CyberWire Daily - International cyber conflict: India and Pakistan; Australia and China. Rietspoof malware. Microsoft ejects cryptojackers from its store. NCSC may go easy on Huawei. Parliament criticizes Facebook.
Episode Date: February 19, 2019
In today's podcast, we hear of a small flare in cyber conflict between India and Pakistan. Australian political parties as well as Parliament subjected to attempted cyberattacks. A new strain of malware is being distributed through messaging apps. Microsoft pulls cryptojacking Windows 10 apps from its store. Britain's NCSC is rumored to have concluded that it can mitigate Huawei risks. Facebook gets a harsh report from Westminster. And a hacker claims a higher motive for his breach (but still wants Bitcoin). Joe Carrigan from JHU ISI on Apple requiring two-factor authentication for developers. Guest is Igal Gofman from XM Cyber on network compromise through email. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_18.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cyber conflict flares in the subcontinent.
Australian political parties as well as parliament are subjected to attempted cyber attacks.
A new strain of malware is being distributed through messaging apps.
Microsoft pulls crypto-jacking Windows 10 apps from its store.
Britain's NCSC is rumored to have concluded that it can mitigate Huawei risks.
Facebook gets a harsh report from Westminster.
And a hacker claims a higher motive for his breach, but still wants Bitcoin.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, February 19th, 2019.
The website of Pakistan's foreign ministry was rendered inaccessible over the weekend, probably by a denial-of-service attack.
Speculation regards the attack as probably originating from India.
Last week's terrorist massacre of 30 Indian security personnel in the suicide bombing of a convoy moving through Jammu and Kashmir's Pulwama district may have prompted the cyber attack. A Pakistani terrorist group claimed responsibility for the bombing.
It's worth noting that low-level cyber conflict between India and Pakistan has persisted for years
and that many of the actors on both sides have been patriotic hacktivists,
not necessarily operating under state direction.
Australian Prime Minister Morrison said yesterday that three political parties,
Liberal, Labor and National, have been targeted by sophisticated foreign actors.
The attempts came to light during investigation of attempts on parliament systems.
Chinese intelligence services are the leading suspects,
according to reports in the Sydney Morning Herald and elsewhere.
China's foreign ministry denies any involvement
and says reports of Chinese attacks are both baseless and irresponsible
and are likely to poison possibilities of future harmonious cooperation
between China and Australia.
Security firm Avast reports a new malware family, Rietspoof, spreading through instant messages. Rietspoof, which Avast says is now being updated daily, combines various file formats and multi-stage attacks that give it unusual versatility. The attack is delivered through such instant messaging clients as Skype or Live Messenger, where what Avast calls a highly obfuscated Visual Basic script carries a hard-coded, encrypted CAB file. That file is expanded into a digitally signed executable, which in turn installs a downloader. Avast says research is in its early stage, and that little is known about the attacker's methods or motives, still less their identity, but Rietspoof looks like a malware family that bears watching.
We often hear stories of how unauthorized access to an organization begins with a simple phishing email, and many organizations have implemented combinations of technical solutions and training to prevent outsiders from gaining access. Igal Gofman is head of security research at XM Cyber, and his team has been tracking infiltration techniques that begin with access to a low-level user's machine within an organization and pivot from there.
Let's say somebody malicious out there was able to gain full access to a user machine located in the corporate headquarters. And the adversary's main goal is stealing, let's say, some kind of credit card information from a database server located at some remote location. However, the database network is isolated from the headquarters user network, and it's not easily accessible to regular users. So the headquarters network and the database network are completely isolated, and a user from the headquarters is not able to log in to the database network.
Because the adversary has full system access, he can easily locate the user's mail application, and he can hijack all email sessions and messages and inject, let's say, a malicious URL or a document with some kind of a macro inside it, and trigger the user to click on this document or URL. So basically the adversary hijacks mail correspondence, a real mail correspondence, and he's not faking anything, and this is the strong side of this attack. This way, instead of targeting users outside the organization by sending phishing emails, the adversary can manipulate real correspondence between a compromised user and the target user. So in our example, let's say the target user is one of the IT personnel. We can easily trick the IT person into clicking on an injected URL or document. He will not suspect that anything is wrong and will open this URL or document.
And then this action will direct, for example, the user account of this IT person to some internal watering hole website, exposing his high-privilege credentials and, of course, bypassing many of the link detection and application control mechanisms.
