CyberWire Daily - If you're running a red team, let someone know it's a drill. Apache patches Struts. Another exposed AWS bucket. Remcos abused by hackers. DPRK goes after Macs. Dark Tequila runs in Mexico.
Episode Date: August 23, 2018
In today's podcast, we hear that a phishing attempt against the Democratic National Committee turned out to have been a poorly coordinated red-team exercise. Apache patches a remote code execution vulnerability in Struts. Another exposed AWS bucket. Remcos remote administration tool is being abused by black hats. Dark Tequila goes after customers of Mexican financial institutions. The Lazarus Group is back, and it's getting into Macs for the first time. Joe Carrigan from JHU ISI on Android vs. iOS data privacy. Guest is Oren Falkowitz from Area 1 Security on protection against phishing attempts. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_23.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A phishing attempt against the Democratic National Committee
turns out to have been a poorly coordinated red team exercise.
Apache patches a remote code execution vulnerability in Struts. Another exposed AWS bucket. Remcos remote administration tool is being abused by black hats. Dark Tequila goes after customers of Mexican financial institutions.
The Lazarus Group is back and it's getting into Macs for the first time.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Thursday, August 23, 2018.
In a week that's seen Microsoft, Facebook, and Twitter shut down influence operations from Russia and Iran,
and warnings last week that China and North Korea were also interested in hacking U.S. elections,
it's understandable that many people are quick to see foreign influence.
And it seemed late yesterday that there'd indeed been another election hack,
this one a phishing campaign directed against the U.S. Democratic National Committee, the DNC.
The DNC's CSO briefed party leaders, informed the FBI,
and took a whack at the administration for not doing enough to protect voting infrastructure.
It emerged overnight, however, that there was, in fact, no hack.
It was a false alarm produced by a poorly coordinated phishing awareness exercise.
Security firm Lookout reported a fake login page for VoteBuilder
that appeared to be after credentials for the DNC's voter database.
The DNC ran with the false alarm.
As Lookout has since tweeted, correctly,
you don't know an alarm is false until you investigate.
But the snafu, as CNN called it, is embarrassing.
It's good to be aware of security, but it's also good to be aware of it in ways that don't turn a fire drill into a federal
case. It's also worth pointing out that this is a good case study in the perils of attribution.
DNC CSO Bob Lord, a Yahoo alumnus who distinguished himself by mopping up that
company's big breaches,
all of which occurred before he was brought in to fix things, was in full cry yesterday.
He denounced hacks left, right, and center, demanded action and more administration support,
and congratulated his team on stopping the phishing in its tracks.
Others piled on, like Representative Carolyn Maloney, a Democrat from New York, who tweeted that, quote, This hacking attempt comes just weeks after the @HouseGOP voted against funding for voting protections.
Our intel community warned us about this, and now it's happening.
This isn't fake news. It's a real attack on our democracy. We need to act. End quote.
The administration, in the person of Homeland Security Secretary Kirstjen Nielsen,
simply congratulated the DNC on reporting the case to the FBI,
which is, she said, the right thing to do.
But consider, if you will, how this might have played out
if victims of phishing generally had legal authority to hack back.
Senator Whitehouse, call your office.
This isn't a political comment, by the way.
Democrat CSOs are probably neither more nor less Chicken Little-ish than any others,
and Senator Whitehouse has bipartisan sympathy in Congress. But everyone, whatever their political
inclinations, might well pause and think about the dangers of harum-scarum attribution. We're so disposed to see cyber Pearl Harbor
that we overlook the opposite possibility of a cyber Tonkin Gulf incident.
No one's quite sure yet who ordered up the red-teaming phishing test,
but people are pointing on background toward the Michigan branch of the Democratic Party.
If that turns out to be true, then hey, just chalk it up to experience
and add the Michiganders to the list of bad guy capitals. Pyongyang, Moscow, Beijing, Tehran,
Lansing. If they get to Grand Rapids, well, then Katie, bar the door.
Phishing campaigns remain a reliable way for adversaries to find their way into your systems,
to trick employees to perform an action, click a link, pay a phony bill, or transfer money to an
In some ways, phishing campaigns remain the same as they've always been.
