CyberWire Daily - Keeping Winnti out of the goods while keeping an eye on them. GlitchPOS malware. What do apps want? Third-party Facebook data exposure. Digital hygiene. A scareware scam.

Episode Date: April 4, 2019

In today’s podcast we hear that Bayer, maker of pharmaceuticals and agricultural products, blocked an espionage attempt by China’s Winnti Group, and has been quietly monitoring the threat actor since last year. GlitchPOS and its evolution. Do those apps really need all that access? Two breaches of Facebook data by third parties. Some good digital hygiene notes: change default passwords and back up your data in a secure and recoverable way. And no, there’s no CIA officer warning you’ll be arrested if you don’t pony up 1.4 Bitcoin. Craig Williams from Cisco Talos with research on GlitchPOS malware. Guest is Leo Simonovich from Siemens Energy on challenges and opportunities in the energy sector. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_04.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Bayer, maker of pharmaceuticals and agricultural products, blocked an espionage attempt by China's Winnti Group and has been quietly monitoring the threat actor since last year.
Starting point is 00:02:07 News on GlitchPOS and its evolution. Do those apps really need all that access? Two breaches of Facebook data by third parties. Some good digital hygiene notes. And no, there's no CIA officer warning you'll be arrested if you don't pony up 1.4 Bitcoin. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 4th, 2019. Pharmaceutical and agricultural chemical giant Bayer this morning announced that it had sustained a network intrusion by the Winnti Group. Active since at least 2010, Winnti has been associated with Chinese intelligence services, cutting its teeth on monitoring disfavored domestic populations, notably Uyghurs and Tibetans, and then moving on to industrial espionage.
Starting point is 00:03:03 The goal of the operation seems to have been data theft, not attacks on industrial control systems. Bayer detected and contained the attack last year, and has been quietly monitoring it ever since, the better to understand the attackers, how they work, and what they're after. German authorities are investigating, and of course Bayer, the victim in this case, is cooperating with them closely. Bayer may be the victim, but here the victim seems to have done a good job of self-defense.
Starting point is 00:03:36 Booz Allen researchers who've been tracking GlitchPOS report that the malware has evolved. That suggests strongly that its masters are actively maintaining it. GlitchPOS's most interesting new functionality is an offline mode, which could enable targeting of systems without direct internet connections. It also probably enables a quieter mode of operation,
Starting point is 00:03:58 reducing chatter to command and control servers. Booz researchers say the malware sleeps for a second between beacons, which may not seem like much, but which drops the noise enough to make a difference. As the Booz report notes, Cisco Talos first published an analysis of GlitchPOS, and we'll hear from that research team later in this podcast. Apps really do ask for a lot more permissions on users' mobile devices than they reasonably need, a Wandera study concludes. The security company looked at some 30,000 iOS apps and found that a lot of them ask for quite a bit.
Starting point is 00:04:35 62% wanted to access your photo library, 55% wanted into your camera, and 51% asked for location when in use. Sure, some of these may give the user a bit of convenience, but Wandera suggests that users really ought to be pickier about what permissions they're prepared to give. Organizations in the energy sector continue to improve their readiness when it comes to cybersecurity in the operational technology, that's the OT space, on the plant floor, for instance. With the ongoing digitization of critical infrastructure, how are energy companies adapting? Leo Simonovich is Global Head of Industrial Cyber and Digital Security at Siemens Energy. Well, the energy sector faces two major challenges in security. One is to secure the vast brownfield where the equipment is anywhere between 15 and 50 years old, where digital is being bolted on top, and the greenfield where
Starting point is 00:05:37 IoT and security is being implemented within and where attacks are reaching lightning speeds. For the vast brownfield, I think the challenge is foundational. To take some basic measures like patching and vulnerability management and asset management, that's even hard to do for many companies, especially small to medium-sized enterprises. And then at the same time, how to think about security in a different way around edge, around cloud, and around this bifurcation where a lot of the intelligence is being pushed either into the office environment or right into the field. Yeah, I mean it strikes me that that's an interesting challenge where you have all these available streams of data that can come back to folks
Starting point is 00:06:29 controlling these systems, but you still have to have that component on the ground. You're still dealing with mechanical objects, you know, out in the field that are controlling the flow of these critical infrastructure elements. Yeah, that's absolutely right. It's where the physical and digital worlds really converge. And we think of security and digitalization as really two sides of the same coin. The attack in Ukraine really illustrates the point. The operator for the first few hours didn't know he was experiencing a cyber attack. He thought that his control system was malfunctioning. And if he was, in fact,
Starting point is 00:07:11 collecting and correlating data from the network, the control system, and the asset, he would have spotted a pattern that was really out of sync. And this is where AI, in fact, offers enormous benefit. It's those variations and the ability to identify patterns that to a human brain would be difficult to pull together. But AI can bring to fruition to say that my process logic says that the machine should be operating in one speed, my network says that it's operating in another, and pulling these pieces of the puzzle together, mixing, matching them, and then identifying unusual patterns is sort of the promise that artificial intelligence, machine learning, neural networks can bring to the table. But to do all that, you need connectivity, you need basic visibility, and foundationally,
