CyberWire Daily - Magecart is getting interested in exposed databases. Agent Smith may be in your Android app store. Tracking FinSpy. A contractor gets spearphished.
Episode Date: July 11, 2019

GDPR fines and their implications. A reminder about Magecart, and some notes on its recent interest in scanning for unprotected AWS S3 buckets. Agent Smith (of Guangzhou, not the Matrix) is infesting... Android stores with evil twins of legitimate apps. FinSpy is out and about in the wild again. "Daniel Drunz" is the catphish face of a gang that stung a US Government contractor for millions in goods. Justin Harvey from Accenture on the recent GDPR fines. Carole Theriault speaks with Michael Covington from Wandera on the risks facing financial services firms.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
GDPR fines and their implications, a reminder about Magecart and some notes on its recent interest in scanning for unprotected AWS S3 buckets. Agent Smith, of Guangzhou, not the Matrix, is infesting Android stores with evil twins of legitimate apps. FinSpy is out and about in the wild again. Carole Theriault explores the risks facing financial firms. Daniel Drunz is the catfish face of a gang that stung a U.S. government contractor for millions in goods.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 11, 2019.

This has been a week of record fines under the European Union's General Data Protection Regulation. As we've noted, Britain's Information Commissioner's Office has whacked both British Airways and Marriott with stiff penalties for breaches of customer information they sustained. The fines were, respectively, over £183 million for the airline and £99 million for the hotel chain. Given the high regulatory risk that accompanies GDPR, it's worth noting that the British Airways breach was the work of the card-skimming gang behind Magecart, and Magecart is newly active with a disturbing new approach to theft. RiskIQ reports that Magecart's online card skimmers are actively looking for unsecured AWS S3 buckets. The gang has spread its skimmer code to some 17,000 domains over recent months. They've gone for reach and not precise targeting. Some observers find the ability to scan for exposed databases, and the willingness to do so, particularly alarming. AWS comes secure by default, but many, perhaps most, enterprise users will change those settings at some point, and all too often neglect to notice that they've done so and sometimes forget to restore them to secure options. It's worth checking on your settings, if only to keep the ICO's wolves from your door.

Speaking of the Information Commissioner's Office, it's also issued a warning this week to law enforcement agencies about their responsibilities under GDPR for data collected by facial recognition technology.
Check Point is tracking Agent Smith, Android malware whose name is an homage to the villain of the Wachowskis' film The Matrix. Agent Smith replaces legitimate apps with imitations that carry adware, and that have the capability, in principle, to do more than that. Its appetite is said to be voracious. It will attempt to replace every app it finds on a device with a plausible but malicious double. According to ZDNet, researchers have traced the operators behind Agent Smith to an unnamed company based in Guangzhou, China. The company's legitimate business is helping app developers publish and promote their apps overseas. They also apparently operate an illegitimate malware business behind this front, one which was confirmed in part by the company's job postings, which suggested ongoing work to develop malicious code. Agent Smith has been out as a garden-variety adware threat since 2016, but late last year evolved into the more sophisticated threat it represents today. It originally turned up in the third-party app store 9Apps, but its controllers appear to be working toward establishing a foothold in Google Play as well. Most of its 25 million victims so far have been in India, Bangladesh, and Pakistan, but there have been infections reported in Australia, the United Kingdom, and the United States as well.
Financial organizations generally enjoy a reputation for having their security house in order. Makes sense, because that's where the money is. But with the continuing growth in the adoption of mobile devices, they've got their work cut out for them. Carole Theriault has the story.
Specialist firm in mobile security Wandera have released a report in which they effectively call out the financial industry for poor mobile security standards. So I got to speak with Michael Covington, a VP at Wandera, to share a few report highlights with us. Michael, thanks for chatting with us today. I really appreciate the time.

Thanks for having me.

Now, you have said that in the financial services industry, you found it disconcerting to find mobile security still being an afterthought. Was this your conclusion after you pulled together all the research into the financial industry and their practices?

It was. And, you know, I think one of the things that's interesting about financial services is the amount of private data that they maintain as a result of their business. And you would think that all computing elements that touch that data would have some form of security to protect it as it's being utilized by employees. One of the things that we found from this study is that that doesn't appear to be the case on mobile.

Wow. So it seems that not all is tickety-boo when it comes to cybersecurity. Tell us, what are a few of the highlights from your findings in this report?

