CyberWire Daily - Indonesian election security. Watering hole in Pakistani passport site. RAT hunting. “Intelligence brute-forcing.” Just-patched zero-day exploited. PoS DGA attack. Operation Sheep. BND advises “nein” to Huawei.
Episode Date: March 14, 2019
In today's podcast, we hear that Indonesia says it's got its voting security under control, and a lot of the problems sound like good old familiar fraud and dirty campaigning. Trustwave warns of a watering hole on a Pakistani government site. Recorded Future goes RAT hunting. Proofpoint offers a look at "intelligent brute-forcing." Kaspersky reports on two espionage APTs exploiting a just-patched Microsoft zero-day. Flashpoint describes an unusual point-of-sale attack, and Check Point finds Trojanized Android apps. Germany's BND warns against Huawei. Robert M. Lee from Dragos with thoughts on the Venezuelan power outages. Guest is Jeremy Tillman from Ghostery on the California Consumer Privacy Act. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_14.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Indonesia says it's got voting security under control,
and a lot of the problems sound like good old familiar fraud and dirty campaigning.
Trustwave warns of a watering hole on a Pakistani government site.
Recorded Future goes rat hunting.
Proofpoint offers a look at intelligent brute forcing.
Kaspersky reports on two espionage APTs exploiting a just-patched Microsoft zero-day.
Flashpoint describes an unusual point-of-sale attack.
And Check Point finds trojanized Android apps. And Germany's BND warns against Huawei.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 14, 2019.
Indonesian authorities have said after complaining of Russian and Chinese attempts to meddle with that country's voting
that elections will go on as planned and that they expect the vote to be credible and fair.
It's no longer singling out Russia and China.
There have been, authorities tell Reuters and others, what they characterize as probes from a range of foreign IP addresses, including Russia and China, but not limited to
those two. In any case, the government says it's confident of its ability to handle any disruptions.
The opinion in Jakarta is generally that domestic finagling is probably more prevalent
than any foreign influence attempts. So the threats are
more the commonplace ones, rumor-mongering, campaign lies, and the sort of vote-buying
any old-time Chicago ward heeler would recognize, like giving someone a turkey and a ride to the
polling place if they and their deceased relatives could commit to voting for the machine candidate.
They may make a lot of beanbags in Indonesia, but politics ain't beanbag there either.
A number of security firms reported threat research results yesterday and today.
We'll run through some of them.
Trustwave's SpiderLabs is warning of compromised Pakistani government sites
serving keyloggers.
The compromised sites belong to a subdomain of Pakistan's
Directorate General of Immigration and Passport
that enables people to track their applications through the system.
It's effectively a watering hole attack that serves visitors ScanBox malware.
Scanbox normally appears in the reconnaissance phase of an attack,
where it's used to gather the sort of information that will prove useful in subsequent targeted attacks.
SpiderLabs doesn't offer any attribution for the Pakistani infestation, but they do note that
ScanBox has been used in the past by the Chinese APTs Stone Panda and LuckyMouse. Whoever's behind it,
they may have noticed that Trustwave is on to them, since they appear to have gone quiet.
A significant number of attacks against corporate
data are traceable to remote access Trojans, or RATs, many of which represent commodity malware
traded in the criminal underground. Recorded Future this morning published an overview of
RAT activity. They paid particular attention to Emotet, XtremeRAT, and ZeroAccess.
The researchers were interested in tracing the RATs' command and control channels.
Most Emotet controllers resolved to Latin America,
as did a significant proportion of infected Emotet hosts
in the automotive, retail, finance, energy, entertainment, logistics, construction, and technology sectors.
XtremeRAT infections showed some geographical diversity,
turning up in European utilities and video game outfits, telecoms in the Middle East,
South Asia, and East Asia, and at least one industrial conglomerate and an IT company,
also in East Asia. The attackers' motives are an interesting mix of financial gain,
that is straightforward theft, and street cred,
that is showing off their skills in front of the knucklehead hacker community.
In the U.S., as citizens grow increasingly frustrated with what many consider unreasonable
encroachments on their privacy, California is leading the way when it comes to consumer
privacy legislation. Jeremy Tillman is from Ghostery,
makers of the popular privacy-focused web browser plugin, and he offers this perspective.
