CyberWire Daily - Mining Monero. A RAT in a 2FA app. The decline of the Cereal botnet. Markets during the pandemic. Ransomware in Taiwan. Twitter appeals to reason.
Episode Date: May 7, 2020
A new Monero miner is out and about. Hidden Cobra is pushing a RAT through a Trojanized two-factor authentication app. The rise and fall of a botnet. Markets, criminal and legitimate, react to the pandemic. Ransomware hits Taiwan. Remcos is resurgent. Michael Sechrist from BAH on where things are headed with ransomware, our guest is Rachael Stockton from LastPass on their Psychology of Passwords report. And, despite what you saw on Twitter when you were “doing your own research,” 5G does not cause COVID-19, and telecom repair crews are not agents of the Illuminati. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_07.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A new Monero miner is out and about.
Hidden Cobra is pushing a RAT through a Trojanized two-factor authentication app. The rise and fall of a botnet. Markets, criminal and legitimate, react to the pandemic.
Ransomware hits Taiwan. Remcos is resurgent. Michael Sechrist from BAH on the future of
ransomware. It's World Password Day, so Rachael Stockton from LastPass shares their psychology
of passwords report. And no, despite what you saw on Twitter when you were doing your own research, 5G does
not cause COVID-19 and telecom repair crews are not agents of the Illuminati.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, May 7th, 2020.
Red Canary reports finding a new threat to Windows machines.
It's observing a cluster of apparently related activities the company is calling Blue Mockingbird that are engaged in deploying Monero crypto miners on infected machines.
The malicious payloads are appearing in dynamic link library form on Windows systems.
Initial access is gained through exploitation of public-facing web applications,
and the most common payload is the XMRig open-source currency miner.
A new version of the Dacls remote access Trojan is being distributed by North Korea's
Lazarus Group, also known as Hidden Cobra and APT38.
Malwarebytes Labs says that this version is designed to work against Macs,
and it does so through a trojanized version of the MinaOTP two-factor authentication app,
an app used mostly by Chinese speakers,
which suggests its probable target set.
Qihoo 360 Netlab first described the Dacls RAT in December of 2019.
Botnets rise, of course, but they also fall,
especially as affected devices are patched or retired.
One long-running botnet that exploited D-Link NVRs,
network video recorders, and NAS, network-attached storage devices,
has slowly declined through this natural attrition.
ZDNet reports that the Cereal botnet, established by some otaku to download anime,
has been active since 2012.
It peaked in 2015 with over 10,000 bots in its herd, but is now almost gone.
Cereal was also driven down by some competing malware.
Cr1ptT0r ransomware suppressed Cereal infestations this past winter, which wasn't necessarily a good thing for victims.
Forcepoint now thinks it's safe to publish details on the vanishing botnet, and they've done so.
Tech firms, including some in or adjacent to the cybersecurity sector, haven't been immune to the economic pressures of the pandemic.
Here are three examples from the U.S. West Coast,
heart of the industry.
The Silicon Valley Business Journal reports that Cohesity has cut staff, and done so only a few weeks after raising $250 million in capital,
that cloud provider Nutanix has laid off almost 1,500 employees, about 27% of its workforce,
and that Cloudera yesterday confirmed that it was readying a round of layoffs.
The cybersecurity sector proper, however, while seeing a slowdown due to the caution so prevalent in the markets it serves, has proven relatively resilient under pressure.
Security needs have remained relatively stable,
and after all, security itself remains a relatively small and bearable fraction of corporate budgets,
Security Brief points out in a survey of industry observations of the sector.
The criminal market has followed opportunities opened up by the crisis.
Not only has it become commonplace that COVID-19 has been dangled all over the internets as effective phish bait,
it surfaced in a new round of attacks by familiar Nigerian gangs,
a business email compromise campaign Palo Alto Networks is calling SilverTerrier,
and Illusive Networks believes it's detected a nation-state-sponsored ransomware campaign with strong similarities to the techniques used by TrickBot.
