CyberWire Daily - Gustuff is out and after Android devices. Microsoft takes down Phosphorus. Elfin is working for Tehran. Russian cyber troops come to help Venezuela’s Chavistas. Guilty plea expected in Martin case.
Episode Date: March 28, 2019
In today's podcast we hear that a young banking Trojan gains criminal market share in the Android ecosystem. Microsoft lawyers up and seizes sites Iran's Charming Kitten used to stage its attacks. Another Iranian APT, "Elfin," is described. A battalion's worth of Russian special operators and cyber troops are on the ground in Venezuela. Washington wants them out; Moscow says they're in for the duration. And accused NSA leaker Hal Martin is expected to take a guilty plea this week. Daniel Prince from Lancaster University on cyber risk management. Guest is Satish Thiagarajan from Tata Consultancy Services on customizing machine learning to combat cyber attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A young banking Trojan gains criminal market share in the Android ecosystem.
Microsoft lawyers up and seizes sites Iran's Charming Kitten used
to stage its attacks. Another Iranian APT, Elfin, is described. A battalion's worth of Russian
special operators and cyber troops are on the ground in Venezuela. Washington wants them out.
Moscow says they're in for the duration. And accused NSA leaker Hal Martin is expected to
take a guilty plea this week.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 28, 2019.
Security firm Group IB has reported that an Android banking trojan circulating in criminal marketplaces has been growing in popularity and should now be considered among the top threats of this kind.
The trojan is called Gustuff, and after about a year in circulation, it now joins more familiar banking malware like Anubis, Red Alert, Exobot, LokiBot, and BankBot.
Gustuff is said to be capable of phishing credentials and automating transactions in and around 100 Android banking
apps and some 32 cryptocurrency applications. Both large traditional banks and new wave altcoin
exchanges are among the targets of Gustuff's users. An attack begins with social engineering
designed to get users to the Android Accessibility Service. That's been a common approach with
Android banking trojans, but Gustuff departs from the norm in its ability to use Automatic
Transfer Service to expedite theft. That's old hat for Windows malware, but it's a new
wrinkle in the Android world.
So Gustuff will be one to watch.
So far, according to Group IB, the malware hasn't appeared in trojanized apps offered in the Google Play Store,
but users should be alert.
Iranian cyber threat groups are again in the news.
First, in a bit of lawfare observers approvingly call creative lawyering, Microsoft
yesterday announced that it had seized control of 99 websites used by the threat group they call
Phosphorus. A U.S. federal court issued an injunction last week that enabled the takedown.
Phosphorus is also called APT35, the Ajax security team, and, our favorite, Charming Kitten.
The group is known for its use of social engineering, usually tailored spearphishing,
or more broadly based phishing that uses a bogus security warning as its fish bait.
Traffic from infected victims will now go to a Microsoft sinkhole for analysis,
and not to the paws of Charming Kitten.
Microsoft observes that this takedown is similar to the one they executed against sites belonging to Strontium, the threat actor better known as APT-28, or, again, our favorite, Fancy Bear,
which of course belongs to Russia's GRU military intelligence service.
For some reason, Microsoft likes to use the periodic table of the
elements for deriving its names for threat actors. We feel sorry for the poor hoods who eventually
get tagged with Thulium, not to mention Boron, which sounds bad but is still a heck of a lot
more useful than Thulium. And what happens when you reach the 119th threat actor? Will Redmond
move on to isotopes? Some
element names, as it happens, are already taken by the good guys. Terbium comes to mind, and so
should be off the table. Anywho, for now at least, Phosphorus has taken the hit.
The other Iranian APT is one security firm Symantec calls Elfin. This group has been working most heavily against targets in Saudi Arabia and the U.S.,
but other countries have been affected as well.
Belgium, Jordan, the United Kingdom, the United Arab Emirates, China, Thailand, Morocco,
and the Czech Republic have all sustained attacks.
Elfin's targets have been drawn largely from the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.
Symantec calls the group agile and active and notes that it operates by scanning for vulnerable websites.
It then deploys a range of commodity and custom-built tools.
Security Week notes that FireEye tracks the group as APT33.
Neither Symantec nor FireEye thinks Elfin is the group responsible for the 2018 wave of Shamoon attacks,
although Elfin and Shamoon's targets have shown some overlap.
