CyberWire Daily - Malicious apps, a clever botnet, and cryptojacking. Patch notes. EU copyright regulations. Congress still doesn't like the cut of ZTE's or Huawei's jib. Tesla sues a former employee.
Episode Date: June 21, 2018
In today's podcast we hear about a malicious app that will save your battery, but it will also install a backdoor, steal information, and click on a bunch of ads. A sophisticated and patient botnet, MyloBot, is observed in the wild, but it's not yet clear what it's up to. Cryptojackers exploit a known (and patched) Drupal vulnerability. Vectra finds tunnels. Google adds security metadata to Android apps. Cisco patches. The EU's proposed copyright regulations attract little love. Congress pursues ZTE and Huawei. And Tesla sues a former employee. Ryan LaSalle from Accenture, on the opening of their new Cyber Fusion Center. Guest is Ned Miller from McAfee on their "Winning the Game" report on the gamification of security training.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A malicious app will save your battery,
but it will also install a backdoor, steal information, and click on a bunch of ads.
A sophisticated and patient botnet is observed in the wild, but it's not yet clear what it's
up to.
Cryptojackers exploit a known Drupal vulnerability, Vectra finds tunnels, Google adds security
metadata to Android apps, Cisco patches, the EU's proposed copyright regulations attract
little love, Congress pursues ZTE and Huawei, and
Tesla sues a former employee.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, June 21, 2018.
There are several warnings today of new threats.
RiskIQ this morning warned of information-stealing, ad-clicking malware
that's being offered via warning pop-ups on Samsung Android devices.
The malicious app represents itself as a battery saver,
and indeed it does perform as advertised.
Its unadvertised performance with clicks, theft, and a back door is what's
objectionable here. The pop-up contains a link that takes the unwary to the more often than not
safe Google Play. There, they are invited to install an app that will clean up your Samsung.
It's possible, thinks RiskIQ, that the app was originally developed as a legitimate battery saver,
with the ad-clicking and other undesirable stuff added later. As they say on their blog,
quote, we aren't sure, but we're keeping an eye on this developer, at least, end quote.
Another warning comes from Deep Instinct, which described MyloBot on its blog. MyloBot,
which one of the researchers named in honor of a pet dog,
is a new and sophisticated botnet currently active in the wild. It's not clear what MyloBot's
controllers are after, and it's also unclear how the malware is delivered, but by all appearances
it's not in the least an amateur performance. Among MyloBot's features are methods of evading
sandboxes and debuggers,
and of reflective execution of EXE files directly from memory.
MyloBot is also patient, remaining quiescent for two weeks after installation
before it calls its command and control servers.
It also removes competing malware from the systems it infects.
Researchers say it bears some similarity to Locky ransomware,
but it isn't just a Locky variant.
MyloBot can establish complete control over victim devices,
delivering whatever payloads its unknown masters may wish to install.
So, Milo, good dog, but bad bot.
Bad.
Cryptocurrency mining remains with us. Trend Micro has observed a
series of attacks that exploit CVE-2018-7602, a vulnerability in the Drupal content management
system. The attacks Trend Micro is seeing are installing bots whose purpose is to mine Monero
cryptocurrency. Happily, this is one instance in which patching fixes the problem.
An updated Drupal core closes out the vulnerability the criminal miners are exploiting.
Vectra's long retrospective look at the Equifax breach has led it to conclude
that attackers are interested in using hidden tunnels to get into otherwise well-protected networks.
Financial services are particularly attractive targets.
There appear to be more than twice as many hidden data exfiltration tunnels per 10,000 devices
in financial services than all other industries combined.
Google Play is adding security metadata to Android apps in the store,
the better to secure offline distribution.
Developer transparency has become increasingly important to the Android ecosystem.
Knowing who made what and what their track record is
can provide some useful indicators of trustworthiness.
In other upgrade news, Cisco has patched two dozen issues with switches,
next-generation firewalls,
and security appliances. The company rates them either critical or at least high severity,
and the patches deserve the quick attention of Cisco users.
Researchers at McAfee recently published a report titled Winning the Game. One of the areas it explores is how gamification can lead to better
security outcomes. Ned Miller is chief of technology strategy for McAfee's U.S. public
sector business unit. Gamification is an organization's ability to exercise their
cybersecurity team to ensure how they would behave if a real situation occurred, right? So if a real attack
occurred. So the gamification concept is often referred to in our industry as events like
capture the flag or hackathon contests. And what we were surprised at in the report is that
a number of organizations don't exercise their teams on a fairly regular basis.