Bots have also been causing trouble through automated applications
for emergency relief. Some of the problems with emergency relief programs are technical,
not necessarily nefarious, but rather artifacts that emerge in any rapidly expanding system
that wasn't designed to handle large volumes of requests. TechTarget reports that
the U.S. Small Business Administration will no longer process applications for payroll
protection program loans filed using robotic process automation tools. So many requests have
come in by RPA that the system was overwhelmed. But some of that activity is nefarious since RPA
tools benefit criminal as well as legitimate enterprises.
The Wall Street Journal says that the U.S. Justice Department is actively investigating fraudulent applications for assistance.
Another area where criminals see opportunity under the present state of emergency, ZeroFox reports this week,
is with compromise attempts against celebrities' accounts and attacks offering free streaming services.
Sports and entertainment figures, when their social media accounts can be turned to criminal use, can be used to drag their fans in.
And when you're stuck at home with little to do, free streaming services can be dangerously attractive.
In case you are looking for something to celebrate today, it's World Password Day.
And no matter how you and your loved ones celebrate, whether it's sending the kids searching the house for passwords written on sticky notes,
stuck to the underside of keyboards, or breaking out the boggle game to see who can generate the most complex string of random characters,
World Password Day is a good reminder to take stock of your password hygiene.
Rachael Stockton is Senior Director of Product Marketing at LastPass.
So I'm a psychology minor, and I have to say this just plays right into my interests.
And one of them is the concept of cognitive dissonance, right?
You know something is right, yet you continue to behave against it, and then you have that friction.
And that's really one of the key things that we have come up with in this report. And it's that
91% of people know that reusing passwords is insecure, that that's not a best practice.
They shouldn't do it. 66% of them still do. And this has been a consistent finding over the three years we've
been doing this report. So I think this cognitive dissonance still exists, despite people being much
more educated about the risks of password reuse and all the data breaches we hear about consumer
passwords being stolen. So how do we come at this disconnect here? Is it a technology solution? Is it a training solution or a combination of all those things?
I think the first piece there is there is a psychology behind it, right? They have to understand that there is something that they can change, a behavior that they can change.
One of the things we hear from people is why they don't want to really change their passwords or even use a solution like LastPass
is they want to maintain control. If I know it, it'll be safe. But what we also found is that
people underestimate the number of passwords that they have. They estimate that they have between
one and 20. But when we compare it to our anonymized information, people have about
40 different passwords.
This is consumers.
So the concept of I can control this by being really insecure and reusing and I'm underestimating how much I'm trying to do.
I think that's something that as humans we have to realize it's okay we don't control this.
Like phone numbers.
I don't know anybody's phone
number. I'm sorry, dad, in my phone, but I'm okay with it because I trust that I'm going to be able
to get to that. It's the same with passwords. And then once they've made that leap, there's a
plethora of ways that they can have secure passwords, easy to remember. But it's also
really interesting that people are still trying
to memorize passwords. What about the fear that some people have? I've heard this one mentioned
where if I use a password manager, well, then it's just the keys to the kingdom. If someone
gets that password, well, then they have everything. You know what? Very valid concern.
And that was one of the best things that we actually saw in
psychology of the passwords is the concept of multi-factor authentication is really going
mainstream. And so what we've seen is that in this survey, that over half of people are saying
that they're using MFA for some of their personal accounts. But you know what's worrisome? This does
bleed over to work and less than 40% are saying they're using
it at work. So I do think we do need to think about, particularly as everybody is working at
home right now, we expect this trend to continue in the future and our real lives are becoming more
and more virtual and we're opening up more accounts. This blending between work and personal
is happening rapidly.
So I think that's where we really need to see
the continued adoption of MFA on the consumer side,
but businesses have to be thinking about this more as well.
That's Rachael Stockton from LastPass.
Microsoft is tracking a surge in Remcos attacks
that it says are using COVID-19 lures to prospect organizations across many sectors.
Remcos is a remote administration tool marketed for various legitimate purposes, but it's been widely used in criminal and espionage campaigns as a RAT.
The phishing is pretty much a dead giveaway with respect to intent.
And finally, Twitter is still trying to control
the rumor that 5G causes COVID-19. One would have hoped the odd belief that cell towers are
somehow the cause of coronavirus infections would have now passed its expiration date. Alas, no.