Now, at this stage, the adversary has a high-privilege user account. He can use this account to connect to some kind of a jump host or some kind of a privileged access workstation. This is a Microsoft term for a jump host. And then from there, he can obviously access the isolated databases. And basically, this is game over. Once he was able to gain himself a high-privilege user account, he can pivot through the network. Basically, that's game over, and the target was achieved.
So an effective solution in detecting, an email messaging defense mechanism, will include some kind of malware sandboxing. All messages and attachments transported through the organization's mail server, let's say, for example, an Exchange server, should be scanned for malware, viruses, and spyware. And if malware is detected, the messages should be quarantined or deleted.
That's Igal Gofman from XM Cyber.
Following Symantec's discovery that the apps were installing Monero cryptojackers on users' devices, Microsoft pulled eight Windows 10 applications from its store. The unwanted apps included FastSearch Lite, Battery Optimizer, VPN Browser Plus, Downloader for YouTube Videos, CleanMaster Plus, FastTube, Findoo Browser 2019, and Findoo Mobile and Desktop Search. Symantec says that the applications were nominally produced by three developers, but that evidence in the source code and adjacent domains suggests to them that in fact all eight apps are the work of one developer or group of developers.
Reports in The Telegraph and elsewhere suggest that a report on Huawei's security issues and the company's suitability for participation in 5G networks from the UK's National Cyber Security Centre will be very far from the harsh condemnation that had been widely suspected. The NCSC is believed to have concluded that the risks Huawei poses are manageable and that GCHQ sees its way clear to mitigating them.
On Friday, MI6 head Alex Younger said he wanted a proper conversation over giving Huawei a role in 5G networks, but the specific concerns he expressed concentrated on the dangers the monopoly would present. So Huawei is not out of the woods by a long shot, but if the rumors about the NCSC's report are borne out, that will be good news indeed for the company.
Facebook has not fared as well in Westminster.
The Digital Culture, Media and Sport Committee has published its final report
on disinformation and fake news, and Facebook figures prominently,
both in terms of content moderation and data handling.
The report says in its summary, Facebook intentionally and knowingly violated both data privacy and anti-competition laws.
The report recommends that tech companies be given a compulsory code of ethics
to be overseen by an independent regulator
who could take legal action against companies it found in violation of the code.
It also recommends that social networks be required to remove known sources of harmful content,
including proven sources of disinformation.
For its part, Facebook says it would welcome helpful regulation.
It's also mooting the idea of setting up its own tribunal,
a kind of 40-person Supreme Court that would adjudicate disputes
over whether content was being unfairly
judged in violation of the social network's terms of service.
The black market is, as many have noted after all, a market.
It follows familiar laws of supply and demand.
As supply of any commodity rises, prices drop, and it seems clear that user information is
now a relatively low-priced commodity. At the end of last week, Gnosticplayers released his third tranche of PII, mostly user credentials, taken from eight databases Gnosticplayers claims to have hacked. He's asking just over 2.62 Bitcoin for the almost 93 million users' data. We note that ZDNet, which has been in touch with someone credibly claiming to be Gnosticplayers, is treating him as a singular he. At any rate, that's about $14,500. Gnosticplayers, who trades in the Dream Market, had earlier offered 16 databases with 620 million users' data and another batch of 8 databases containing 127 million users' information.
2.62 Bitcoin doesn't seem like much for 93 million users' data, but money isn't the sole object. Gnosticplayers told ZDNet that his goal is twofold. He wants, first of all, to sell a billion records and then go hide out in some degree of comfort. It seems, at the rates he's charging, that such comfort may be more squalid than luxurious. Cozy, no doubt, but frosty and frayed around the edges. Second of all, Gnosticplayers wants to contribute to the downfall of American pigs. A manifesto that accompanies his offerings suggests why he's got
it in for the Americans, who are, we think, generally a lovable crowd,
although we admit that we can be something of an acquired taste.
Mr. Players is offering support for a convicted Apophis Squad hacker. George Duke-Cohen is a young and talented boy, Mr. Players writes. Instead of giving him a chance, the UK government sends him to prison for three years. And not only that, after he's through a three years' detention at Her Majesty's pleasure, the Americans are lined up to take a whack at him, as we noted in a discussion of his indictment last week. The U.S. charges could get Mr. Duke-Cohen a further 63 years in Club Fed. That's a high-end estimate of his sentence, but still, it is, after all, a long time. So bad on Her Majesty's government, says Mr. Players.
May this upcoming release of dumps serve as a reminder, he writes,
when countries claim to respect their citizens, they have duty protect them.
Anywho, Mr. Players thinks this is unfair.
If he is not given a fair justice during the upcoming days, weeks, years,
more data will be released.