Well, you know, there's good news and there's bad news. And I'll start with the good news, because this may come as a surprise to your listeners. One of the things that we found from our study is that financial services is pretty consistent with what we see with cross-industry statistics around mobile malware. And the reality is that it's quite low in the business environment. We found that on Android, less than 1% of devices are actually impacted by mobile malware. And on iOS, it's even better. It's almost zero. But I think where we have real concern is around some of the threats that people don't always think about applying to mobile. Phishing, for example. That's what we'd say is probably the most important or relevant threat today for mobile employees. And we found that within financial services, more organizations across the board were impacted by mobile phishing than we see across all other industries. So it almost seems as though financial services employees are being targeted, but they're not being trained or being provided with the right tools to protect them against the new threat vectors that are being utilized to kind of levy these phishing attacks: SMS, social networks, etc.

Yes, you kind of say almost that they're hacking the human inside the financial industry, so to speak.

It's a great analysis. And I think, you know, there's a very strong belief that mobile devices are built well, that they protect information kind of by default. And, you know, generally we see that mobile devices, the operating systems that they utilize, are pretty well built from a security perspective. They still have flaws. I think the vulnerability that we saw with the WhatsApp communication tool just a couple of weeks ago really highlighted how the vulnerabilities and the risk exposure that companies face on mobile is quite high. But at the same time, we see attackers kind of being mindful of that fact as well. It's easier to hack a human than it is to hack a device or an application.

I wonder if many companies are just not hiring or getting in the expertise in the mobile arena. So they're basically taking, well, we know how to protect computers. We'll just apply the same logic to mobile. And in fact, it's a very different platform and concept, isn't it?

It really is. And you know, it's hard to fault financial services exclusively here, because mobile is one of those emerging technologies. Yeah, it's been in the workplace for a number of years now, but we're really hitting a point right now where I think the number of employees that are equipped with mobile and the amount of data that's moved out of a protected data center and into kind of public cloud is at that inflection point now, where we really do see more and more of that data being put at risk as it's being pulled out of those data repositories and being utilized by those mobile employees. And I think now's the time to really upskill those employees and get them more focused on mobile, because that's the future.

So that would be your big takeaway, not just for companies in the financial sector, but for all companies. Train your employees to be your, well, effectively your first line of defense.

Absolutely. You know, I think employees, when it comes to mobile, employees are not only the first line of defense, they're a big part of the solution. One of the trends that we've seen within financial services in particular is a really high adoption rate of BYOD. I think Forrester has put the statistic at 64% of devices as a whole in financial services being employee-owned. And if that's the case, you have to rely on your employee to install the tool that will keep them safe and to kind of deal with alerts as they are often raised. And so if the organization is going to make a decision to push that responsibility down to the user, they really have to equip those users with the right tools and the right training to do something with it.
Michael, thanks so much for your time today.

This was Carole Theriault for the CyberWire.

Forbes reports that Kaspersky has found new infestations of FinSpy in the wild, suggesting that the spyware continues to find users among governments in many corners of the world. FinSpy, a product of the Gamma Group, belongs to the lawful intercept family of security products. It intercepts messenger traffic, including traffic from such widely used services as Skype, Telegram, WhatsApp, Signal, WeChat, and BlackBerry Messenger. The spyware is normally installed either through a malicious SMS message to the targeted device or directly by obtaining physical access to the device itself. Gamma Group insists that it sells only to legitimate government agencies for legitimate law enforcement purposes. So, FinSpy would be comparable to other law enforcement tools like wiretap equipment or bugs, the sort of surveillance tool that in the United States, for example, and in many other countries as well, would be used only with a duly authorized search warrant. But there are some problems with this. First, Gamma Group was hijacked in 2014 and some of its code was leaked. That code has turned up in criminal knockoffs of the original product. And second, not all the governments who buy lawful intercept products use them with due attention to generally accepted notions of human rights. The instances of FinSpy Kaspersky has been recently tracking appear to originate in Myanmar, and that government's human rights track record has been questionable, to say the least.

