CyberWire Daily - Metadata signs point to St. Petersburg in l'affaire Macron. UK, Germany, US expect more Russian election influence ops. New IoT botnet appears. US FCC sustains DDoS. Microsoft fixes MsMpEngine. SS7 weakness and 2FA.
Episode Date: May 9, 2017
In today's podcast, we hear that haste may make for, not exactly waste, but at least brazen and ineffectual influence operations. Metadata evidence of Fancy Bear's paws in En Marche! emails. Moscow snorts "false flags," but UK, German, and US officials say the Bears are there and up to no good. ISIS posts another bit of depravity as inspiration. North Korea is thought to be paying for its advanced weapons programs with cyber bank heists. Persirai joins Mirai in the IoT botnet world. The US FCC sustains a DDoS attack. Joe Carrigan from JHU explains the benefits of segmenting your home network. Andrew Blaich from Lookout on finding the Pegasus lawful intercept tool on Android devices. Microsoft patches an RCE flaw in its Malware Protection Engine. SS7 protocol weakness permits defeat of two-factor authentication.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
SS7 protocol weaknesses defeat two-factor authentication.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 9, 2017.
France's presidential election is over and Emmanuel Macron is preparing to take office.
But postmortems continue on the influence operations that released a large number of hacked emails and some apparent fabrications just before French media entered
their legally mandated pre-voting blackout period.
The leaked material has yet to turn up anything observers find particularly scurrilous or
discreditable, and the influence operations seem to have amounted to little more than
tendentious jeering memes on social media.
Thus, the campaign seems to have been ineffectual.
Security firm Flashpoint has told the press that the whole hack-and-release effort was both brazen and hasty,
and the haste manifested itself in comparatively poor preparation and output.
Macron emerged as a serious contender quite late in the campaign cycle,
his candidacy gaining traction as the principal center-right alternative to Marine Le Pen
and the National Front was effectively sidelined by scandal. Thus, whoever got into the emails of
Monsieur Macron and his En Marche! movement had only weeks to run their operation.
Consider the many months in which threat actors were present in the U.S. Democratic Party's networks
and contrast the results of the Macron hack with the damaging enforced transparency
Ms. Clinton's campaign suffered.
While Moscow indignantly denies any involvement in the incident,
circumstantial evidence still points toward Russia.
Attributions to Russian services are being denounced from the Kremlin as slander
and false flags. Research firm Trend Micro has maintained for some time that the operation
against Macron's campaign is circumstantially but significantly similar to the one Pawn Storm,
Fancy Bear that is, the GRU, conducted against the U.S. Democratic National Committee last year,
and it's been publicly joined in that assessment by Flashpoint.
False flags planted in the leaks are of course possibilities,
if not probabilities,
but German and British authorities are taking the threat
of Russian information operations to their own elections very seriously.
Recently retired U.S. DNI Clapper agrees
and says the U.S. should expect more of the same.
He also says that he and the
intelligence community, whose activities he once coordinated, remain convinced that Russia did
attempt to disrupt U.S. elections. Congressional investigations into those activities continue.
For its own part, WikiLeaks, unchastened by l'affaire Macron, continues its Vault 7 dumps Friday, releasing Archimedes,
said to be a CIA tool used to compromise devices operating within a single LAN.
Two other instances of political action in cyberspace merit mention. First, ISIS is back
and has reverted to its distinctively repellent propaganda of the deed, posting video it claims
shows the beheading of a captured Russian
officer. Russia has reacted with outrage, as has most of the rest of the civilized world,
and is investigating the clip's authenticity. Second, people are wondering where North Korea
is getting the money it needs to fund its nuclear and missile programs. Since it can't sell coal to
China anymore, or at least not very much coal,
it appears that Pyongyang is now mainly reliant on cyber theft from banks to pay for its strike
ambitions. The Pegasus lawful intercept tool made the news last summer when it was discovered
exploiting three zero-day vulnerabilities in Apple's iOS mobile operating system.
Pegasus could access all sorts of data
on a compromised phone, including messages, calls, emails, and logs. Apple quickly patched the zero
days that made Pegasus possible, but researchers at Lookout have discovered a new version of Pegasus,
this time on Android. Andrew Blaich is a security researcher at Lookout.
Right around the time when we were investigating the iOS sample in August,
we started to then take a look at a variety of different identifiers, devices that were infected with Pegasus, where they were coming from, account behavior, and looking at kind of apps that were on
these devices that we believed that were infected with Pegasus. And from that, we were able to
correlate and look through our data and noticed a bunch of anomalous findings that we didn't see
anywhere else on devices in the world. And from that, you know, we highlighted some couple
interesting apps. And then from that, we basically opened up a joint investigation with Google,
where we said, hey, we believe these apps may be the Android side of the product.
What do you guys think? Let's continue collaborating and look at this data and see
if we can go any further with it.
So in terms of regular users, because this is a lawful intercept tool, that means that
it's really a targeted tool.
Does that mean that day-to-day people going about their business, this isn't something
that they should really be worried about?
Should it be on the radar?
Can other people take the technology from Pegasus and apply it to regular run-of-the-mill
malware?
Yeah, that's a great point and question, actually. So with Pegasus, this type of
lawful intercept technology is used in kind of very targeted cases, right? So this is not something
that the general population necessarily has to worry about or will encounter in their day-to-day
lives. However, some of the similar techniques in terms of how they can grab data and stuff,
definitely those can be borrowed into kind of the commodity spyware software that you see out there, right?
So there's kind of different buckets of spyware software that was there where Pegasus will be like the high-end using, you know, very targeted specific cases where there's actually commodity malware where anyone can actually go online and buy it.
If you just do some Google searching, you can actually find many, many different products that use some similar techniques, not as advanced as the Pegasus sample, but they still try to go after the device and get the data off it that any user can buy, basically.
And those you'll probably find more commonly, but things like Pegasus are used only strictly in highly targeted cases.
That's Andrew Blaich from Lookout.
A new Internet of Things botnet, Persirai, has been discovered by security firm
Trend Micro. It affects internet-connected cameras, exploiting a known password-stealing bug about a
thousand models of cameras share. Trend Micro says they've run a Shodan search that found about
120,000 cameras vulnerable to Persirai. Many of the camera users, Trend Micro says,
are probably unaware that their systems are even connected, let alone exposed.
It's thought that Persirai will be used in much the same way Mirai was
for distributed denial-of-service attacks.
Today is Patch Tuesday, but one problem couldn't wait.
Microsoft late yesterday fixed a remote code execution vulnerability
that Google's Project Zero found in Windows' Malware Protection Engine,
commonly known as MsMpEngine.
Google called the bug crazy bad.
The Malware Protection Engine is enabled by default in most versions of Windows.
The vector that enables attackers to get into MsMpEngine can be an email,
an instant message, or a visit to a link.
Remote code execution becomes possible if MsMpEngine scans a maliciously crafted file.
With its fix, Microsoft warned that, quote,
an attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system, end quote. Today's regular security update ...
Banks and their customers, mostly in Germany, have been hit by criminals who exploit a weakness in the Signaling System No. 7 messaging protocol, also known as SS7, to bypass two-factor authentication.
The crooks have enjoyed some success, so watch your SMS messaging.
It's worth noting that this isn't an exploit that gains a hacker initial access.
Rather, it bypasses the final line of defense.
To get that far, the criminals first need to get the banking customer's username, password, and telephone number.
But those, alas, are often gettable.
So when the SS7 exploit enters, it's ...
And I'm pleased to be joined once again by Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
Joe, I was speaking to a security researcher recently who was talking about people's ability to hack into TVs.
And one of the things he brought up was this notion of within your home network basically segmenting it,
having a separate Wi-Fi network for your IoT devices versus your regular laptops, your phones, your regular web browsing.
What's your take on that?
I think it's a great idea.
The only issue I see with it is it's not something every layman is going to have the ability to do.
It might be out of reach of guys or girls like my parents, for example.
They're probably not going to be able to do this.
And my parents actually do have a smart TV in their house.
It would be nice to be able to segment it.
So it would be simple enough to do.
You could either have a piece of equipment
that can handle the VLAN
or perhaps have a guest network segmentation.
Or you could actually buy two pieces of hardware
and have one piece of hardware handle
the Internet of Things products in your house, like your TVs, your thermostat, or whatever,
and have the other piece of hardware that you control handle your Wi-Fi network for
your family's devices. Yeah, this is something we did in our house for a while, just sort of to
control access for the kids, to keep them from being on the network at all hours of the day and night.
We had a separate network set up for them
that had time restrictions on it,
and then one for my wife and I that was unrestricted
that was actually hidden.
It didn't broadcast its name,
so they didn't even know it was there.
That's great.
Because if they knew it was there,
they would certainly crowdsource a solution
to hack into it.
Right, absolutely.
So I've been thinking about doing this as well,
simply because my ISP is Verizon.
And I think last time we were talking and you asked if I had any IoT devices in my house,
and my immediate response was, oh, no, I don't have any of those.
And then you asked, well, what about your cable boxes?
And I went, oh, yeah, those are essentially just little Linux boxes that sit on my network.
They creep in.
Exactly.
So, you know, these things, you don't even think about what you have as an IoT device.
Right.
We have a television that can run Netflix, can run, you know, Spotify, and it can run apps.
And it's on the Wi-Fi network.
That's right.
And my daughter has one of those as well that she uses as a streaming device and a computer monitor.
So again, as we talk about, you and I talk about over and over again, is attack surface.
Exactly. And so if you can separate the attack surface of all these IoT devices.
Right.
And now if somebody compromises one of your IoT devices, and these things never get updated,
then that's the problem with them.
So now if somebody compromises my IoT device, it's isolated on a network, and the only thing
it's going to have access to is other IoT devices, things that I might not consider
to be critical.
I'm certainly not going to store my data on that part of the network.
Right.
All right.
Good advice as always.
Joe Carrigan, thanks for joining us.
My pleasure.
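One way to implement the segmentation Joe describes on a Linux-based home router, as an added example that is not part of the original episode or the guests' material: an nftables ruleset in which the IoT segment can reach the internet, the family segment can open connections to IoT devices (casting to the TV, app control), but nothing on the IoT segment can open a connection toward the family segment or the router's management ports. The interface names lan0 (family devices), iot0 (IoT VLAN or second SSID) and wan0 (uplink), and the choice of ports 22 and 443 for router administration, are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed interfaces: lan0 = family devices, iot0 = IoT VLAN
# or second SSID, wan0 = uplink. Adjust to the router's real names.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # DHCP and DNS served by the router to both segments
        iifname { "lan0", "iot0" } udp dport { 53, 67 } accept
        iifname { "lan0", "iot0" } tcp dport 53 accept
        # Router administration (SSH, HTTPS UI) only from the family segment
        iifname "lan0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Both segments may reach the internet
        iifname { "lan0", "iot0" } oifname "wan0" accept
        # Family devices may initiate connections to IoT devices
        iifname "lan0" oifname "iot0" accept
        # IoT devices may never initiate connections into the family segment;
        # the counter makes compromised-device probing visible in nft list ruleset
        iifname "iot0" oifname "lan0" counter drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` and review the live policy with `nft list ruleset`; a rising counter on the iot0-to-lan0 drop rule is the signal that something on the IoT side is probing the family network. The two-router arrangement Joe also mentions gives the same one-way isolation without any of this configuration, because the inner router's NAT already blocks unsolicited inbound connections from the outer (IoT) network.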
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.