We note that Gnosticplayers is selling, not dumping, the data he's ripped off.
So let Justice be done, or more data be sold,
at least until Mr. Players makes enough altcoin to retire to wherever he wants to go,
because, after all, political altruism has its limits,
and those limits are probably somewhere south of $14,500.
That much change will get you a nice commercial cleaning franchise in some markets,
although admittedly that's probably more conventional work and social utility
than it's fair to expect from a hacker of Mr. Players' mad skills.
Is it us, or does Mr. Players' diction sound kind of Shadow Brokerish?
Not, of course, that he's a Shadow Broker.
But where have these guys been these days, anyway?
Wealthy elites has been missing you at the Davos.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
He's also my co-host on the Hacking Humans podcast.
Joe, it's great to have you back.
It's great to be back, Dave.
We've got an article here from the Naked Security blog over at Sophos.
This is written by Paul Ducklin, friend of the show.
Yep.
And the title is,
Apple Fighting Pirate App Developers Will Insist on Two-Factor Authentication for Coders.
Right.
What's going on here?
Okay, so Apple has this program called the Enterprise Certificate Program.
Right.
Which is a way that allows, let's say you wanted to develop an app specifically for the CyberWire.
Okay.
But you didn't want to put it into the App Store and you didn't want to wait for Apple to approve it and you wanted to do a little bit more nosing around the phone for security purposes of your company data, right?
So this is an internal use app for CyberWire employees, let's say.
Okay.
Now, Facebook and Google were recently chastised for abusing this program by distributing apps to other people outside of the company that Apple said, well, this doesn't amount to an employee. But they were doing a lot of, I like the way this article puts it, this article describes the app as way too snoopy.
Right.
Or just too snoopy for the App Store.
So they use their enterprise certificate and Apple essentially grabbed Facebook and Google
by the necks and shook vigorously and said, this will not be the case.
You will not be abusing this.
Right.
So it turns out that this program can be used to develop rogue apps.
It's essentially the closest thing that Apple has to the Android equivalent,
which is allow apps from other sources.
Right, to sideload apps.
Yeah, sideload apps or for developer options, right?
Okay.
But in order for me to do that, I still have to have a certificate with Apple so that Apple can at some point in time in the future revoke that certificate like they did for a day with Facebook and Google and make the app not work.
Okay.
So if I know your password to your enterprise certificate.
So I'm developing for CyberWire.
Right.
Somehow you compromise my credentials.
Correct.
Okay. And I go out and I generate an app that is malicious and then sign it with your enterprise
certificate.
Oh, I see.
Then I can distribute it and it will come up as a valid app, right?
So what Apple is going to start doing is requiring two-factor authentication so that that particular
abuse case can't take place anymore.
So now when I try to go sign the app with your certificate, you'll get a message on
your phone that says, here's your code.
And I don't get that message.
I see.
Right.
Okay.
Well, this seems non-controversial to me, but there are some folks who aren't very happy
about it.
The article goes on to talk about a couple of recent cases that are not necessarily from
the developer community.
The article talks about an attorney who's suing Apple with a class action lawsuit saying
that he and millions of other people have been economically
damaged by two-factor authentication.
I think the crux of his lawsuit, if I remember...
What is his hourly rate if the two-factor is an economic loss? But go on.
He said it was taking five minutes for every time he needed to use two-factor, which is a ridiculous amount of time. I find it incredibly difficult to believe that. It never takes five minutes.
Okay.
If you're security conscious and minded, you should always ask if two-factor authentication is available.
And if it isn't, maybe you should reconsider using that product or service.
Right.
Well, yes.
I think that's an excellent point that I would make the argument that that should be part of your buying decision.
Yeah.
Is two-factor available with your product.
Right.
If it's something that's important to you.
Again, Dave, we're dealing with a huge education problem for the general populace. If you ask people who don't live and breathe this stuff every day what two-factor authentication is,
I'll bet you get 50% of the people who have never even heard of it.
Yeah, that's true.
All right.
Well, I would say I'm on Team Apple with this one.
Yeah, I am too.
I think it's probably for the best in the long run, and why not?
Certainly developers have some privileges that other folks don't
when it comes to potentially putting dangerous stuff out there.
Especially for developers.
They should absolutely require developers to use two-factor authentication.
I think this is a no-brainer.
The general populace, the user community
not using two-factor authentication,
I can...
And more sympathy for that?
I am...
It pains you to say it, doesn't it?
I at least understand the difference
between the two populations.
Okay, alright, fair enough.
That's as far as we'll get you.
All right. Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
And that's the CyberWire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.