CyberWire Daily - GriftHorse’s premium service scams. Facebook open sources a static analysis tool. Update on the Group-IB affair. What the Familiar Four are up to. Counting ransomware strains.
Episode Date: September 30, 2021
GriftHorse will subscribe afflicted Android users to premium services they never knew they'd signed up for (and wouldn't want if they did). Facebook releases a static analysis tool it uses internally to check apps for security issues. Speculation about what put Group-IB's CEO in hot water with the Kremlin. A look from NSA about where the major nation-state cyberthreats currently stand. Malek Ben Salem from Accenture has thoughts on quantum security. Our guest, author and Wired editor at large Steven Levy, joins us with insights on Facebook's internal research teams. And a short census of ransomware strains.
For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/189
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Grifthorse will subscribe afflicted Android users
to premium services they never knew they'd signed up for.
Facebook releases a static analysis tool.
Speculation about what put Group IB's CEO in hot water with the Kremlin.
A look from NSA about where the major nation-state cyber threats currently stand.
Malek Ben-Salem from Accenture has thoughts on quantum security.
Our guest is author and Wired editor-at-large Steven Levy,
who joins us with insights on Facebook's internal research teams and a short census of ransomware strains.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 30th, 2021.
Security firm Zimperium late yesterday described the activities of a massive Android scam campaign
they're calling Grifthorse.
Around 10 million devices worldwide have been affected,
and losses could amount to hundreds of millions of euros.
It's a premium service scam in which the crooks use malicious apps
and not the customary phishing
to enroll users in paid services they don't want.
The name Grifthorse presumably comes from gifthorse,
like the one you proverbially shouldn't look in the mouth,
and that might as well be the favorite proverb of social engineers everywhere.
At any rate, Zimperium's description of Grifthorse is instructive. The bait, as is so
often the case, is the proffer of a free prize, one you need only claim for it to be yours.
The crooks work to lull users into gullibility and complacent acceptance. Zimperium says,
quote, overall, Grifthorse Android Trojan takes advantage of small screens, local trust, and misinformation
to trick users into downloading and installing these Android Trojans,
as well as frustration or curiosity when accepting the fake free prize spammed into their notification screens.
End quote.
In all honesty, it's the sort of thing many would fall for.
Zimperium says the campaign has targeted
millions of users from over 70 countries by serving selective malicious pages to users
based on the geolocation of their IP address with the local language. This social engineering trick
is exceptionally successful, considering users might feel more comfortable sharing information
to a website in their local language.
The infection, note, is the Android malware that serves the victim the pop-ups.
Upon infection, the report says, the victim is bombarded with alerts on the screen letting them
know they'd won a prize and needed to claim it immediately. These pop-ups reappear no less than
five times per hour until the application user successfully attempts the offer.
Upon accepting the invitation for the prize,
the malware redirects the victim to a geospecific webpage
where they're asked to submit their phone numbers for verification.
But in reality, they are submitting their phone number to a premium SMS service
that would start charging their phone bill over €30 per month.
The victim does not immediately notice the impact of the theft
and the likelihood of it continuing for months before detection is high,
with little to no recourse to get one's money back.
The proprietors of Grifthorse have avoided hard-coding URLs or reusing the same domains,
both of which have made their malware relatively difficult to detect.
They target different geographical regions differently.
And, quote,
This check on the server side evades dynamic analysis checking for network communication and behaviors.
End quote.
Zimperium warned Google about the malicious apps before the researchers went public with their findings,
and Google has ejected the bad apps from the Play Store.
That's a good thing, but it's far from representing a permanent removal of Grifthorse.
As Wired quotes Zimperium's CEO, Shridhar Mittal,
quote, these attackers are organized and professional.
They set this up as a business, and they're not just going to move on.
I'm certain this was not a one-time thing, end quote.
Facebook has open-sourced its Mariana Trench static analysis tool used within the company to find security flaws in Java and Android applications.
Bleeping Computer notes that this is the third security-focused static analysis kit Facebook
has released.
TASS has been authorized to disclose a bit more about the treason charges Russian authorities
have brought against Group IB's CEO Ilya Sachkov this week.
A source tells the outlet that, quote, the investigation suspects Sachkov of handing over
classified information on cybersecurity to foreign intelligence agencies, end quote. Which
intelligence service employed him isn't being revealed because TASS's source says they don't
want to compromise an ongoing investigation. But TASS observes that there are a number of
unnamed possibilities. There are indeed. Russia's got a lot of beefs with a lot of foreign countries.
But it would be premature to assume
that this is a clear good-faith prosecution.
Sachkov, as Christopher Burgess points out
in an interesting piece in Security Boulevard,
isn't some unknown or minor figure.
His company may now be headquartered in Singapore,
but he's also a
regular consultant to the Duma, Russia's parliament. As recently as two years ago,
he received the Russian Federation's Big Business Award from President Putin himself,
and was photographed with Mr. Putin on the occasion. Group IB's offense may be the appearance
that it had been too cozy with the FBI.
