CyberWire Daily - Mamba ransomware’s evolution. Facebook acts against Evil Eye. Huawei is invited into OIC-CERT. Slack Connect gets poor security and privacy reviews. An excursus on fleeceware.
Episode Date: March 25, 2021
The FBI warns organizations that Mamba ransomware is out and about in a newly evolved form. Facebook takes down a Chinese cyberespionage operation targeting Uyghurs. Huawei joins the Organization of Islamic Cooperation. Slack thinks it might have made a security and privacy misstep. Caleb Barlow from CynergisTek on Healthcare Interoperability. Our guest is Roei Amit from Deep Instinct on their 2020 Cyber Threat Landscape Report. And a look at fleeceware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/57
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI warns organizations that Mamba ransomware is out and about in a newly evolved form.
Facebook takes down a Chinese cyber espionage operation targeting Uyghurs.
Huawei joins the Organization of Islamic Cooperation.
Slack thinks it might have made a security and privacy misstep.
Caleb Barlow from CynergisTek on healthcare interoperability.
Our guest is Roei Amit from Deep Instinct on their 2020 Cyber Threat Landscape Report.
And a look at fleeceware.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Thursday, March 25th, 2021.
On Tuesday, the US FBI circulated a flash alert about Mamba ransomware to industry.
Mamba now uses a weaponized version of DiskCryptor against its targets.
DiskCryptor is an open-source full-disk encryption tool.
As the FBI points out, the software isn't inherently malicious, but Mamba's operators have weaponized it.
After Mamba has done its work and rendered the victim's files inaccessible, it displays a ransom note that includes the actor's email address, ransomware file name, the host system name, and a place to enter the decryption key.
Victims are instructed to email the extortionist and arrange payment of the ransom.
A decryption key is promised in exchange for payment.
The Bureau recommends adopting 15 specific and familiar hygienic practices to avoid a Mamba infestation.
One of the recommendations is peculiar to defense against this latest version of Mamba.
Quote, if DiskCryptor is not used by an organization, add the key artifact files used by DiskCryptor to the organization's execution blacklist. Any attempts to install or run this encryption program and its associated files should be prevented, end quote.
And of course, the Bureau discourages anyone from paying the ransom.
Quote, payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities, end quote.
So, you may not get your files back even if you pay, but one thing is for sure, you'll help fuel the bandit economy of the cyber underworld.
Facebook announced yesterday that it had taken down a Chinese cyber espionage operation directed principally against Uyghur activists, journalists, and dissidents living abroad in Turkey, Kazakhstan, the U.S., Syria, Australia, Canada, and other countries.
Facebook's tweet announcing the takedown cited earlier work on the threat actor by Volexity, Project Zero, and Trend Micro, who called the group Evil Eye.
Facebook said that a lot of the surveillance activity was conducted off-platform, with surveillance installed via maliciously crafted bogus news articles that falsely represented themselves as media reports in outlets covering news of interest to the Uyghur diaspora.
Those links are now blocked on Facebook.
The Washington Post notes that the takedown shows that Facebook's intelligence operations are now looking beyond Facebook itself.
Huawei has joined the Organization of Islamic Cooperation's Computer Emergency Response Team, OIC-CERT, the first tech company to do so.
Malaysia and the UAE sponsored Huawei's membership, Gulf News reports.
OIC-CERT is the third largest organization of its kind. The Organization of Islamic Cooperation has 57 member countries.
Huawei sees its invitation to OIC-CERT as a testimony to its cybersecurity chops.
Gulf News sees that invitation as, quote, a rebuff to recent U.S. efforts to stop countries from signing up Huawei for their 5G networks, end quote.
The four most dismaying words in IT may be, why don't we just, as in, why don't we just open up our platform so users can DM anyone?
Slack, the widely used business chat application, yesterday introduced a feature, Slack Connect, that would have allowed messages to be exchanged with people outside the user's organization.
Early notices haven't been positive.
It was poorly received, with users seeing the feature as a privacy and security bug.
According to Vice's Motherboard, Slack, acknowledging the decision was a mistake, is now backtracking and limiting the new feature's scope.