Starting point is 00:08:13 you need to embrace artificial intelligence as a tool. And that's something that many energy companies are hesitant to do because to them, it seems like a black box. So how do you overcome that resistance? How do you convince them that this is something that's beneficial? Well, I think it begins by tackling visibility one block at a time, starting with an understanding of what assets you have, how important those assets are, prioritizing them, and then beginning to implement some monitoring capability. You shouldn't monitor everything, and the things that you do monitor need to have both
Starting point is 00:08:56 operational benefit and security benefit. In fact, the data that we're analyzing, and this is what we're doing at Siemens, we've built a monitoring platform that ingests process and network data to provide insights to customers in terms of finished intelligence. What we often find is that 90% of the alarms have more to do with operational changes than they do with security. But nevertheless, they need to be investigated because a configuration change could mean a cyber attack or it could mean that a compressor or turbine is malfunctioning. So this digital revolution that we are all experiencing is inevitable. The question is, how do we protect it to ensure the viability of our economy?
Starting point is 00:09:42 That's Leo Simonovich from Siemens Energy. Another big Facebook data exposure has been disclosed, this one due to third parties who left the data in indifferently configured AWS buckets. Researchers at security firm UpGuard found 450 million Facebook users' records exposed online. That's pretty big, but we may be growing inured to big breaches. The data were in unsecured AWS buckets belonging to third parties Cultura Colectiva and now defunct At The Pool. Cultura Colectiva, a Mexican media outfit, left such data as comments, likes, reactions, account names, Facebook IDs, and more waggling around on the Internet,
Starting point is 00:10:27 unsecured by so much as a password. The situation was similar with At The Pool. This was a Facebook-linked app whose exposed S3 bucket included a baker's dozen of data categories, including Facebook user ID, user, friends, likes, music, movies, books, photos, events, groups, check-ins, and interests, as well as passwords for At The Pool. At The Pool may be gone, but the Facebook data remain, and even the passwords to At The Pool are problematic. As UpGuard points out, many people reuse passwords, so even these could have some utility in credential stuffing attacks. Reuters says Facebook has succeeded in getting the information taken down.
Starting point is 00:11:10 The company has taken the opportunity to point out that, quote, Facebook's policies prohibit storing Facebook information in a public database, end quote, but as so often happens, there's many a slip twixt the bucket and the lip. AT&T Cybersecurity's Alien Labs reports finding a Python-based bot scanner, which they're calling Xwo. It's actively looking for exposed surfaces and any default passwords users might carelessly have left in place. This serves as a timely reminder of one aspect of good digital hygiene. Don't leave that default password in place when you deploy hardware or software tools. People notice. They have bots looking for them.
Starting point is 00:11:57 Another aspect of good digital hygiene is, of course, regular secure backup. There's a sad story out of Michigan this week, in which a small business, specifically a medical practice, is going under due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek will close its doors permanently on April 30th. Attackers encrypted the practice's files and demanded $6,500 in ransom. When Brookside refused to pay, the extortionists wiped the practice's data. Rather than try to rebuild their records, and they decided that this would be difficult to the point of impossibility, the two principals decided to close the practice and retire.
Starting point is 00:12:35 Brookside's files were encrypted, and the attackers aren't believed to have been able to access them, but essentially all the practice's business data and medical records were lost. Brookside is remaining open until the end of the month, but only to answer patients' questions and refer them to other care providers. Several things about the incident are striking. First, ransom need not be large to destroy a business. Indeed, it probably won't be the ransom demand, but rather the data loss that proves the killer. Second, the doctors declined to pay because they didn't believe they'd be provided with a key to decrypt their files. And third, while the data were encrypted, which is important,
Starting point is 00:13:19 they apparently weren't effectively backed up in a way that would enable them to be restored, and that broke the practice. And finally, some news you can use. If you're contacted by someone who says you're about to be arrested for naughty stuff on your device, just blow them off. It's scareware and not real. Trustwave's SpiderLabs has been looking into one such scam. The subject line is replete with the sort of officialese that might seem spooky. Your email, and that's where
Starting point is 00:13:45 they put in your email address, has been verified, and that's followed by a Central Intelligence Agency case number. The body of the email says it's caught you distributing material involving underage children and urges you to open a zip file which will prove that they've got the goods on you. Your arrest is scheduled for April 15th, at least in the sample SpiderLabs is sharing. Why? Well, the technical collection officer says it's come to his attention that you're a wealthy person concerned about your reputation, and that he's offering to expunge you from the records and the arrest list if you pay 1.4 Bitcoin, about $5,000, in accordance with his instructions. So is this some
Starting point is 00:14:28 rogue Langley flyboy out to make some blackmail money on the side? No, it's the usual jerk trying to scare the naive. Delete the email, and for heaven's sake, don't open any attachments or click on any links. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose,
Starting point is 00:15:02 and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:16:00 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:43 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. BlackCloak.io. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You all recently published some new research about some point-of-sale software you guys have been looking at.