Sachkov's company, and especially one of its executives, Nikita Kislitsin,
cooperated with the Bureau in the investigation of Yevgeny Nikulin,
a Russian the U.S. indicted in 2020 for the 2014 compromise of Formspring and LinkedIn.
Burgess writes, quote, Group IB, as well as Kislitsin, cooperated with the U.S.
investigation, making themselves available for interviews with the FBI in the U.S. embassy in
Moscow. During that meeting, according to Radio Free Europe, Kislitsin said he was open to
collaboration and wished to mitigate any problems. Of particular note is Kislitsin's revelation that a Russian hacker had
worked with the Russian Federal Security Service, the FSB, to obtain compromising information on
unnamed individuals, end quote. So it may be the implications of privateering or at least coziness
with the FSB that Group IB people appear to have given the FBI that put the organs' noses out of joint.
Various government and industry bigwigs have been out in Aspen, Colorado, swapping thoughts on matters cyber.
NSA's Rob Joyce reviewed the current state of play with respect to the familiar four, as seen from Fort Meade.
The Record glosses his remarks as follows,
quote, Russian state hackers are disruptive and are doing intelligence gathering on critical
infrastructure and governments. Hackers backed by Beijing are off the charts in terms of their
scope and scale. Iran's hackers are often very focused on regional things right now,
but they're dangerous because they're less judicious in what they decide is a reasonable action, end quote.
So some wild and crazy guys are out and about from Tehran.
And the North Koreans?
They're out for the cash, still active, still a threat,
very capable, but mostly focused on crypto exchanges
and creating money.
And finally, Bitdefender's latest monthly
threat report, released yesterday, notes the resurfacing of REvil under its familiar name.
The report also counts some 250 active ransomware strains, which is a lot, especially given the
challenge of survivor bias duly noted by Bitdefender, and the difficulties of individuating things as slippery as bad
actors.
Anyway, their name is Legion, and to draw a conclusion the report doesn't, a look at
the countries targeted suggests that half to two-thirds of Legion probably have a letter
of marque from 24 Kuznetsky Most, not far from Ulitsa Lubyanka.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
The Wall Street Journal recently published an investigative series examining Facebook,
and one of the areas they focused on was the social media giant's own internal research.
Steven Levy is editor-at-large at Wired, where he writes the column Plain Text.
He's also author of a number of best-selling books, including his latest, Facebook: The Inside Story.
I caught up with Steven Levy on our Caveat Law and Policy podcast.
Well, research started pretty early in Facebook's history.
They were watching what people did almost from the get-go. But in 2006, they hired a really bright person named Jeff Hammerbacher
to make all the data very easy to search.
And he created this infrastructure that allowed them to take the data
and do all kinds of research.
And they began to hire social scientists and statisticians
to make the research in a more organized fashion. Interestingly, research was part of the
organization at Facebook that was devoted to growth. So a lot of the research was devoted
to ways that people would stay on longer to Facebook and help them discover not only ways that people might use Facebook better.
A lot of companies in Silicon Valley use researchers to test how well you use the product,
what you might want to do in a product that you can't do, what you have difficulty doing.
But in terms of Facebook, they also figured out how the algorithm would work to keep you using it more.
And one of the big breakthroughs that happened in research was when they discovered how things can go viral on the system.
And they published a paper on it called Gesundheit, because it's like a sneeze.
Certain things can go viral.
And they thought that was the greatest thing ever.
And they never realized, the researchers who published that,
that really is the key not only to fun things going viral, but as it turns out, some things that create anger or divisiveness or just misinformation, which is harmful. So the research is sort of a mixed bag there.
Is this ultimately just about growth and money and profits?
I mean, why do you suppose they're so hesitant to make meaningful changes here?
Well, growth is the North Star at Facebook.
In my book, I devoted a lot of time to tell, for the first time, the story of Facebook's growth circle, they called it, which used all kinds of means,
some of them pretty dicey, to get and retain users. And that is the key to Facebook, really.
And money is important because that enables Facebook to spend money to grow more and retain more users.
It is connecting the whole world, which is important to Facebook.
And to do that in light of competition from places now like TikTok that draws people away from Instagram and Facebook.
Probably those TikTok users aren't using the Facebook main
app anyway. And there's only a certain amount of time people spend in a day. So that is really
important. And as it turned out, when push came to shove in certain ways, the way Zuckerberg chose
to look at it was to say, wait a minute, a fifth of our users, the teenage girls using
Instagram, it makes them feel bad, aggravates their mental health problems. That means like
four-fifths are doing great, right? So let's go with that. But obviously, a fifth of the teenage
girls who use Instagram represent millions of people, quite literally.
So there's something really wrong if your researchers come to you, and if you look at
these slides, it's almost like they're begging the leadership of Facebook to do something about it.
You're saying, our product is making millions of teenage girls feel bad, and some of them with mental health problems are seeing these problems aggravated by it.
That's a serious problem for a company to make the lives of millions of teenage girls miserable or worse even.