Some of Elfin's recent campaigns against Saudi targets have sought to exploit a known vulnerability in WinRAR, CVE-2018-20250.
Successful exploitation would give the attackers control over the victim machine.
We're all familiar with the phrase, fight fire with fire.
In the ongoing arms race between attackers and defenders in the cyber domain,
some say fight AI with AI.
Satish Thiagarajan is VP and Global Head of the Cybersecurity Practice at Tata Consultancy Services. He shares these thoughts.
Very recently, McAfee Labs published a report, a 2019 threat prediction report,
that states that hackers will increasingly turn to AI to help them evade detection.
This is very significant because we are already seeing patterns of attack that are very AI-driven.
So cybercriminals will also use AI to automate the target selection. So therefore, in our assessment over the last few months, we have seen a significant increase in cyberattacks,
which are not necessarily leaving signatures of
traditional methods of attack, but a significant influence of AI and ML by the attackers themselves.
Cyber attacks have become more adaptive. They've become stealthy. They are very intelligent,
and the intelligence has increased over the last few years. To defend against these kind of attacks, organizations probably need to use much more advanced AI,
machine learning, and deep learning capabilities to address this particular problem.
And what are some of the things that draw attention to an attack as likely being sourced by AI or machine learning?
Some patterns that we have seen are that malware is now able to choose
its target vectors on the fly based on the environment and vulnerabilities it perceives,
which is very different to the attacks that have happened in the past. There are older forms of
malware like TrickBot, which are now using AI to intelligently mimic trusted system components and adapt to the context of the target.
So number one, they are getting very stealthy.
Number two, they have the ability to adapt based on the target that they're trying to attack.
What part do the humans play in all of this?
Is this a matter where the AI and ML can handle the high velocity of potential attacks that are coming in and then alert the humans
that these are the ones that we believe really need your actual attention?
Absolutely. I think you've got it right on the money.
One of the key issues that we face as cyber defense warriors, there is this issue of alert fatigue.
You get millions of alerts. You don't know which one do you have to act on.
And you end up acting on a few and you leave the rest, not knowing whether the rest is going to cause disruption.
Artificial intelligence, analytics, and insights are going to give you the ability to identify the needle in the haystack.
The kind of algorithms that we use will identify the rightful pattern that is pointing to a potential attack or a breach in your system
based on data. There are also additional use cases where you use AI and ML in the context of
our business. We have built what is called a doomsday predictor. The doomsday predictor
actually looks at your WAF web application firewall logs, the incoming traffic is analyzed,
and based on the incoming traffic, we look at what is the attacker trying to attack in your system,
or what vulnerability is he trying to exploit. And within your system, you look at whether those
vulnerabilities are patched. And we do draw a correlation, you know, and based on algorithms, we predict what is the
likelihood that a particular vulnerability, be it on the infrastructure side or the application side,
is likely to be exploited. And hence, that needs to be protected. So having AI, ML, or deep learning
capabilities becomes very, very essential for an enterprise to be successful in defending their crown jewels.
That's Satish Thiagarajan from Tata Consultancy Services.
A small contingent of Russian troops, two plane loads,
has arrived in Venezuela with the avowed purpose of assisting the Chavista regime
recover from what Caracas maintains is a wave of cyberattacks and sabotage that has crippled its electrical grid.
The U.S. wants the Russians out, and the Russians say they're staying.
The two aircraft that made the delivery were an Antonov 124 Condor and an Ilyushin 62 Classic.
Between them, the two aircraft have a troop capacity of
somewhat less than 650, which places an upper limit on the size of any contingent they might
have carried. The Russian troops are said to include both special operations forces and
cyber operators, and so their presence might be said to constitute a kinetic contribution to an
information operation.
Few credit the Maduro regime's hacking allegations, but that's their story, and they're sticking to it.
The Venezuelan power grid continues to suffer periodic issues, even after power was restored
after widespread outages earlier this month.
European, Canadian, and U.S. authorities cooperated this week in rounding up 61 people
who'd been actively trading contraband of various kinds, drugs, guns and so forth, in dark web markets.
In addition to the arrests, police seized $7 million in cash and virtual currency,
as well as about 300 kilograms of drugs and 51 firearms.