They don't have a scheduled cadence.
The more successful organizations would typically run one or two exercises per year
in order to ensure that their teams react accordingly
and they can put some metrics in place to measure their overall performance should an attack occur.
Now, looking at the results of the report, what are some of the key takeaways for you?
What are your recommendations for things that folks can implement to do a better job?
So there's a couple of things.
One, in terms of automation, what we have found is the teams that are more sophisticated
and have deployed automated capabilities to take care of some of the manual
steps that are very time-consuming and contribute to what we consider the dwell time from the time
an attack is identified until it's actually resolved. The use of automation is something
that all organizations have or should be adopting, and we would encourage that pace to quicken as they go forward.
...exercise the teams in order to sharpen their skills, understand where the organizational weaknesses are,
and then reinforce against those potential weaknesses that are identified.
And then in terms of what we consider the soft skills or the job satisfaction area is continuously explore the roles of the individuals and what their actual tasks are and continue to evolve what their
current tasks are and provide them career guidance towards other areas of interest that
will continue to pique their interest and maintain their loyalty to the organization
and grow professionally.
That's also where automation comes in place.
If we can introduce
automation that takes care of some of the more mundane tasks, the individuals that are there
can be repurposed to take on some higher order tasks that are typically more interesting and
challenging.
That's Ned Miller from McAfee.
The EU's controversial copyright regulation, which has advanced closer to becoming
law (it's not there yet, but it's closer) still attracts little love from the tech industry and
internet users. It would block a great deal of the sort of sharing that's now become routine,
including the popular sharing of low-grade memes. The regulations will now become matters of
negotiation with member states' national authorities, and that won't be a swift process.
In the U.S., Congress remains unwilling to follow the administration in cutting ZTE some slack.
Congress is also not interested in doing Huawei any favors, either.
Google's cooperation with Huawei has drawn some attention on Capitol Hill.
If you're unwilling, on what you suggest
are principled grounds, to cooperate
with the U.S. Department of Defense on IT research,
exactly why do you see no problem
with working hand-in-hand with Huawei
on projects of mutual benefit?
Huawei is, in the prevailing congressional view,
a security risk, a reliable adjunct of the
People's Liberation Army's cyber operators. How is that cooperation better than working with,
say, the DoD's Silicon Valley technology scouts? Some members of Congress are clearly in a
sauce-for-the-gander mood. Congress is also asking the U.S. Department of Education to look into 50 research partnerships
between Huawei and various U.S. universities. Some members of Congress, again, consider those
relations a security risk. And, desiring to prevent a recurrence of security wrangling over ZTE,
Kaspersky, and Huawei, a bill has been introduced into the Senate that would establish an
interagency
Federal Acquisition Supply Council that would be charged specifically with responsibility
for developing cybersecurity supply chain criteria.
According to stories in the Wall Street Journal and TechCrunch, Tesla Motors is suing a former
employee for a million dollars, alleging he hacked them for trade secrets,
which he subsequently gave competitors.
Elon Musk did some email rumbling about the sabotage
and hacking early this week,
and the company filed a lawsuit yesterday
in a Nevada court against Martin Tripp,
who formerly worked at Tesla as a process technician.
Tesla's suit alleges that Tripp, quote,
admitted to writing software that hacked
Tesla's manufacturing operating system and to transferring several gigabytes of Tesla data to
outside entities, end quote. The company says that Tripp was upset at being reassigned within the
company. Musk says Tripp was sore about his failure to be promoted, and that Tripp did what
they allege he did in retaliation for what he felt
was ill-use. The Washington Post says that Tripp told them he didn't tamper with any internal
systems. Instead, he said he was a whistleblower, alarmed and moved to speak by, quote,
some really scary things, end quote, he saw at Tesla Motors. Among those things were,
according to Tripp, a high rate of raw material waste and
the installation of dangerous punctured batteries in some Tesla cars. The raw material waste story
found its way into Business Insider earlier this month, and Tripp acknowledged he was the source.
Tripp also denied having hacked anything, saying, quote, I don't have the patience for coding.
Musk's company is taking the founder's fears of sabotage seriously.
Physical security has been beefed up at Tesla's Gigafactory in Nevada.
Yesterday, our partners at Accenture celebrated the opening of their newest cyber fusion center,
this one in Alexandria, Virginia, just outside Washington, D.C.
Virginia Governor Ralph Northam was there for the ribbon-cutting and to acknowledge Accenture's commitment to add 1,000 new jobs to the region by 2020.
The cyber fusion center puts Accenture's threat intelligence, incident response, and
adversary simulation under one roof. I stopped in for a tour of the new facility, which features
impressive views of Washington, D.C., glass-enclosed meeting and collaboration rooms, large displays on
the walls monitoring cyber threats from around the world, and clusters of workstations for
developers, researchers, and threat hunters to do the
things they do.
At the grand opening, one of the demos highlighted the team's ability to infiltrate a client's
industrial control systems and alter the settings on a critical safety system.
So when the attacker does this, he's changing the parameter in the safety system so that
now that in and out cadence that you were hearing has stopped.
We now get the tank filling up with pressure just by changing that one parameter.
For the demo, an overinflated balloon substituted for an exploding gas storage facility.
But the security implications were clear.
I sat down with Ryan LaSalle, managing director and North American lead at Accenture.
I want to touch on the notion of proximity from two different directions.
First of all, proximity to the nation's capital.
You are, as you look out the windows here, you have a fabulous view,
but you're looking at Washington, D.C.
You're in the shadow of that city,
and obviously we don't have to go into the importance of that,
but why is it important to you from a business development point of view
to be that close, to be that accessible? So first, I think the future innovation and the research
agenda of cyber defense is happening here. I mean, this corridor from really from Dulles Airport up
to Baltimore is the cyber innovation corridor. This is the place where it happens. It was important
from a talent perspective. This is the place where those entrepreneurs and the talent base live. From a business development standpoint, certainly,
this market is rich with the federal government and their need for cyber defense services,
but also a pretty healthy commercial community that is also looking at ways to defend themselves,
whether they're hospitality organizations or banks, financial services organizations. I mean,
there is a
bustling economy inside the DC Beltway beyond just the federal government. The other thing I want to
touch on with proximity is the proximity that you've placed everyone within the space itself.
It strikes me that that is a very deliberate part of what you've designed here. First of all,
was it always that way? Were the teams always able to communicate this way? And if not, what are the benefits of having them here together?
So first I'll say these teams have never been co-located before.
They're teams that came through some through organic growth,
some through acquisitions over the last couple of years.
And we've been stitching together that cycle of no B, C, and expel as we've been growing.
So this is the first time the teams are all together
in one place and we work really closely with all the different teams to design a space that was
accommodating to the kind of work they do but we put the coffee and the snacks at the corners
and the teams have to go and bump into each other when they're uh getting caffeinated so if you want
to, if you want to fuel up, that's where the innovation happens. We also put the biggest TVs there. So the other day when Tunisia was playing England in the World
Cup, and there was a cross team of lots of different groups working, sitting together
around the table, watching the game, coding away, doing analysis, whatever they were doing,
there were three different languages being spoken at that table. And we could hear this
collaboration happening in a way that you can't force. You've got to create the space and then give them the room to innovate.
This is a substantial investment.
It makes for a great tour.
What is the justification that Accenture has made for that investment?
What is the bet that you're placing that spending this kind of money is going to pay off for you and your customers?
Well, I think there's three main things that we think are really important.
First, when our clients come to a space like this, they can look out and see all of DC.
And so it's not like they're in an innocuous conference room somewhere.
They can really sort of awe them in the experience.
And the whole space is designed around a design thinking approach that gets people out of
the comfort zone and thinking about their problems and how to solve them more creatively. So we geared the space around that. And that does
kind of feel higher touch. The second one I think that's really important is security is a war for
talent. And getting the best people means that you need to make sure that they have the tools
and environment that they need to innovate, create, and contribute.
And so we think that just investing in our people in a space like this is important because it gives them a place to come every day that they're excited to show up and do their best.
And then I think also as we look around at kind of how we're growing in this space,
the neighborhood that we're in, again, is right in the hub of security innovation.
And so being in proximity to all the things around us,
the ecosystem around us, is really, really important.
Endgame's up the road, DARPA's up the road,
they're all right around us.
And that's really critical,
to be kind of in the hub of the contact of the ecosystem.
That's Ryan LaSalle from Accenture.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.