An unnamed U.S. defense contractor was tricked into sending sensitive, highly classified communications intercept equipment worth about $3 million to an international criminal gang. A search warrant request the U.S. Department of Homeland Security filed with the United States District Court for the District of Maryland revealed the details. Homeland Security Investigations asked for Apple iCloud information pertaining to four email accounts of interest. The incident appears to have been a spear-phishing scam executed by hoods posing as a fictional U.S. Navy contracting officer, Daniel Drunz. The criminals were allegedly in email correspondence with a Maryland firm identified in the affidavit only as Company B. They posed as a U.S. Naval contracting officer, Daniel Drunz, and used a bogus U.S. Navy email address. It was daniel.drunz@navy.mil.us. Do you see the little rift? navy.mil.us. A genuine U.S. Navy email address would use the domain navy.mil, without the .us. The scammers are being called the Drunz Gang in honor of the catfish they hid behind. The comms intercept gear is the important and worrisome item misappropriated, since such equipment is on the United States Munitions List and therefore falls under ITAR controls. Those are the International Trafficking in Arms Regulations. And of course, the equipment is said to be highly classified. The crooks made off with more than just the comms intercept gear, too. Their take included $6.3 million in televisions and $1.1 million in iPhones and iPads. Those will be a lot easier to fence than the classified equipment, but the Drunz gang will probably find a buyer for that too. After all, you don't swindle a contractor out of intercept kit just so you can steal Netflix in your she-shed or man cave.
And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it's great to have you back. I wanted to touch base with you on some things we've been tracking with GDPR. It seems as though, I guess people have been waiting, they've sort of been saying, hey, you know, years gone by with GDPR, when are we going to start seeing some big fines? And recently, we've started seeing some big fines.

Yeah, Dave, the jury has been out for over a year now. We in the industry have been waiting to see, does the EU have the teeth in order to drill down on GDPR? And as we've seen over the last seven days, the answer is yes, with two organizations being fined, one over 100 million and then the second one over 200 million. And those of us in the industry who have been watching this very closely, we did not know if this was going to go over like a Led Zeppelin, where we'd see like million or $2 million fines, or even any fines at all. But it appears that they are very serious about this. And what's even more curious is that one of the businesses that was singled out was actually based in the United States. I think that should be a very big hallmark of things to come, not only with the United States businesses and international businesses doing operations in the EU theater of operations, but also how is this going to change regulations and fines of data breaches around the world, not just in the EU? Since you usually see, for trends like this, it starts, there's like a pilot, or there's a region that says, we're going to try this, and then it catches on, and then it spreads like wildfire.

Now, in a situation like this, I'm thinking of you advising the folks you work with, the companies that you work with. Is there a sense that this removes, knowing that this is the way the EU is going to come at GDPR fines, I suppose that removes a certain amount of uncertainty, which is a welcome thing. At least companies know where they stand.

Yes. And as an industry veteran, I'm actually excited about the GDPR and their ability to follow through. I think that this is a pivotal or watershed moment in cyber defense. So C-suites and boards are doing a calculus, and they're essentially thinking, if the average fine is, let's pick an average size of $100 million or 100 million euros, could they take 20 or 30 of that against a potential loss and essentially invest it into increased cyber defense spending? And Dave, I've got to tell you, if anyone took $20 to $30 million in addition to their normal spend and spent it on cyber defense, that would be like an adrenaline shot to the heart. I think that what we're telling businesses is they need to focus more on detection and response. So get that mean time of detection and mean time to detect and respond shorter. So find stuff faster, respond to it faster, less on prevention, although prevention is not dead. And also still do the basics really well. Privileged access monitoring, security operations, doing the log management and the threat intelligence and monitoring, multi-factor authentication. And of course, on top of all of this, proper planning and testing of personnel, processes, and your technology array. But if you just, even if it's a tenth of what a GDPR fine could be, I think that'll really catapult these organizations that have stood up and are paying attention.

Yeah, it's fascinating. I mean, it's almost like it's a calibration event. You know, this is the zone that we're in now.

Yes, I think that more organizations need to think about the likelihood of attack just as much as the severity. That's what risk management is about. It's about what could happen, what could be the impact, and of course, what's the likelihood. And I, every week and every month that we see more and more incidents, those likelihood numbers are going up and up. And it's just a matter of time before most businesses, if not all businesses and organizations, are hit by a cyber attack at one point or another.

All right. Well, it's certainly interesting to watch this as it proceeds. Justin Harvey, thanks for joining us.

Thank you, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.