It's an attempt to lure a user to take some sort of action unwittingly,
whether it's to click on a link that might drive them to a website where they might reveal a
username and password, or to download a file which might infect their computer, or increasingly
to not click links or download files, but just to engage in the transfer of data at the request of another or transfer of financial assets at the request of someone else.
What does evolve is that attackers leverage authenticity as the key kind of lure in getting individuals to respond to their phishing campaigns.
And these lures around authenticity come in two primary forms.
The first is primarily the 100 largest brands or companies in the world, their logos and their
corporate assets are used to make the campaigns look authentic. So it's common to see the links
that people click look like logins to Google or to look like logins to Dropbox or to
your financial institution. And the second type of authentic lure is to leverage the organizational
dynamics that we all play within to make it appear as if the CEO from your company is sending you an
email or a financial officer is requesting information from you.
And, you know, if you really think about our organizational dynamics, it's very hard if you work at, for instance, the Walt Disney Corporation to receive an email that you think comes from the CEO, Bob Iger, and to not respond because you think it looks funny.
And so we see that in 100% of the time when users fall for phishing campaigns, that they're trying to do their jobs correctly. That's why they continue to be the root cause in over 95% of cybersecurity incidents.
Now, is it common that you find that if someone does fall victim to something like this, are these incidents underreported? Is there an embarrassment factor?
I think certainly that's the case. In some instances, folks might have a suspicion that they've done something wrong, but primarily folks are unaware that that has happened.
It's all happening at network speed, the transfer of this, and ultimately until there's damage, I don't think people are realizing that something has gone wrong.
And so what are your recommendations for organizations to better protect themselves against these attacks?
There's two primary things to start with.
You know, today, the cost of being a bad guy on the Internet is just really good business. So we need generically to be increasing those costs and make it more difficult for attackers to just be sending out emails and hoping one of them lands and someone transfers them $50,000.
That's a really good day of work.
You know, if you think about an hourly basis, that'd be great for you and I.
And the second is that organizations need to invest in technologies that are comprehensive and specifically focused on stopping phishing.
Historically, organizations have invested in anti-spam technologies, which is not the same as phishing.
And those anti-spam layers consistently miss on these phishing campaigns.
They're consistently bypassing those layers.
Education and awareness programs are totally ineffective at stopping the inevitability of the click.
And as part of layered defenses, organizations need to start investing in technologies that are special purpose designed for phishing and to be comprehensive.
You know, on one level, many people believe phishing is an email problem.
And while email is a primary vector for these phishing campaigns, it's not the only vector. A large number of them persist across the worldwide web. And so there's a need for comprehensiveness in this approach as well.
That's Oren Falkowitz from Area 1 Security.
Apache Struts has been found vulnerable to remote code execution.
Security firm Semmle described the issue, which the Apache Foundation is addressing with a patch.
As Semmle points out, remote code execution exploits have the potential to work great damage, so they encourage patching.
Surveillance toolmaker SpyPhone left terabytes of data exposed in a misconfigured AWS S3 bucket.
The exposure was disclosed to Motherboard by a security researcher
who wishes to remain anonymous for fear of legal retaliation.
Motherboard reports that 3,666 phones were tracked in the database,
which contained things like texts and selfies.
The security site Have I Been Pwned also looked into what the researcher found,
and they concluded that 44,109 email addresses
were among the material compromised.
SpyPhone told Motherboard that they're investigating
and that they're thankful the researcher
who found the bucket had good intentions.
But again, do look at your buckets.
Cisco's Talos security unit reports that Breaking Security's Remcos remote admin tool is being exploited by hackers.
Breaking Security, a security software outfit based in Germany,
says its tool is legitimate, that they don't want it misused,
and that they'll revoke the license of those who abuse it.
But Talos isn't entirely convinced.
Remcos is widely discussed and traded in gray or black markets.
Researchers at Kaspersky Lab are tracking what they call Dark Tequila,
a financial fraud campaign targeting customers of Mexican financial institutions.