Twitter is still grappling with the dissemination of that particular theory,
often linked by the credulous to suspicion that the whole matter is linked to a deeper conspiracy
to cull the herd, to prepare for some horrendous world order of social control,
and that fear exists in left, right, and center forms.
The Telegraph says that Twitter's most recent approach to the rumor
is to prompt people who tweet it to read an official British report debunking the cell service origin theory,
which is so direct and almost charmingly naive, and we mean naive in the best possible sense of the word, that one wishes them all success.
Why not give the invisible hand of the marketplace of ideas a chance to work its magic?
Give reason a chance?
This particular bit of misinformation is dangerous not because it's affecting treatment or compliance
with public health advice.
It's dangerous because it's inspired people to vandalize cell towers.
An ex-Googler told The Telegraph in an earlier piece that he sees structural problems with
social media that tend to cause misinformation cascades.
He's concerned mostly with YouTube and sees the algorithmic push to optimize watch time at all
costs as fostering the propagation of spectacularly false and spectacularly attractive content.
Substitute engagement for watch time to generalize the problem.
The problem has involved more than just vandalism. Some telecom maintenance
workers in the UK were attacked by locals who accused them of setting up the virus infrastructure.
One almost wishes for a return of alien invasion conspiracy theories. At least you'd know what to
say. Klaatu barada nikto. See, you can learn things from television. A true otaku would add,
But that's just gravy.
Or so we hear from the old 5G.
We're kidding, of course.
We're kidders.
We like to kid.
And I'm pleased to be joined once again by Michael Sechrist.
He's the chief technologist at Booz Allen Hamilton.
Michael, it's great to have you back.
I wanted to touch on where you think things are headed with ransomware.
We're kind of in an interesting situation right now dealing with the global pandemic,
and that puts different pressures on people all over the globe.
Yeah, thank you so much for having me back.
It certainly does.
Like we've seen, cyberspace is an extension of the physical world.
So as we deal with strains and crises going on with COVID-19,
we're seeing kind of an influx of COVID-19 potentially related
activity in cyberspace. And generally, the attackers have, you know, see some kind of
opportunity here. And they're seeing, one, they're seeing weakness on corporate environments,
on federal environments, government environments, where, you know, they are having difficulty potentially with, you know,
work from home capabilities, with availability, with being able to kind of baseline activity.
So that's kind of one, you know, thing that the attackers will see. The other thing they'll have
is they'll have a motive, right? They'll have a more of a need potentially for actually just money
for goods and services to operate and continue
their activity. And that's going to change. And the other thing is they have more time on their
hands generally. If they're potentially confined as well, basically having access to potentially
a device that allows them to get access to funds or to do things that they need to survive, they're going to probably take advantage of that.
So you have this kind of like this storm brewing
that they're going to use to their advantage.
And ransomware is certainly on that list.
We've seen the COVID.
There was a map of COVID-19 infections that was being distributed
that produced potentially a malware infection
that would drop a particular variety of ransomware that they were calling CovidLock,
which was related to obviously the campaign here. We're seeing, you know, other ransomware,
you know, going after groups like Epiq Global, which is a legal services provider,
falling victim to a large ransomware attack.
We're seeing other kinds of ransomwares continue to be dropped
through malspam campaigns,
through compromising cloud backup providers.
So this will not slow down.
Yeah, you bring up an element that I hadn't really considered,
which is that we're going to have people who have technical abilities who are not going to be working.
And so out of desperation, perhaps, you know, they could find themselves with a little more moral flexibility than they had before when it comes to spinning up some of these kits to make ends meet.
That's right. Yeah. And, you know, there was previously interviews with some cyber criminals
where they will literally talk about, you know, the need to support their family or treating this
as also a day job that they go and perform to bring in, you know, money in for their family.
And so you can't think of that and not relate it to the current environment.
You've got, again, folks that this was potentially a source of income now completely almost relying
on not being able to move in certain environments and likely going to use that as an attack
vector.
Yeah.
All right.
Well, Michael Sechrist, thanks for joining us.
Thanks so much.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett
Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave
Bittner.
Thanks for listening.
We'll see you back here tomorrow.