Quote, after rolling out Slack Connect DMs this morning, we received valuable feedback from our users about how email invitations to use the feature could potentially be used to send abusive or harassing messages. That is inconsistent with our goals for the product and the typical experience of Slack Connect usage. End quote.
Many organizations aren't waiting for the walkback and are limiting the feature themselves, The Record reports.
You may ask, don't people in organizations get lots of email that they don't want?
Sure, but as the help desk types would say, that's a known issue, and organizations have a lot more control over their email environments than they do over Slack Connect, whose granularity apparently doesn't get much finer than on or off.
And finally, greetings, fellow youths, and remember, fleeceware?
Well, don't worry, fleeceware remembers you.
It has to remember you, at least well enough to know when that free trial ages into a premium subscription.
Security firm Avast yesterday blogged about what they found when they went looking for fleeceware on planets Apple and Android: 250 apps with north of a billion downloads and an estimated dodgy revenue in excess of $400 million, which is a lot of fleece.
Fleeceware, remember, is an app that starts off with a free trial and then, at the end of the trial period, quietly enrolls the inattentive user into a subscription with whopping big fees that users wouldn't have signed up for if they'd been in their right, which is to say skeptically vigilant, mind.
As Avast puts it, quote, the application takes advantage of users who are not familiar with how subscriptions work on mobile devices, meaning that users can be charged even after they've deleted the offending application, end quote.
The free trial period is usually just three days long.
The apps usually have some not particularly distinctive functionality which they actually deliver, more or less forgettably, but their principal purpose is to fleece the unwary.
The most common nominal benefits on offer include musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and slime simulators.
Who falls for this stuff?
Kids, mostly, as the popularity of slime simulators might suggest.
The youth see free trial, figure they're good to go, and so they are.
For three days.
After that, it's Katie bar the door, until mom or pop notice these weird subscription charges on their statements.
By that time, the grifters have, as the kids like to say, already made some bank.
The researchers at security firm Deep Instinct recently published their 2020 Cyber Threat Landscape Report.
And among the findings was the discovery of adversarial machine learning being used in the wild.
Roei Amit is a threat intelligence researcher at Deep Instinct.
So every year around December, we realized we have a lot of data that we collected over the year and we think that we have some insights that we think could contribute to the community and to our purposes. So we gather up all of our data we collected in our cloud and other resources and we create this research paper, which is not too long, but not too short. And we just, yeah, you know, it's right about exactly the amount you want to read without getting too caught up in all the technical details. But still, you know, feel like you had a good and interesting read and not just, you know, get the highlights.
Well, and I mean, would you say it's fair to say 2020 was a year like no other given the pandemic?
I totally agree. We've seen a lot of interesting things happen, especially because of COVID-19. For example, almost all of the phishing campaigns in some way or another included COVID-19. This was like the most talked-about hot topic in the phishing campaigns themselves, the documents or the fake links that were used. It's also interesting to know that the second most common subjects were the US elections and the Black Lives Matter movement.
That is interesting.
Yes, I agree. It's very interesting to see what attackers think that might be interesting for their targets.
Right.
One of the things that you draw attention to here is advanced adversarial machine learning in people's defense posture. Can you take us through your thoughts there?
Yeah, sure. We saw in the past theoretical work and proof of concepts in which adversarial machine learning attacks are aimed at security products that utilize machine learning and deep learning in order to evade their detection. What they basically do is trying to take advantage of design weaknesses and flaws that are inherently in the way that machine learning-based or deep learning-based cybersecurity models work in order to evade their detection. And we saw it in the past in proof of concepts and in theory, but actually in 2020 we found a sample in the wild that utilizes adversarial machine learning techniques in order to bypass these products. And I'm not saying we can expect every malware to be able to do so, but it is something new and something that should be looked at by anyone in the industry. It's very interesting to see what happens. And of course, there are ways to defend and these products can defend from these techniques. But it is very interesting to see that hackers and attackers also evolve and malware developers are continuing to try to find ways to bypass these products.
That's Roei Amit from Deep Instinct.
And joining me once again is Caleb Barlow.
He is the CEO at CynergisTek.
Caleb, it's always great to have you back. Today we are talking about healthcare interoperability and the effect that may have for security professionals. What sort of things do you want to share with us today?
Well, hello, Dave.
Hello.