Coincidentally or not, Dream Market, now regarded
as the world's largest dark web market since the demise of Silk Road, AlphaBay, and Hansa Market,
announced that it would cease operations at the end of April. There's some speculation that the
police took over Dream Market some time ago and have been using it as a honeypot, but most observers
think this is unlikely.
It's probable that the Dream Market's proprietors are feeling the heat
and decided to get out while the getting was still good.
The Wall Street Journal, CNN, the Baltimore Sun, and others are reporting that former NSA
contractor Hal Martin is expected today to plead guilty to charges of stealing classified material.
His trial has been expected to begin in June.
The government says they found some 50 terabytes of secrets in Martin's possession in his home
and shed in Glen Burnie, Maryland, a Baltimore suburb near BWI Airport and just across Interstate
95 from Fort Meade.
Mr. Martin's defense counsel have portrayed him as a pack rat,
and in this judgment they are seconded by some of his acquaintances. But defense counsel has
suggested that their client's hoarding was obsessive and perhaps pathological,
and maybe in this respect even exculpatory. He's no Edward Snowden, they've said,
and had no intention of harming the U.S.
The government, it's worth noting, hasn't charged Mr. Martin with espionage, but rather with 20 counts of unauthorized and willful retention of national defense information.
That's bad enough, but it's also not espionage.
An interesting question that remains to be answered is this.
With all the concern about insider threats,
how was a pack rat able to pack so much over the course of more than a decade?
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's great to have you back.
We wanted to touch today
on cyber risk management and some of the aspects related to that. What do you want to share with us?
Thanks for having me back on. One of the areas that I teach here at Lancaster is around
cyber risk management as part of our master's degree course. And one of the things that I talk
to my students about when we're going through this course is the idea that for a lot of the cybersecurity risk management elements that we're looking at,
so all the risks and the threats, they're based on a series of assumptions.
Assumptions about who the attacker is, assumptions about the structure of the network.
And what we're really saying when we're trying to make risk evaluations
is that this is the risk level, assuming all the
things that we have that go behind that are true. And that basically moves us into a different
kind of category. Because what we need to do is understand all those assumptions behind what we
believe to be the known knowns. Because as soon as those assumptions start to fail or start
to be proven to be false, then actually a lot of the risk measurements that we've made start to
fall away. They start to become invalid. Now, in terms of the known knowns and managing risk,
are we dealing with absolutes or probabilities? By and large, when we're doing things like
quantitative risk management, we're thinking about the probabilities. We're thinking about the possible outcomes that the
system can produce, and in this case the negative outcomes, the negative events, and then we're trying
to assign probabilities to those, the likelihood of those events happening. And what
I'm interested in is trying to help the students and others to understand actually what are the assumptions that
go into making those qualitative or quantitative risk assessment analyses, so that
we can understand when those assumptions do fail and we can take appropriate remediation action. And
that's really important because time and again we've seen in the technology scene a number of sort of assumptions around how the technology works fail.
So, for example, the hardware security issues we've seen with Spectre and Meltdown, you know, there's a big assumption here that the actual hardware is secure and actually doesn't present any problems.
But, you know, as soon as that assumption is proved to be false, then a lot of the other security assumptions that we make and the security risk assessments that we make
then also become false, and we have to start again. And so it's really important to understand
the assumptions that we have that sit behind our risk assessment and try to map and understand
those. And it's also caught up in this idea of inductive risk, so the reasoning process that we have behind it and the risks associated with that in terms of the biases that we have in place, potentially have in place, and then also based on the assumptions around the methodologies we use to derive the probabilities and so on.
Yeah, it strikes me that, you know, with something like those hardware issues, that's a low probability risk.
I would imagine you're thinking that,
you know, these hardware designs that have been around for decades would have a fundamental flaw in them. Well, there's a low chance of that, but it's also a high impact if something like that
turns out to be true. And that's one of the significant problems, I think, with cybersecurity
and technology more generally. The risks are driven by network effects. So they're
highly exponential. As soon as something bad happens, it tends to happen very quickly and
at scale. So these things that we would normally not need to worry about in terms of physical
processes, physical risks, we do need to worry about because there is a significant impact potentially from these
low probability risks and there is, I would argue, we need to consider those in a much
more considered way because it's time and again we've seen within cyber security a significant
number of black swan events, things that people didn't think could happen are happening
and causing a significant number of problems for everybody. Daniel Prince, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.