You would think that all steps, any step possible would be taken to change that situation.
But in this case, at least according to the journal reporting, those steps weren't taken.
It was saying, well, you know, gee, if we change that, people would use Instagram less.
Where do you suppose things have to go for us to see meaningful change here? Is this something where we could see, if Facebook doesn't make effective change themselves, perhaps we'll see some regulation?
I think it's more likely.
The more we see leaks like this coming out, which isn't, let's say it's in the category of shocking but not surprising.
People don't really expect Facebook to be dealing honestly with them anymore.
Certainly the legislators that are trying to get information out of them, the regulators, don't think that. There's a whole class of skeptics and critics of Facebook who wouldn't be surprised by this.
The independent board that Facebook set up, whose job it was basically to rule on decisions that Facebook made that
people are challenging, overstepped their charter intentionally and said, wait a minute,
we want to get into this. We want to look into this. So they're going rogue in a way,
which is kind of interesting. I think ultimately, this pressure is going to lead Facebook to make some changes, maybe not willingly.
That's author Steven Levy. His most recent
book is titled Facebook: The Inside Story. You can hear the rest of my interview with
Steven Levy on this week's CyberWire Caveat podcast.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And joining me once again is Malek Ben-Salem.
She's the Technology Research Director at Accenture.
Malek, it is always great to have you back.
I want to touch today on some work that I know you are involved with,
with quantum security and safety.
What can you share with us today?
Yeah, I wanted to talk to your audience about
a question that I typically receive when I have conversations with my clients around quantum
safety and quantum readiness. As you know, Dave, we talk about the quantum threat, the threat of a universal quantum computer that is able to break our current encryption schemes that rely on integer factorization.
So it will be able to break the most popular public key algorithms such as RSA and our digital signature algorithms, etc.
Right.
And the way of dealing or preparing for that quantum threat is to use post-quantum crypto
algorithms that are, you know, quantum safe, or to rely on this other approach known as quantum key distribution,
where organizations can distribute keys through a quantum channel.
So not classical keys, but quantum keys.
And that provides basically the ability to ensure
that those keys have not been tampered with,
and they would not be at the risk of being
factorized or decrypted if a threat actor is eavesdropping. The typical question that I get
from clients is, you know, do I need both? Or is it okay to just choose one approach to be quantum safe versus the other?
And my answer is that you probably or most folks will need both because they're complementary.
So post-quantum crypto, again, relies on certain mathematical assumptions.
They're not the same as the ones we've been relying on to build RSA, for instance.
They're new mathematical assumptions, but they eventually are dependent on those mathematical assumptions
and are only as strong as those assumptions are. A number of algorithms
are being evaluated by the research community, the crypto research community. NIST is enabling that
and NIST is expected to announce the winner of that assessment or what will be potentially the new crypto standard by 2024.
So that's one approach.
And organizations can already implement those algorithms, try them out in their environments,
understand their computational overhead and the latency that they introduce in comparison to existing crypto.
But QKD, you know, relies not on the mathematical assumptions, but on the quantum properties, the mechanical properties or quantum physics properties, right?
That can provide this, you know, tamper evidence property when keys are distributed. However, post-quantum crypto is more, you know, can deal with scale, right? Can be scaled to the scale of the Internet versus QKD has some physical limitations because it's a link.
It's based on a link-to-link transmission.
So there is a limited number of qubits that can be transmitted on a line.
So there's basically physical limitations.
So, yeah, so that's why I think for companies, for most use cases, you'll need both. And also QRNG, quantum random number generation, together, all in one strategy and all in one defense-in-depth strategy going forward.
You know, we've been talking about this coming quantum revolution or threat, however you want to look at it, for a few years now. And my recollection is a couple years ago, it was really a hot topic.
And it seems like things have sort of settled in
and people are taking very practical approaches these days.
Where are we in terms of the computational heavy lift
versus Moore's law making everything get a little faster?
By the time this is ready for widespread distribution,
are we going to be in a good place
in terms of it not being too much of a burden to transition to?
I think that is a great question.
Knowing how long these transitions take,
particularly crypto, right?
Whenever you're changing standards in crypto
or changing algorithms in crypto,
we've seen this over and over.
They take years, if not decades.
And I go back to the example of DNSSEC being deployed.
We still see DNS servers that are not using the DNSSEC
protocol, even though that is a simpler change, right? But now with, let's say, post-quantum
crypto, you know, organizations would have to upgrade thousands of applications, right, and certificates, and you name it. So again, the transitions take years. So I think if we don't
start now, we're not going to be ready, knowing that a quantum computer is expected to be available
within 10 to 15 years, depending on whom you talk to.
Right.
And also because for certain, you know,
this harvest now, decrypt later threat, right?
So threat actors can, you know,
listen on our communications today and harvest all of that data
and then decrypt it 10 years from now.
So the threat is here.
It exists today and we need to deal with it and we need to mitigate it as soon as possible.
All right. Well, interesting stuff as always. Malek Ben Salem, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Tré Hester, Brandon Karpf,
Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.