What if I told you, and kind of everyone listening, that you needed to open up your corporate databases so that any of your clients, or let's say even independent research groups, could access your most sensitive records? And oh, by the way, this was going to be required by regulation.
I think most people listening to this podcast would probably have an issue with that.
Yeah, I think you'd get a fair amount of pushback on that.
I think it's fair to say.
But that's what's happening in healthcare.
So there's something called the 21st Century Cures Act.
It was signed into law in December of 2016.
And this was the start of what we call the information blocking and interoperability rule.
So, Dave, imagine if you're a healthcare provider. The rule prohibits information blocking, which is defined as something that, except as required by law or covered by an exception, is likely to interfere with the access, exchange, or use of electronic health information. And the rule goes on to define kind of eight exceptions that would not, you know, construe information blocking.
So what does this mean? Well, this means that if a patient has an app, let's say a fitness app, or, you know, something else that, you know, maybe they're working on weight loss, or it could be any number of applications that want to access your healthcare record, you need to allow it unless one of these eight exceptions is met. But what it also means is that an independent researcher, let's say someone doing cancer research, and they want to access patient information on cancer patients, you also need to allow that as well.
Okay.
What about patient privacy?
Well, remember, when we look at patient privacy, the way this comes into play under HIPAA is by requiring that entities that access a healthcare record have certain security provisions and controls in place. It doesn't restrict them from actually accessing it in the first place. It just says they have to take due care when accessing it. So in a lot of ways, this opens it up. And remember, HIPAA is all about portability. Now, the P in HIPAA is portability as it refers to insurance. But if you really kind of dig through all these murky regulations, it's also about opening up healthcare information for research, for other applications, and other things you may want to do.
So on one hand, as a consumer, this is great because I can go in, I can see what's in my healthcare record, I can link it to my fitness application or whatever else it is I want to track. But from a security professional standpoint, this is a nightmare because I have no idea what the security is of these apps. I may not even know who's behind these apps in terms of ownership or these research projects, but I have to allow them in. And we're actually moving into a mode here where the actual enforcement of this rule is going to start to come into play over the next couple of months.
Is there no vetting? I mean, can anybody just hang up a shingle and call themselves a researcher and have at your medical records?
Well, it's not quite that simple. And as you can imagine, like all regulations, this is very murky. And no one yet really totally understands exactly how this is going to be enforced.
But suffice it to say, you could, as a healthcare provider, restrict someone from accessing this information if one of these eight conditions were met. And one of them, of course, is security. So you've got to look at the type of risk, the type of harm. So risk of harm is one of the issues. Privacy is one of the issues. Security is one of the issues. Or if it's simply infeasible, not just, I don't want to do it, but truly infeasible to access this data. Otherwise, you've pretty much got to allow this, and you're going to have to demonstrate why you think that individual or entity asking for access can't secure it or has an associated privacy risk with it.
Are people out there already trying to take advantage of this? Are they knocking on healthcare providers' doors and saying, let us have at it?
Well, I think we have to divide this, Dave, into kind of two swim lanes.
The first swim lane, which is, can a consumer take advantage of this? The answer to that is absolutely yes. I mean, I know my healthcare provider, there's an online portal. I go in and there's a laundry list of applications that they've already worked through the API that I can connect to my mobile phone or to other entities that may not even be mobile. And that's fantastic. I mean, it was honestly, it was kind of interesting just to see what notes my doctor wrote about me and my healthcare record and what was in there and all kinds of interesting, like you can see, legit, your data. So that part is fantastic.
But the other side of this, and the part that healthcare CISOs are just starting to understand, one of the things that we're spending a lot of time in my business on is looking at these APIs that may be coming in and saying, what's the API asking for? Do we know if the API is secure? How do we pen test that API? I think we're just at the beginning of security professionals being concerned. I don't think we've yet seen instances of abuse. But there are certainly all kinds of doomsday scenarios that people are starting to think about, particularly on these research provisions, right? I mean, how do we actually understand who's doing the research, where they come from, who owns that research, what happens to it downstream? And that's all the stuff that's going to get worked out over the coming weeks and months as we all figure out how interoperability rolls out.
All right. Well, something to certainly keep an eye on. Caleb Barlow, thanks for joining us.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
We'll see you back here tomorrow.
Thank you.