CyberWire Daily - Gamaredon ups its crazy game. Doxing during unrest. Bogus contact-tracing apps spread spyware. Thanos in the ransomware market. Crypto Wars notes. Another 419 scam.
Episode Date: June 11, 2020
The Gamaredon Group is back, and what's their secret? Like Crazy Eddie's, it's volume! Doxing during times of unrest. Phony contact-tracing apps are snooping on personal information in at least... ten countries. Thanos is a criminal favorite in the ransomware-as-a-service market. Another skirmish in the Crypto Wars is brewing up on Capitol Hill. David Dufour from Webroot on how organizations can successfully navigate their new workplace realities. Our guest is Chester Wisniewski from Sophos on fleeceware apps found in the Apple App Store. And no, really, Elon Musk is not on YouTube offering you Bitcoin. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/113
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Gamaredon Group is back, and what's their secret?
Like Crazy Eddie's, it's volume.
Doxing during times of unrest.
Phony contact tracing apps are snooping on personal information in at least 10 countries.
Thanos is a criminal favorite in the ransomware as a service market.
Another skirmish in the crypto wars is brewing on Capitol Hill.
David Dufour from Webroot on how organizations can successfully navigate their new workplace realities.
Our guest is Chester Wisniewski from Sophos
on fleeceware apps found in the Apple App Store.
And no, really, Elon Musk is not on YouTube
offering you Bitcoin.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary
for Thursday, June 11, 2020.
ESET reports that the Gamaredon group has introduced remote template injectors for Word and Excel documents
and is deploying a distinctive Outlook mass mailing macro.
Gamaredon is an advanced persistent threat group that for the most part hits Ukrainian targets.
It's generally regarded as a nominally Ukrainian separatist group operating under Russian GRU control.
Gamaredon is both noisy and careless, going for speed and spread as opposed to stealth,
but as this latest report suggests, an operation might well rationally sacrifice quality for
quantity, since after all, as someone once remarked,
quantity has a quality all its own.
ESET also suspects that all the noise may be masking
quieter, arguably more damaging operations.
Police officers in major U.S. cities,
including Washington, Atlanta, Boston, and New York,
are being subjected to doxing,
their home addresses and other personal information being shared on social media,
the AP reports. The source is an unclassified intelligence memorandum from the Department of
Homeland Security, which warns that the information could be used by violent opportunists or domestic
violent extremists. It's not illegal to post this sort of information,
although most platforms at least fitfully discourage doing so,
but it's difficult to ignore the implicit threat in this and other doxing incidents.
Since there's a possibility that at least some of the information
came from compromised email accounts,
DHS advises police officers to take steps to secure their online presence.
Anomali yesterday released its findings that bogus contact tracing apps were in fact carrying spyware payloads, mostly SpyNote and the banking trojan Anubis. Contact tracing programs are being
spoofed for Armenia, Brazil, Colombia, India, Indonesia, Iran, Italy, Kyrgyzstan, Russia, and Singapore.
The geographic reach of the operations, the kind of information being collected,
and the opportunistic approach are suggestive of a sophisticated criminal enterprise.
Researchers at Recorded Future describe the growing popularity of Thanos in the ransomware
affiliate program criminal market. Thanos is a ransomware builder believed to be the first to feature the RIPlace technique
that's designed to facilitate rapid weaponization of proof-of-concept exploits.
RIPlace works basically by leveraging symbolic links through an MS-DOS device name
to copy an encrypted version of the file to the original file location.
It's been well-received in the criminal-to-criminal equivalent of Yelp. Thanos works flawlessly,
say the happy affiliates, and they ask the vendor, who goes by the name Nosophoros,
to keep the updates coming. And we say, as an aside, that we're struck by how often online
gangsters sound like people who buy stuff as seen on TV, or even like successful Mary Kay sellers. It's as if the ultimate Avengers villain
was really more interested in establishing a nice work-from-home multi-level marketing scheme
instead of achieving universal beauty through widespread Infinity Stone desolation.
If only Nosophoros offered pink Cadillacs as a reward for criminal success,
the picture would be complete. In any case, Recorded Future sees two strengthening trends
in ransomware. First, the ransomware-as-a-service market can be expected to grow, and second,
the gap between the high-end operators and the skids will continue to widen. As they put it,
there will be a continuing separation between the ransomware haves and have-nots.
There's a thriving ecosystem of free-to-play games and
free-to-try apps in Apple's App Store, programs that encourage you to spend some time with them
before deciding if you want to spend a few bucks to unlock features or continue their use.