Starting point is 00:17:20 What's going on here? Yeah, thanks, Dave. So this piece of malware we found, we're calling it the Gl POS or glitch point of sale malware. And what's really interesting about this one is it's, you know, all these types of kit malware are really designed to allow unsophisticated attackers to basically run malware that's out of their league, right? To take a really sophisticated idea and make it simple so that anyone can control it and use it successfully. So walk me through what's going on with this one. So this one's pretty interesting. The author behind it is advertising it on these forums, obviously for sale. But what I found really interesting is that he's basically using his
Starting point is 00:18:00 credibility to help market it. And so a few years years ago he released another similar kit called Diamond Fox that was very very popular had a post out by Check Point I think it was back in 2017 or so and so you know it's one of those interesting things that they do on these criminal forums right how do you know who to trust you know because anybody could just take somebody's money and run but so this guy's standing up and saying no I'm an experienced malware author and i know what i'm doing which it's hilarious when you think about it right like talk about operational security fails you know it's like hey let me just take all my illegal activity and sign my name to it and notarize it with a copy of my id right but at the same time it gives other bad guys a sense of oh we can we can trust him. He's a really bad guy. He's written malware in the past.
Starting point is 00:18:47 Yeah. Honor among thieves. Right. Well, wait until we get to the end. It gets even funnier. Okay. And so, you know, when this malware comes out, it's basically packed. It's got a lovely little kitten unpacking routine.
Starting point is 00:19:00 So, you know, he's clearly learned to avoid AV. You know, he's attempting to do that through Packers. I believe it was a UPX Packer, which is, you know, again, time-tested and proven. But the basic payload for this is really interesting. So it's got like a command and control system, right? And it's actually pretty visually appealing. You know, I looked at this, and I've got to give this guy credit. It's probably one of the prettiest C2 setups I've seen. It's put a lot of effort into this that
Starting point is 00:19:30 we just don't see a lot of times. And so to me, one of my core takeaways from this is it's almost like anyone with sophistication to install a video game could probably run this successfully. The reason I find that so concerning is because a lot of the people who are going to be looking at these underground forums, potentially just out of curiosity, may be drawn into this because it looks like something they could handle. Yeah, it's interesting to see where the bar is set and that it would even extend to something like this in an underground market. Right. And, you know, this is new malware. We did look, there were some visual similarities. So it's pretty clear that they did steal a little bit from the Diamond POS control panel,
Starting point is 00:20:14 or I guess C2 is probably a better word, some of the graphic interfaces, but the actual malware itself is new. And so that actually does give additional credibility to, was this guy behind the other piece of malware. So we do believe these are linked. We believe it's the same author. We believe it's new software he put out there to make some money. But here's where it gets really funny. Right. So we're looking at these forums, looking through the malware, and the guy comes out. Presumably this guy bought the malware from the original author, and then he comes out basically claiming it as his own and wanting to sell it on his own.
Starting point is 00:20:52 And so he's actually trying to increase some of the prices, and so people called him out on it, but, you know, thieves are going to thieve, you know? What can you do? Right, yeah, I guess there is no honor among thieves. Well, at least he was smart enough to use a different forum. But, you know, these type of attacker communities are so small that people are going to tend to use multiple forums. And so while he was called out on it, I'm sure he did make a decent amount of money from it. And so, you know, unfortunately, this is going to be one of those things that I think is going to continue to
Starting point is 00:21:20 evolve. It's one of these things that Talos is going to have to basically continue to monitor and ensure that our coverage stays in place and ensure that we can properly work with law enforcement all around the world to take these guys down. Yeah. All right, well, Craig Williams, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:21:47 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Starting point is 00:22:46 And that's the Cyber Wire. Thank you. for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
Starting point is 00:23:34 That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