We're in an interesting moment in the sort of U.S. legislative ecosystem where both parties
are trying to stake out positions on consumer privacy. Over the past couple years with the
growing scandals with Facebook, with some of this increased scrutiny, even on Google and Apple, I think both sides of
the aisle are trying to find a message that appeals to voters. What's interesting though,
is that there's a lot of competing forces that are sort of playing a bit of a tug of war over
what these privacy laws might be. And I think it's pretty striking how
they are similar to and how they might be different from what GDPR is. So I think the most well-known
one is the California Privacy Act, which in many respects is the strongest data protection law in
the U.S. By and large, it's pretty much head and shoulders above anything else that has been
proposed in the US. It is very strongly
requiring consumers have a right to know what companies are collecting about them and whether
their data is being sold. I think compared to the GDPR, it falls short really in two ways.
The first is that the GDPR has pretty strict requirements around disclosure by companies
and the requirement for consumer opt-ins.
Second, the GDPR also has really, really stiff penalties. In fact, I think Google recently had
a 50 million euro fine, and those fines can go up to billions of dollars. The California Data
Protection Act has far fewer teeth when it comes to the fines. And I think that the biggest fine that a company could get for
a single violation is, I think, like $7,500. So if you're Google or Facebook or any of these big
companies, it's more of a PR cost if you violate the California Privacy Act. But there's not a lot
of financial risk here if you've got very aggressive data collection practices.
And what about this notion that this should really be the first step towards some sort
of national policy?
So in a weird way, the California Protection Act is, at the moment at least, the sort of
de facto national policy because there is no stronger law in the U.S.
And because most of these tech companies are in California, it effectively is the only game in town.
But there's definitely efforts to pass a watered-down version of a privacy act that would supersede the California privacy protection law.
You can definitely sort of see how this plays out based on where the tech companies themselves are lining up and which things they fight against and which things they support. I think most recently you've had sort of a flurry of different proposals.
There's the recent one from Marco Rubio, the America Data Dissemination Act. And it's
interesting that that act is very much vaguely worded. It doesn't really include a lot of
specifics, but what it does include is the fact that this would supersede any state laws. So there's definitely an effort on behalf of, I think, tech companies in their lobby to get a watered down version of a privacy act, a federal privacy act that rather than conflict with their business models, perhaps entrenches it even further.
That's Jeremy Tillman from Ghostery.
Proofpoint reports on how attackers breach cloud accounts. They're seeing a more complex and sophisticated approach to brute forcing, sufficiently sophisticated as to perhaps no longer deserve the name of brute forcing.
Proofpoint calls this intelligent brute forcing. Attackers used password spraying and credential
stuffing, made easier by access to large credential dumps. These were followed with
phishing for credentials that would give further access to corporate accounts. The goal is internal phishing and business email compromise, always more
persuasive than attempts that obviously originate outside an enterprise. The endgame, of course,
is usually theft of either money or data.
Kaspersky Lab reports that a Microsoft zero-day patched this week, CVE-2019-0797,
is being actively exploited by two espionage APTs, SandCat and FruityArmor.
SandCat also uses Chainshot malware and the controversial intercept tools FinFisher and FinSpy.
FruityArmor's been around for a while, and SandCat is a more recent discovery. Attribution
is unclear, but the APTs appear to have a particular interest in Middle Eastern targets.
Flashpoint researchers note an unusual point-of-sale campaign that's targeted mainly
small and medium-sized businesses. DMSniff creates command and control domains using a domain generation algorithm.
This makes the malware more resistant to domain takedowns by police or tech service providers.
Flashpoint says this particular tactic hasn't often been seen in point-of-sale attacks.
Researchers at Check Point describe Operation Sheep, in which Chinese IT and services firm Shun Wang Technology
is apparently scraping data, contact lists, geolocation, and QQ Messenger login information
from Android phones via some 12 Android apps infected through a data analytics software development kit.
The applications are available through third-party stores and seem mostly to
affect users in China. Check Point thinks the app developers and the stores have been unaware of
the data collection campaign. Shunwang may be doing its collection mostly domestically,
but international concern about Chinese presence in infrastructure, especially in 5G build-outs, remains high.
Germany is set to auction 5G licenses next week,
and that country's intelligence service has added its warning to those offered earlier this week by the European Parliament.
The BND says that Huawei in particular is not to be trusted in the infrastructure.
The CyberWire was at Johns Hopkins University yesterday, attending the Cybersecurity Conference for Executives.
The conference, organized by the Johns Hopkins Whiting School of Engineering and NCURA,
concentrated on regulatory frameworks and trends, and the sometimes surprising impact of national, international, and state regulations on businesses of all sizes.
You may not think you're interested in GDPR, or for that matter, HIPAA or CCPA,
but as several experts explained, they're interested in you.
Be brave, but don't hesitate to seek help as these regulatory frameworks continue to evolve.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families
24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Robert M. Lee.
He's the CEO at Dragos.
Rob, it's great to have you back. I wanted to touch base with you about the situation that's going on with the electrical grid down in Venezuela.