Researchers at Sophos have been looking into the increased
presence of fleeceware apps, so-called because they lure you in with some promise of particular
functionality, but soon switch to charging users large sums of money, often in a sneaky way.
Chester Wisniewski is a principal research scientist at Sophos.
Well, they have a tendency to be on the whimsical side and on the commonly
searched side. And I think those of us that have been in the security industry for a long time have
often made fun of people downloading flashlight apps when there's been flashlight functionality
built into our phones for years, and yet run into our friends at parties who, in fact, have loaded
a flashlight app because it will strobe the light to the beat of their favorite song or, you know,
whatever.
And so a lot of these apps are things like that.
We see horoscope apps, fortune telling apps, QR code apps, apps that make you look like you're aging to see what you might look like when you're ready for retirement.
This kind of stuff that people would kind of play around with, but not take terribly
seriously.
And how are the folks who are running these app stores responding to these things?
Are they taking them down when they find them?
Well, it's difficult for us to know how much patrolling Google and Apple are doing, but
our researchers certainly have had no difficulty tracking them down.
And sometimes even to the point of us pointing out violations of the app store guidelines
to the app stores themselves,
going, we found all these apps, we see all kinds of people complaining about them,
why aren't you doing something?
And fortunately, we have seen some response when we file complaints,
but there does not appear to be a lot of proactive action on behalf of the App Stores.
Yeah, I mean, I wonder if it's against their own interest. I mean, for example, you know,
Apple takes a pretty significant cut of an app's revenue.
Yeah, the cynic in me says, hey, they're making 30% off every one of these things. You know, what incentive do they have? But I think
there is incentive in that people really do trust, and especially Apple over Google. I think a lot of
people are more suspicious of things that make it into the Google Play Store,
whereas Apple has a reputation that they value very highly.
The reason they're able to get you to buy very expensive phones
and laptops from them is that they do curate content pretty well,
and this kind of, I think, leaves a bad taste in people's mouth
who really trust the Apple brand.
What are your recommendations for folks who want to protect themselves, for themselves,
but also for other members of their family?
Yeah, it's tough.
It's a tough problem.
I mean, one thing you can do is regularly review any subscriptions in your app store.
So fortunately, both Apple and Google make it quite easy to review what things you're
subscribed to, especially if you're concerned about teenagers that maybe you're trying to give them some
control of their device and teach them some responsibility. You don't want to totally lock
it down. On the other hand, you don't want to find out, you know, six months later that you
paid $200 for a palm reading app. So, you know, we posted a blog post on our SophosLabs Uncut
site where we point people to the way to unsubscribe or check
your subscriptions in both iOS and Android. But it's quite easy if you go to the App Store help
and look for subscriptions and you can see a list of anything you're subscribed to.
That's Chester Wisniewski from Sophos.
In what the Washington Post sees as a shift in the EARN IT Act skirmish in the crypto wars,
Reuters reports that members of the U.S. Congress are seeking information on a 2015 backdoor incident at Juniper Networks.
While Senator Wyden, Democrat of Oregon, has been prominently mentioned among the pro-crypto lawmakers engaged in the inquiry, it's a bipartisan move.
Senator Wyden of the Intelligence Committee was joined by his Utah Republican colleague Mike Lee of the Judiciary Committee in a letter sent this Tuesday to Juniper Networks CEO Rami Rahim.
They're interested in what Juniper learned after it found what the networking shop called
unauthorized code in its NetScreen security software in 2015. It was reported at the time
that what they found was an NSA-designed backdoor.
The FBI investigated, but the results of their inquiry haven't been made public.
The other incident that's prompted a revival of this particular contest is the Motherboard
account, published earlier this week, of Facebook's development of an exploit that
enabled the FBI to make an arrest in a notorious case of child stalking
and exploitation. Facebook and other big tech companies have resisted the Justice Department's
push for what Justice characterizes as responsible security, which is to say security systems that
would permit some form of access to systems involved in criminal or national security
investigations. The Washington Post characterizes the effect of the news like this,
quote,
for that information, which cybersecurity pros say would make everyone more vulnerable to malicious hacking.
Finally, celebrity impersonation in the service of fraud is back.
Actually, it never really left, but it's back in a splashier way.
As has so often been the case, the celebrity being impersonated is Elon Musk,
the closest thing to a real-life Tony Stark we're likely to see,
only with a healthier heart and without the transistor-powered armor.
This round of trouble is a YouTube scam in which criminals hijacked the legitimate YouTube sites
Juice TV, Right Human, and Maxim Sakalevich, and renamed them SpaceX Live or SpaceX.
