privilege escalation or rogue device deployment. Part of the problem is that a device
serial number, and that's a predictable number according to Duo, well, it can be used to enroll
a device. Duo recommends that enterprises protect themselves by requiring user authentication
before mobile device management enrollment. They notified Apple of what they found, but Apple has yet to address the matter.
It thus falls into that familiar, that's a known issue, category.
Yesterday's hearings in the U.S. Senate covered online privacy.
Big Tech expressed general approval of privacy regulations.
Some of the GDPR's requirements are onerous, but Big Tech
likes consistency and predictability. So while in some ways regulation isn't really welcome,
it does have some upsides for those who fall under it. Privacy laws and possible
antitrust actions continue to loom over Silicon Valley. Finally, it's worth remembering our heroes, and one such received a last farewell Monday.
Jean Briggs Waters, who died last week at the age of 92, was laid to rest at the Omaha National
Cemetery. She was buried with a Union Jack over her casket and honors from Her Majesty's Government.
Miss Briggs was one of the last surviving Bletchley Park bombe operators
who ran the code-breaking machines
that yielded up German signals
during the Second World War.
She enlisted in the Wrens,
the Women's Royal Naval Service,
at the age of 18 out of an art school in Cambridge.
During the war, she fell in love
with an American Army Air Force pilot,
John Waters.
They married, and after the war, settled in Nebraska. Mr. Waters died in June at the age of 101, and this week,
Jean was laid beside him.
And joining me once again is Mike Benjamin.
He's the Senior Director of Threat Research at CenturyLink.
Mike, welcome back.
You know, we've seen plenty of stories come by about Spectre, Meltdown, and most recently, Foreshadow.
And there's been a lot of teeth gnashing and hand-wringing over that.
But you wanted to make the point today that maybe it's not all doom and gloom.
Yeah, I mean, any bug that hits our industry or puts anybody at risk is, it's of course
interesting and people need to understand it. They need to patch it or mitigate it as the case may be.
But if we look at the class of bugs, these are really very difficult to exploit when you compare to what we were looking at 10, 20 years ago.
The gone are the days of a simple buffer overflow in a privileged application on an internet-facing service.
The fact that we're getting into this complexity of chips really, really shows how much we've matured as an industry.
So I actually think it's a good opportunity to step back, look at it and be proud what we've been able to accomplish in terms of maturity to
technology and software and look at these bugs as not all a bad thing. What do you say to the folks
who make the case that this is a result of the chip makers not being able to increase clock
speeds fast enough that, you know, market pressure still means that they wanted to do things faster.
So they went back to the computer science books and they dug out these speculative processing routines
without maybe giving it the closer look that it deserved.
Well, I think that's a little unfair.
You can look at any technology advancement we've made in any area
and probably point to some security issue that came out of it. And so this is part of evolving technology,
right? And so academia has brought us some interesting methodologies in order to receive
increased execution speed. And I don't think we should criticize necessarily everything they do.
On the flip side, from a chip manufacturer perspective, this is a great opportunity to
learn from the experience and think about how to properly vet these technologies in the future.
So it's a maturity item, and the pendulum will swing both ways. We're going to have advancements,
we're going to learn from them, and then hopefully we mature to the point where things like the class
of bug that gets provided by speculative execution really is no longer going to be an issue after we
learn from it in future spins of this technology. Yeah. So, you know, meanwhile, here in the real world, for folks who have to deal with this, should they be worried?
What's an appropriate level of concern people should have with this?
My recommendation to everyone that's asked me has been be aware of what it is.
And so the concept of retrieving information through these bugs is a risk to certain organizations and certain environments.
And, of course, the environments that get mentioned most from the publicity that these bugs receive is always the shared multi-tenant cloud environments.
The infrastructure as a service provider environments is where other people's data is running on the same chip.
It's being stored in
the same system, and that's where the risk is. And so reaching out to the service providers that
offer those technologies and assuring that they've patched their environments or mitigated in an
appropriate way so that you're not at risk is an appropriate reaction. From other cases,
either the data being stored is not at high of risk, or they're in their own private environments where they need to be aware more of other security issues in front of this and need to allow the natural patching cycle to occur inside their company.
Mike Benjamin, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow.