CyberWire Daily - Malicious apps do more than extort predatory loans. A Facebook account recovery scam. Notes from the hybrid war. Goodbye SHA-1, hello Leviathans.
Episode Date: December 16, 2022
A predatory loan app is discovered embedded in mobile apps. Facebook phishing. GPS disruptions are reported in Russian cities. NSA warns against dismissing Russian offensive cyber capabilities. Farewell, SHA-1. Kevin Magee from Microsoft looks at cyber signals. Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing. And welcome to the world, Leviathans.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/240
Selected reading.
Zimperium teams discover new malware in Flutter developed apps (SecurityBrief Asia)
Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain (Trustwave)
GPS Signals Are Being Disrupted in Russian Cities (WIRED)
NSA cyber director warns of Russian digital assaults on global energy sector (CyberScoop)
Russia's cyber war machine in Ukraine hasn't lived up to Western hype. Report analyses why (ThePrint)
NIST Retires SHA-1 Cryptographic Algorithm (NIST)
Historic activation of the U.S. Army's 11th Cyber Battalion (DVIDS)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A predatory loan app is discovered embedded in mobile apps.
Facebook phishing.
GPS disruptions are reported in Russian cities.
NSA warns against dismissing Russian offensive cyber capabilities.
Farewell, SHA-1.
Kevin Magee from Microsoft looks at cyber signals.
Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing.
And welcome to the world, Leviathans.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, December 16th, 2022.
Zimperium has found a novel predatory loan application, MoneyMonger,
embedded in mobile apps developed with Flutter.
It's found in apps sold through third-party stores.
MoneyMonger collects a large amount of personal information from its victims
and then uses that information in what Zimperium describes
as multiple layers of social engineering,
ultimately seeking to extort even more money from the marks
than the original conditions of their predatory loans themselves. Zimperium concludes that the
code they've discovered forms part of a more extensive predatory loan malware campaign
previously discovered by K7 Security Labs. So, predatory lending is bad enough, but in this case, the criminals seek
to enmesh the victims in a tangle of threats, pressure, and further extortion with some data
theft on the side. Researchers at Trustwave have observed a phishing campaign that informs
recipients that their Facebook account will be locked within 48 hours for a copyright violation.
The phishing emails themselves are very poorly written,
but they contain a link to a fairly convincing Facebook post.
The researchers write,
Instead of the usual phishing link to an external landing page,
this mail sample is crafted with a link that points to an actual Facebook post.
The content of this Facebook post appears
legitimate because it uses a dummy page support profile with the Facebook logo as its display
picture. At first glance, the page looks legitimate, but the link provided in this post leads to an
external domain. The link in the Facebook post leads to a spoofed version of Facebook's appeals page,
hosted on a domain that impersonates Facebook's parent company, Meta.
Once you're there, thinking you're about to get your account unlocked,
you'll be asked to enter some information.
The Trustwave researchers explain,
Upon clicking the Send button, any information entered in the form by unsuspecting victims
will be sent to the
cyber criminals, along with the victim's client IP and geolocation information. Inspecting the
source code reveals a link to a JavaScript file, which contains the function that will retrieve
any information provided to its form when triggered. After the victims enter their
information,
they'll be redirected to Facebook's real website, possibly none the wiser.
Trustwave concludes, These fake Facebook violation notifications use real Facebook pages
to redirect to external phishing sites.
Users are advised to be extra careful when receiving false violation notifications
and not to be fooled by the apparent legitimacy of the initial links.
Wired reports that GPS signals are being jammed in some Russian cities.
Russian electronic warfare operations have periodically disrupted GPS during the present war.
The motive in this case may be interference with GPS-guided Ukrainian drones
and missiles that have recently struck military targets inside Russia. It's now become a commonplace
and correct observation that Russian cyber operations have fallen far short of pre-war
expectations, but U.S. NSA Cybersecurity Director Rob Joyce warns against complacency.
CyberScoop quotes him as saying during a press briefing on the release of NSA's 2022 retrospective,
I would not encourage anyone to be complacent or be unconcerned about the threats to the energy sector globally.
As the war progresses, there are certainly the opportunities for increasing pressure on Russia at the tactical level,
which is going to cause them to re-evaluate, try different strategies to extricate themselves.
So, listen to Mr. Joyce and don't get cocky, kid.
The mention of the energy sector is significant, as it had been expected to be a principal target of Russian cyber operators.
They had shown the ability to interrupt service across portions of the Ukrainian grid in 2015 and 2016,
but those cyber attacks haven't been reprised in the present war.
This isn't due to any tenderness about civilian suffering or indiscriminate targeting either,
as the drum fire of Russian missile strikes demonstrates. Some of the failure of
Russian cyber operators to show up is certainly due to effective Ukrainian defense, but a complete
explanation remains a matter for speculation. The report that Cybersecurity Director Joyce was
introducing also outlined the support NSA has rendered over the course of 2022 to defensive operations prompted
by Russia's invasion of Ukraine. The NSA Cybersecurity Year in Review report summarizes,
as Russia invaded Ukraine in early 2022 and the U.S. held Russia accountable,
intelligence indicated that the Russian government was exploring options for potential cyber attacks against the U.S.,
including its critical infrastructure sectors. NSA, CISA, and FBI issued cybersecurity advisories
in January, February, and April to heighten awareness of the threat and promote understanding
of Russian state-sponsored and cybercriminal tactics, techniques, and procedures so that
net defenders could strengthen their defenses.
Through operational collaboration with defense industrial base companies and their service providers,
NSA's Cybersecurity Collaboration Center played a leading role in protecting key critical infrastructure sectors.
The CCC conducted more than 2,000 bidirectional exchanges in the first four months of 2022,
sharing NSA's insights, actionable information on Russian cyber TTPs,
and building a more fulsome intelligence picture with industry's help.
Throughout the conflict in Ukraine, NSA has provided foreign signals intelligence insights
that have aided U.S. government leaders, NATO,
and the U.S. European Command. It has also provided cryptographic security products
to meet unplanned emergency requirements and to support urgent missions. It has rapidly deployed
more than 150 communications security devices to support mission operations during the global crisis.
It is so long at last to SHA-1. NIST urges those who still use it to move away from the venerable SHA-1 encryption algorithm in service since 1995. They state,
the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life, according to security experts at NIST.
The agency is now recommending that IT professionals replace SHA-1 in the limited
situations where it is still used with newer algorithms that are more secure, that is,
with SHA-2 or SHA-3. SHA-1 has grown unacceptably vulnerable to collision
attacks. Leaving SHA-1 will be a long goodbye. NIST explains that these things aren't done
overnight, stating, Modules that still use SHA-1 after 2030 will not be permitted for purchase by
the federal government. Companies have eight years to
submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions
before a deadline, we recommend that developers submit their updated modules well in advance
so that CMVP has time to respond. And finally, the U.S. Army has activated the 11th Cyber Battalion, the Leviathans, at Fort Gordon, Georgia, with official ceremonies welcoming the new organization held yesterday.
Good luck and good hunting, Leviathans.
Coming up after the break,
Kevin Magee from Microsoft looks at cyber signals.
Our guest is Jason Witty of USAA
to discuss the growing risk from quantum computing.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you
know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Quantum computing has the potential to greatly increase the speed and power of computers,
and with that comes great promise as well as potential risk,
particularly to encryption methods.
Jason Witty is chief security officer at insurance and banking organization USAA,
and I caught up with him for insights on being quantum ready.
There are things that exist today already in terms of the quantum computing offerings that large-scale technology companies have today.
But there's also what we predict is going to happen in the next 10 years,
and that's where it gets really interesting and why we're talking about it now.
Quantum computing certainly has the promise
of delivering tens of thousands,
hundreds of thousands, even tens of millions
of times more compute capacity
than classic computing environments have.
So that can really go to solving some
really, really, really large challenges that we couldn't do with today's
compute environment.
But also from a security standpoint,
having that much compute power at your fingertips
roughly 10 years from now
puts asymmetric cryptography
at real risk of being decryptable at that timeframe.
And because we're using asymmetric encryption
in so many different things like SSL or TLS or just HTTPS in general,
all of that traffic being hoovered up by military intelligence in several countries
for the purpose of being able to decrypt that 10 years from now is certainly a concern.
So that's why I think we're talking about that now. And there's a lot to
unpack there. And where do we stand in terms of having confidence in the timeline with the
research that we're seeing, the announcements we've seen made? Where do we stand there?
Yeah, it's a really good question. One of the things that happened five years ago was that
there was a prediction that it would take about five years for there to be quantum parity.
So being able to calculate, using a quantum computer, the same thing that you could do with a regular classical computer.
And so if that was five years ago, that actually happened about three years ago.
So it was greatly accelerated to have this prediction that it was going to take five
years and actually took two. Similarly, for a very narrow scope, quantum superiority, where you can
actually calculate the things faster using a quantum computer than a classic one, was predicted
to be several years after that, and it actually happened the same year. So I would say our ability to predict where this technology is going
has been kind of, you know, not a whole lot of confidence in terms of, is it really like a decade
from now? Or is it two decades from now? Or is it like a year from now? However, what I would say
is that we generally are stating that quantum things are going to happen in the 5 to 10 to 20 year time frame.
And we're generally seeing that those things are happening faster than most of the predictions.
But across the scientific community, having quantum computers at the level where they can
actually break asymmetric encryption, there is general consensus right now that that problem
is about 10 to 12 years from now.
And because it's 10 to 12 years from now, we should be very thoughtful about what does that mean for the next five years.
In terms of new algorithms coming online that are in the post-quantum encryption environment, PQE,
we will then need to understand where do we have traditional algorithms and inventory
all of those traditional algorithms, then plan on replacing them with these post-quantum
encryption algorithms.
And then how long is that rollout going to take?
And is that going to be able to be done by the time the threat landscape around quantum
changes?
What is your sense in terms of urgency for folks who are responsible for security?
To what degree should they be actively pursuing solutions for their own environments?
Yeah, so the National Institute of Standards and Technology has recently come up with a small number of PQE replacement algorithms,
post-quantum encryption replacement algorithms.
So now it is really on all of us to make sure that we start
in the inventorying phase to ensure that we have the ability
to migrate to these new algorithms and we know where they're in use today,
then there's the phase of actually doing the migration.
And then there is along that same timeframe,
let's just say for argument's sake,
that the inventory might take you two or three years
and the migration might take you two or three years
and you actually start the migration in parallel.
Along that roughly six-year window, hypothetically,
you also want to be able to decouple as much as possible
the encryption and the decryption and the key management processes
so that you have crypto agility so that if you get to the end
of that six-year timeframe and now all of a sudden
something's wrong with one of the algorithms
or there's some breakthrough that's happened, you have the ability to switch out again
and you have an agile way of doing your key change or algorithm changes.
Is there a hit that organizations could take in terms of performance
by implementing some of these more advanced algorithms?
Or does the asymmetry mean that that's not so much of an issue?
No, it can certainly be an issue.
And the whole thing with post-quantum encryption is it is classically computed algorithms using classic computers that are more resistant to quantum computers attacking those algorithms.
There's a lot of different theoretical algorithms that are out there today.
They are all trying to balance the performance hit
with the additional security that you get with the algorithm.
But certainly, that's part of the process is understanding,
where do you take that hit and can you horizontally scale to just deal with it?
Or do you have to, you know, have bigger compute capacity
on an individual server-by-server basis?
That's Jason Witty from USAA.
There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews. And joining me once again is Kevin Magee.
He's the Chief Security Officer of Microsoft Canada.
Kevin, always great to welcome you back to the show.
You and your colleagues at Microsoft recently released a report.
It's, I believe, titled the Cyber Signals Digital Briefing.
This is the second one you all have put out.
Can we go through some of the highlights here from this report?
Thanks, Dave.
Thanks for having me back.
It's always great to chat with you.
This is a new quarterly research report. This is our second edition we've come out with, and it's not focused on the super highly technical.
It's more like a signals intelligence report
where we're listening to the 40, 50,
I'm not sure how many trillion signals we have at this point
across our global platform.
And we're building intelligence
that can be shared with business leaders.
So this is a report that you can share
with the business leaders in your organization,
with your senior executives, with your board of directors, to help them understand some of the
challenges you are seeing in the marketplace. But it's not driven on sort of hearsay or, you know,
observations. It's driven on hard data that we're seeing from our platform. So I think that's the
unique place that we're trying to carve out in educating the vendor community and also our customer base.
Can we dig into some of the specifics here? What are some of the things that caught your eye?
Yeah, this one is focused on ransomware and it's entitled Extortion Economics,
Ransomware's New Business Model. And my read of it is really the days of the ma and pa
sole provider hacking team is kind of done. We're seeing a
professionalization, industrialization of the ransomware industry. And I often joke that you'll
run into a hacker now in the criminal markets. They don't want to be called a hacker. They want
to be called an extortion engineer. I think that's the phase of ransomware we're seeing going through.
But what does that mean in real terms? Distributed networks, cybercrime is becoming
a gig economy. There's a great deal of focus on innovation. We're seeing a move to subscription
based business models, ransomware as a service, initial access brokers. You've covered a lot of
this on the podcast, which you've seen more and more evidence of this in the marketplace as well.
We're also seeing adoption of affiliate marketing and multi-level
marketing and human-operated approaches. They're running these more like businesses and distributed
businesses as opposed to sort of how we envision the traditional hacking team. And it's a profound
change in the business models, which presents some threats and it also presents some opportunities
for us as well. Yeah. Can we talk about some of those opportunities? I mean,
what in your mind are the possibilities in terms of disruption?
I think for the short term, it's going to get worse because they're evolving faster than we are.
But what is happening in the back end, and I hope I'm proven right in there,
is in order to build these bigger markets where you're having less sophisticated people
join affiliate networks and whatnot, you have to standardize
and you have to build standard products
and build things that are consistent.
Because if you're providing ransomware as a service
and you need to provide an upgrade,
you're now acting like a software vendor
as a cyber criminal
and you need to run that business.
So standardization means
they're going to continue to use the same tactics. They may lower the tactics, they may make them easier and whatnot.
As that continues, that gives us a chance to, when we defend, defend against a larger segment of
these attacks. So short term, and I don't know what short term means in cybersecurity, it could be
weeks, it could be years, I think there will be more pain. But as we see them try and really build business models that are global and distributed, they're going to suffer the same challenges that any other business faces. And that gives us as defenders a chance to find new ways to build defenses.
Are you optimistic that we're on the right path here, that this is something that's achievable?
Well, I have to be, Dave. I would be able to do my job.
I want to thank, you know.
You are, after all, Canadian.
Yeah, yes.
And I'm sorry.
But we have to really look at capitalizing on some of these opportunities and thinking forward of how we're going to address these challenges.
We're seeing the transition in the cyber criminals
from technical, highly technical operated attacks
to more business email compromise,
more focusing on the business.
That's something as an organization we can respond to.
Our tech folks, when we were trying to talk
to senior executives and whatnot about building defenses,
they didn't understand our language. They understand the language of extortion. They understand the language of affiliate model ransomware. I think, again,
as we standardize and as we see cyber criminals become more like a business, the private sector,
who's pretty good at business and competition, will eventually be much better equipped and will
be able to harness the entire resources
of the organization at layer nine,
as Bruce Schneier would say,
to sort of combat and defend against some of these attacks.
So I am optimistic.
I do think we'll go through some pain
and a lot more of it till we get there.
But eventually, every time there's a new technological advance,
the attacker-defender balance shifts.
Eventually, I believe it will come back into our favor.
Yeah, I can't help wondering if, as you say, the professionalism continues here, but
I don't think it's ever going to go away completely, but I wonder if we might reach a point
where it exists mostly at the nuisance level, where it's not an existential threat to your business. It's just one of many risks that you have to plan for, but it can be
dealt with. And I think that's where it was a bespoke, one-off type of highly creative hackers
in a very immature market that didn't know how to deal with it. Now we're having a more
commoditized attack approach, a more institutionalized approach to cybercrime. We're getting every year more of an
understanding integrating into resilience, not just security on the business side. So I think
you're right. At some point, it will become a cost of doing business and we will understand how to
deal with that. That's going to take time. That's going to take education. That's going to take really the integration of cybersecurity to be operationalized throughout
the organization, not just still in the tech department.
And in my career, I've really seen that change.
I mean, there was maybe 5, 10, 20 of us in the industry, it seemed, when I got started
a few years ago.
And now everyone's talking about cybersecurity in all aspects of the business.
And if you told me that that would have happened so quickly as it did, I would have been surprised
10 years ago to hear you say that. So again, I'm optimistic. I think when we're in the trenches
and we're fighting it every day, it can seem like it's never ending. But I do see some light at the
end of the tunnel. And hopefully it is, as they proverbially say, not a train.
That's right.
All right.
Well, Kevin Magee, thanks for joining us.
Cyber threats are evolving every second. And staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping
unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
The situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out Research Saturday and my conversation with Or Katz from Akamai.
We're discussing highly sophisticated phishing scams and how they're abusing holiday sentiment.
That's Research Saturday. Check it out.
The Cyber Wire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan,
Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Millie Lardy. Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Pure AI agents connect, prepare, and automate your data workflows, helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.