It's sophisticated and long-running, apparently since 2013.
The attack is multistage and modular.
It has an info-stealer that harvests passwords from browsers,
a keylogger, and a service module that keeps it running properly.
The two known infection vectors are spear phishing and injection by USB device.
And finally, the DPRK seems to be branching out.
Kaspersky Lab finds North Korea's Lazarus Group pushing Mac malware in Operation AppleJeus.
The campaign affects Macs, which is new for Pyongyang's hackers.
And its malware poses as a legitimate-appearing app from a cryptocurrency trading software vendor.
When the victims take the bait, they're infected with the FALLCHILL RAT.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
He's also my co-host on the Hacking Humans podcast.
Joe, welcome back.
Hi, Dave.
So we got an article here.
This comes from Digital Content Next online service, and it's called Google Data Collection Research.
And this is research that was done by Professor Douglas C. Schmidt.
He's a professor of computer science at Vanderbilt University.
And they're looking at how much data Google collects from their users on mobile devices
and contrast that over what kind of data is collected on iOS devices.
I must admit, Joe, I'm trolling you a little bit here.
I was going to say, Dave, you're trolling me, aren't you?
Yes.
For those of us who aren't regular listeners of the Cyber Wire,
Joe uses Android devices, and I prefer iOS devices.
That's right.
This comes up more often than it probably should.
And Dave often likes to compare Apples to Googles.
There you go.
So what do we know from this research here?
Well, we do know that you're correct, that Android devices, even when they're idle and
stationary, communicate a lot more with the Google services than the Apple devices communicate with Apple.
Right.
What Professor Schmidt found is that a lot of this information is location data.
Yeah, 35% of the data was location.
35% of the traffic is location data.
Right.
I don't know why it feels necessary to do that.
We use that location data in our family so that we can track where everybody is.
But we are under no disillusion that Google also has access to that location data.
Before we started, you and I were talking about this.
And one of the key points that you brought up is that Apple and Google are in very different businesses.
Right, right.
Which they brought out in the research here as well.
Right.
Apple is in the business of selling people hardware, and they are very user-focused.
And Google is in the business of a search engine and advertising and marketing.
Right.
And they provide some remarkably good services to users for free.
For example, Google Docs, which I use, and it doesn't seem to have a lot of advertising on it. It's a great tool, but I'm under no disillusion of what that entails, that Google has access to every single thing that I type up there. If I have something, some intellectual property I don't want shared with Google, I don't put it on that service. For example, my password safe file, which I have started protecting now with a physical YubiKey, I don't keep that on Google at all. I keep that on another cloud provider service.
That shall go unnamed.
That shall go unnamed, I guess, yeah.
Right, right.
But it is one of the big three or four or five ones. But yeah, because I don't think that, I'll say it's Microsoft.
I don't think Microsoft's business
is selling me software and cloud services.
Right.
Not selling me advertising.
So I don't think they're mining my data,
or if they are,
they're not mining it to the extent that Google is.
Google is definitely mining my data.
Yeah.
I know they're doing that.
That's what they do.
Yeah, it's interesting statistics they had here.
They said an Android phone,
a stationary dormant Android phone,
contacted Google 340 times during a 24-hour period.
That averages out to 14 communications per hour.
Yeah.
And an idle iOS phone didn't communicate back at all.
You had to be using the iOS phone for it to be sending that sort of data back.
Right.
Interesting.
So it's a consumer choice.
Yeah.
And I understand consumer advocates will say most people don't know that this is a choice they're making.
And that's true.
They don't know.
And that's kind of why we talk about this and why Professor Schmidt has published this is because people should know this.
This is something they should be making this as a conscious decision.
Right.
They shouldn't just be going, oh, it's free.
That's great.
And like we always say, if something's free, you're the product.
Yeah.
And Tim Cook says that a lot.
All right.
Well, the research is called Google Data Collection.
Again, we found this on Digital Content Next.
So it's worth a look.
And Joe, as always, you're a good sport.
Thanks, Dave.
All right. Thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too. Thanks for listening.
We'll see you back here tomorrow.