CyberWire Daily - More Eternal exploits found more troublesome. Cryptominer updates. NIST SP 800-171. Paycard skimmers. Tsunami false alarm.
Episode Date: February 6, 2018
In today's podcast, we hear that the Shadow Brokers' exploits have now been found to be more exploitable. Cryptocurrency miners are recognized as a problem: MacUpdate sustained a brief infestation late last week, and a new Android mining campaign takes a page from Mirai's playbook. Smominru botnet rakes in $3.6 million. T-Mobile warns of SIM-hijacking. Comment period extended for NIST Special Publication 800-171. New paycard skimmer found in Pennsylvania stores. Emily Wilson from Terbium Labs on tax fraud issues. Guest is Woody Shea from Covata on S3 bucket leaks. And a tsunami false alarm on the US East Coast.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Cryptocurrency miners are recognized as a problem. MacUpdate sustained a brief infestation last week,
and a new Android mining campaign takes a page from Mirai's playbook.
The Smominru botnet rakes in $3.6 million.
T-Mobile warns of SIM hijacking.
The comment period's been extended for a NIST special publication.
A new paycard skimmer's been found in Pennsylvania stores.
And there's been a tsunami false alarm on the U.S. East Coast.
I'm Dave Bittner with your CyberWire summary for Tuesday, February 6, 2018.
EternalSynergy, EternalRomance, and EternalChampion, all leaked last year by the Shadow Brokers and used in the NotPetya pseudo-ransomware attacks, have since taken a back seat in terms of public awareness to EternalBlue.
But researchers at security firm RiskSense have found that these three exploits work against all unpatched versions of Windows from Windows 2000 on.
The exploits, which the Shadow Brokers claim to have obtained from the U.S. National Security Agency's Equation Group, may be just as easy for attackers to use as the hitherto more popular EternalBlue bug.
This discovery should spur laggards, and there are many, who have yet to apply patches Microsoft issued last March.
All of the Eternals are in the Metasploit framework, and again, they've all been patched.
Cryptocurrency mining continues its unpleasant run through victim systems.
People are saying that miners have become malware, but they've always seemed like malware to us.
What else would you call a program you didn't intend to install that uses your system's resources and that does you no good?
We call it malware.
Yes, you may call it a potentially unwanted program, a PUP, if you must, but whatever you call it, it still stinks. Here are some of the latest notes on this problem.
On February 1st and 2nd, the MacUpdate site was briefly infested with a crypto mining malware.
MacUpdate has apologized and expelled the malicious software, but users who downloaded updates at the beginning of the month should check their systems.
Security company SentinelOne reports that criminals seem to have gotten into the site and installed a dropper based on the Platypus development tool to download a crypto miner from Adobe Creative Cloud Services.
The malicious apps were crafted to affect OnyX, Firefox, and Deeper users.
They're gone now, but if you were in MacUpdate at the beginning of the month, take a look at your system.
Security researchers at Qihoo 360 Netlab warn that a new Monero crypto mining botnet is hitting Android devices in the wild.
It infects them through port 5555, which is used by the legitimate debugging tool Android Debug Bridge.
The worm is interesting, and 360 Netlab is calling it a worm, because it seems to be using some of the same scanning code found in the Mirai botnet.
Most of the infected devices so far are found in China and South Korea.
Proofpoint researchers have an update on the Smominru crypto mining botnet.
By the estimates the security firm has compiled, the hoods behind the botnet have now amassed more than $3.5 million in Monero cryptocurrency.
T-Mobile has issued a warning of an active SIM hijacking campaign.
The warning takes the unusual form of a mass text message.
In the phone number port-out scam, the crook either calls a phone provider or visits the store to request a new SIM card for their victim's phone number.
Once they have it, they can further exploit the victim.
Most carriers will give their customers a phone passcode or a PIN to help protect them against this fraud.
We hear regular reports of Amazon S3 data buckets being inadvertently left open to the world. Woody Shea is chief technology officer at Covata, a data security firm, and he provides some background on why this problem is more common than it should be.
Yeah, I guess it's the law of averages, right? So you have these admins putting information into these S3 buckets. It's really just a single layer of security at that point. You know, they are in charge of granting access or not to the S3 bucket. The law of averages says that, you know, eventually somebody is going to slip up. And we're seeing that happen quite a bit, you know, just because so much information is in these buckets.
And is this a matter of people not properly setting the access restrictions? And I guess the other question is, why wouldn't they be set to be more restrictive by default?
I believe they are set to be fairly restrictive by default. It's more that humans are imperfect. You know, it's very similar, in my mind anyway, to a Freudian slip or, you know, that time that you drive home and don't really remember driving home after work. You know, at some point, somebody's going to need access to that information and you're just going to go on autopilot or make a mistake and open it up to the world. And I mean, there's just so many people using this and so much data in there. It just has to happen. You know, there's no other alternative, just law of averages, right?
And so are there folks out there actively searching out for these open buckets? So the notion of security by obscurity doesn't really apply anymore?
Yes. Yeah. And that was sort of where we started. The VP of security here at Covata and I were talking and he ended up posing a writing prompt to me. He said, there's so much stuff on the internet here. How are people finding these S3 buckets that are open? And the answer is there are a number of tools starting to come out specifically for scanning S3 buckets, but the bucket naming convention is very similar to, possibly identical to, subdomain naming. And there are definitely many tools out there for scanning for subdomains. That's actually where I started was, okay, let me collect these tools and see how easy it is to find exposed data. And it turned out to be way easier than I thought.
So if you're someone who's using one of these S3 buckets, is there an easy way to activate an additional layer of protection for yourself, to protect yourself against yourself?
Yes and no. So that's a really complex question, I think. So what you really want, and what we saw in previous years, if you will, is layers of protection. On-premises, you had the firewall, then you had system permissions, and then maybe you had permissions within the application that the system was in, and those might be mutually exclusive depending on how the application is set up. But you had at least two layers. So if you accidentally opened things up on one of those layers, the other one would be there. And traditionally, it would be two different people controlling those two layers, right? You had your network admin managing the firewall, and then you had your data owner or system admin managing the access controls on the application. In the cloud, we're really not seeing that second layer. Now, the S3 buckets, you can, but it's not very intuitive. And everyone just sort of by default has access to the multiple layers. And I would say cloud services as a whole are moving towards this, but they're not there yet. But you really do need those separation of duties. You need one person sort of providing swim lanes, if you will, right? Here is a group of people that you might want to share with or you're allowed to share with, and then the data owner within that, okay, this file will actually go to that person. And yes, that's within the swim lane. So that's allowed. And it's just not quite there yet. So what happens is if you have access to AWS systems, you also have access to the AWS firewall. So it's hard to maintain those separations of duties.
That's Woody Shea from Covata.
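The interview above describes how an admin on autopilot opens a bucket to the world and how little stands in the way once that happens. As an added example, not code from the podcast or from Covata, here is the self-check a bucket owner can run to catch that slip. It operates on two constructed inputs shaped like the responses of boto3's get_bucket_acl() and get_bucket_policy() (the bucket name, owner ID and VPC endpoint ID are made up): it flags ACL grants to the AllUsers and AuthenticatedUsers groups, and policy Allow statements whose Principal is everyone and that carry no Condition.

```python
"""Audit an S3 bucket ACL and bucket policy for public access.

Added example (not from the CyberWire episode or from Covata). The two
inputs below are constructed to match the shape boto3's get_bucket_acl()
and get_bucket_policy() return; a real run would fetch them with those
calls instead of using the samples.
"""
import json

# Canned grantee URIs that make an ACL grant world-readable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, still "public"
}

# Constructed sample: a bucket whose ACL was opened up by mistake (IDs are made up).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: one over-broad statement, one scoped to a VPC endpoint.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OopsPublic", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def public_acl_grants(acl):
    """Return (uri, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"], grant["Permission"]))
    return hits


def _principal_is_everyone(principal):
    """'Principal': '*' and {'AWS': '*'} both mean anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements open to everyone with no Condition.

    A Condition (VPC endpoint, source IP, and so on) narrows '*' and is not
    reported here; those statements still deserve a manual look.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given bare
        statements = [statements]
    return [
        s.get("Sid", "<no Sid>") for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_everyone(s.get("Principal"))
        and not s.get("Condition")
    ]


def audit_bucket(acl, policy_json):
    """Combine both checks into one list of findings for a bucket."""
    findings = [f"ACL grants {perm} to {uri}" for uri, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid} allows everyone"
                 for sid in public_policy_statements(policy_json)]
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", finding)
```

In a real audit the inputs come from s3.get_bucket_acl(Bucket=name) and s3.get_bucket_policy(Bucket=name)["Policy"] for each bucket returned by list_buckets(); get_bucket_policy raises a ClientError with code NoSuchBucketPolicy when no policy exists, and per-object ACLs can still be public when both bucket-level checks come back clean. The account-wide second layer Shea says is missing, S3 Block Public Access, was added by AWS in November 2018, after this episode aired; where it is enabled it overrides public ACLs and policies regardless of what an individual admin sets on a bucket.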
Apple and Cisco have partnered with insurance giant Allianz in an arrangement that will give Allianz customers lower cyber insurance rates if they use certain Apple and Cisco products.
U.S. federal agencies and their contractors prepare to implement NIST information sharing guidelines.
NIST's special publication 800-171 was intended to take effect on January 1st of this year,
but the deadline for figuring out how to comply has been extended.
NIST is now taking comments from the public on SP 800-171 until June of this year.
Attention Pennsylvania shoppers.
Take a look at that pay card terminal before you swipe, especially if you're using a debit card.
Police are looking for two hoods who've been caught on surveillance cameras installing overlay skimmers on customer-facing scanners of the kind you see in checkout lines everywhere.
The two crooks were seen putting them in place at a few Aldi supermarkets.
The card skimmers are thin, convincing, and snap on in seconds.
They steal debit card PINs.
Retailers should remind their people to keep their eyes open.
And finally, a couple weeks ago, fumbled tests of emergency alert systems in Hawaii and Japan resulted in false alarms of a missile launch, presumably from North Korea, that set off brief, fortunately minor, panics.
They weren't the results of cyberattacks, but they did expose problems with the systems.
There was a similar oops this morning on the U.S. eastern seaboard when a National Weather Service test of a tsunami warning system found its way into AccuWeather and other outlets.
Parents and children in the mid-Atlantic states who were checking for advance word of school closings in response to tonight's expected ice storms were instead surprised to get an alert telling them to hightail it for high ground.
It was all a mistake and quickly retracted and corrected.
We've looked out the window and can report there's no tsunami surge up the Chesapeake.
Not yet.
Sorry, kids, you'll have to wait for that promised ice storm if you're hoping for a day off.
And joining me once again is Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, welcome back.
Good to be back.
Thank you for having me.
I'm enjoying the new office space.
Oh, well, thank you very much. It's radio, so we don't get to talk about it very much. But yes, we're enjoying our time here at DataTribe as well. So a new year is upon us, and that is usually a time for predictions. But you wanted to make the point that when the new year kicks off, that is when we start seeing people rev up their efforts at tax fraud.
Yes, it is one of the most wonderful times of the year on the dark web. Everyone still loves Black Friday. But yeah, this is, I mean, when you think about it, this is everything the dark web fraud community loves, right? You get to steal other people's money and you get to steal it from the government. It's a cause everyone can get behind.
So how does that play out? What do you see on the dark web when it comes to people going at this?
Sure. So we see a couple of things. One, there's the information that's available all year round that gets remarketed for tax season. This is your fullz, your full identities, your tax fraud guides, hopefully walking you through step by step, other personal information, socials and what have you, and then a couple of things that become more particularly relevant around tax fraud season. This is your W-2s, your EINs, that sort of thing.
I see. Now you mentioned there was something you saw called infant fullz. Describe that for us.
Sure. So this is one of the few times, really one of the only times, that we see the information of children being brought into play on some of these markets. As I've mentioned before, a lot of the material you tend to think of for children on the dark web, child exploitation, is really kept separate. These communities are really discrete from one another. But we do see, we saw a couple of years ago and again this year, information of children being sold for tax fraud purposes. So in this case, what we saw were infant fullz being marketed. And this is a baby, right? So they can't have but so much information. But you're talking about a name, social, date of birth, some information about the mother. A couple of years ago, we saw children's socials being sold. So the socials of a child and both parents, you can get a nice little family pack. And these are marketed explicitly for tax fraud. That's really the only time of year we see them.
And is there anything you're expecting that's going to be new this year? Is it more of the same? Do we expect it to ramp up? Is this one that people are getting a better handle on?
I think this is one that we're going to kind of see progress steadily. But I think every year, you know, the IRS makes just a couple of tweaks and there are guides there ready to kind of handle those tweaks. And really, there's not a lot that can be done about it. That's the hard thing. The only thing you can really do is try and get your return in before the criminals get to you. And even then it's luck of the draw whether or not it's your information they have on hand.
Wow. All right. Good advice. Be careful as always.
Emily Wilson, thanks for joining us.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky,
Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