The hoods splashed some vaguely plausible SpaceX branding on the sites,
streamed some of the real Mr. Musk's appearances at conferences, and then pitched the usual
advance fee scam. The faux Musk would double your bitcoins back if you put some in a wallet
the crooks helpfully provided. Why would he do that? Well, never mind. It's Elon Musk.
That's the way he rolls. Surely, you say, no one could
fall for that. Surely, however, you'd be wrong. Naked Security reports that YouTube has given the
hijacked accounts the old heave-ho, but during their brief time on stage, the faux Musk had
pulled in about $150,000 in Bitcoin. Needless to say, not one of the marks realized any return on their investment.
Two things. First, it's worth doing what you can to secure your own social media accounts.
Try a password manager. Don't reuse your passwords. Use multi-factor authentication.
Sure, they're not collectively a silver bullet, but they're valuable precautions nonetheless.
And for heaven's sake, no one, and we mean no one,
is going to pay you big bucks in exchange
for a small donation.
And no, kids, that's not how the stock market
works, no matter how bullish it gets.
Class dismissed.
And joining me once again is David Dufour.
He's the vice president of cybersecurity and engineering at Webroot, an OpenText company.
David, it's great to have you back.
I wanted to get your take on where you think things are heading on the other side of this pandemic that we find ourselves in.
And I wanted to come at this from the point of view of the employer.
What are the realities you think they're going to face when we start to see some light at the end of the tunnel here?
First of all, great to be back, David.
Always love being here.
You know, I think a lot of folks are still asking that question.
What does this look like?
A lot of us like working at home, David.
Ironically, I'm sitting in the office and it's empty right now.
Me too.
You as well, yes.
I don't know if that says anything about us.
Truth hurts.
Yeah.
I was really surprised how quickly both technical and non-technical companies
were able to flip a switch and have people working at home.
And I think these organizations are going to have to spend some time
evaluating policies and procedures that they have in place because, you know, we have a lot of tools, VPNs.
I know we've had some struggles with VPN bandwidth load, having people come into the network to be secure.
Things like that are going to have to be evaluated in terms of how we can ensure high levels of productivity with the tools that we
have in place. That said, I think employers have been pleasantly surprised and somewhat shocked
at the productivity of employees who've been able to work from home. People are really, really,
you know, knuckling down and maybe that'll fade over time and it's all the, you know,
hey, we need to get through this. But people really are being hyperproductive from home and employers like that.
Yeah, it's interesting to me, you know, there's that old saying about how temporary solutions tend to become permanent solutions.
these networks, as stuff was put together with spit and baling wire just to get everybody in place, as things settle down and more permanent solutions are put into place, could folks actually
see pushback from employees as things become a little more regimented?
I can guarantee that's going to happen. I'm not going to name any offices that I'm familiar with who are already worried
they're going to all have to come back in. But no, I think there's a lot of that that's happening
when people realize, you know, I'm able to get a lot done when I'm not sitting in the car.
I'm showing up to work. I'm not as frustrated because of that drive or that commute. I'm home
with my family more. There's a lot of that. On the flip side, though, and we are experiencing a lot
of this as well, David, there's some desire to get back to that collaboration when you can get in a room with
folks and write on a whiteboard to design something out or plan something. So I think
we're going to have to find that balance between requiring people to come in at certain blocks of
time or letting them figure out when they need to get together to collaborate. Because yes,
we can all meet online with the video conferencing,
but there's something that is lost that's that intangible
when you're sitting in a room with people
that I think we're still going to have to figure out how that pans out.
Do you think we're going to see a shift?
I'm thinking about the pure hardware side of things,
of having servers and all those sorts of things
that having a physical location can provide you with. Do you think more, this is going to be a push to have more stuff just
be, you know, virtualized out there to have more and more things as a service?
Oh, I truly do. And
I'm going to jump back to like 2016, I think it was, maybe it was 2017, actually, I went a year without using Wi-Fi or cable. I put a SIM card
in my laptop and I completely was off network other than my wireless carrier for a year.
And that was painful at times, but it was doable in 2017. And, you know, with the 5G coming out
and the stability of 4G infrastructure, and I'm maybe extrapolating a little too far here because people have broadband and all
that at home.
But the capability of these cloud providers to provide the tools and SaaS solutions, all
of this is really allowing us to disconnect.
The concern then will be, as it's been for several years, how do I ensure the device
or the person is who they say they are if I have no network to feed them through to ensure that authenticity?
Yeah, that's an interesting point. All right. Well, David Dufour, thanks for joining us.
It's been great being here, David.
Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Thanks for listening.
We'll see you back here tomorrow.