Lots of intrigue there.
It's a really sad situation.
Obviously, regardless of the cause of the outage, you're talking about massive outages across the country, in ways that we already know people have died, and obviously a lot of folks are in hardship, as well as just general fear as turmoil in their country exists, and now they have to deal with it without the basic utilities of life. So it is an incredibly heart-wrenching kind of scenario that they're in right now.
Now, what do you make of President Maduro blaming the U.S. for this outage? He went so far as to say that the U.S. conducted a demonic electromagnetic attack. I'm going to guess that a lot of people aren't taking that seriously.
No, you know, the original discussion was around a cyber attack, and the original discussion was that they kept pointing to and discussing a specific dam in their country where they thought the cyber attack took place. But then it turns out that they didn't quite know where the outage was coming from, whether there was a transmission line issue or a generation issue, which wouldn't be the dam. And so they came out right out of the gate saying, hey, it's a cyber attack, we have evidence, and it's the United States. Then it turns out not only do they not have evidence, but they didn't even know exactly where the outage was coming from, which definitely calls into question any discussion of attribution or belief that it was a cyber attack. And then later on they were talking about the electromagnetic aspect, which was, and if I remember correctly, he was even talking about weird drone-like devices that perched on top of the transmission lines and then performed this. I very overtly call into question their ability to know what a cyber attack or electromagnetic issue would look like. What I mean by that is the way that they're describing both the cyber attack and the way they're describing the electromagnetic pulse attack indicates to me that nobody involved in creating that story had familiarity with what a real one would look like.
And it's obvious in the way they describe it.
So I not only say that it is unlikely to be the case, but they really do not include the appropriate language to indicate that there's a there there.
Isn't it interesting, though, that, you know, cyber attack becomes something that they can just toss out there as a cover to not blame themselves?
Yeah, it is, and this actually kind of harkens back to a couple things that many of us in the community have been warning about, and I've written extensively about before,
on the need to have evidence presented with attribution
and also the need to understand the
implications of targeting infrastructure. So on one hand,
when the United States comes out and does attribution on different countries,
I think it's actually a good tool.
I don't really think there's value in private sector companies doing the attribution they do.
I've been a critic of that before.
But for a government to come out and do so is an incredibly important part of international relations and their ability to dictate policy and action.
But doing attribution without actually providing evidence, which we have done plenty of times before, some of the indictments act opposite.
We do a really good job.
But some of the times that we've done attribution as a country have been completely void of actual evidence.
And that sets a precedent where other countries can do the same.
Now, I think many countries do take the United States coming out and making claims of attribution much more seriously than Venezuela, but on the international scene I don't know that we should set that precedent that it is okay to do attribution without evidence. Like, if a country is going to come forward claiming sources and methods and hiding behind classified data, it's not going to be conducive to ever setting the standard that countries actually have to put up or shut up, and that can become tricky in areas like this.
On the converse, going back to the cyber attack discussion,
I don't think this is a cyber attack.
There's zero evidence to support it.
But nobody can rule it out either,
because obviously we're not on the ground looking at this case.
I don't think it's a high chance,
but you can't just unequivocally come out and say something is not something.
But what I will say on this is it is a good example of what I've kind of petitioned before, which is get out of other people's infrastructure.
There is no such thing as a good guy or gal in terms of cyber attackers. So it's the idea that any country could break into any other country's infrastructure. Like, you're the bad guy. There is no, oh, we're just here for intelligence purposes, or, oh, it's pre-positioning for conflict, or, oh, whatever. And I think modern countries struggle with this, with the desire to break into infrastructure for military planning and purposes, but not necessarily do anything with it. And the problem is, you could accidentally cause an issue.
And we've seen that in attacks before. It was very likely what occurred in the German steel works case in 2014. But this could be, I don't think it is, I don't want to start that rumor, like I really don't think this is a cyber attack, but it's a good example of, in aging and poorly maintained infrastructure,
if an intelligence agency or military group
breaks into an organization
and accidentally does something
to take down infrastructure,
you open up this entire issue
of not only political consequence,
but potentially cascading issues
where they're already poorly maintaining
that infrastructure.
There's already turmoil in that country.
You could cause an issue
that scales way beyond your control very quickly,
where we are talking about loss of human life.
And that is just unfortunate.
So is this case a cyber attack?
I don't think so.
There's nothing to support that.
And with their jumping narrative,
it does seem that they're just blaming anything and everything
to distract from the actual issue.
But it is a good example of the kind of issues
that can come up if people are poking around in each other's infrastructure.
Robert M. Lee, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious but that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.