CyberWire Daily - More intelligence on Ghostwriter, and a convergence of hacking and influence operations. Naikon APT has a new backdoor. FluBot returns. MAPP reconsidered. Defense counsel on Cellebrite.

Episode Date: April 28, 2021

Ghostwriter is back, and has moved its “chaos troops” against fresh targets in Poland and Germany. The Naikon APT has a new secondary backdoor. FluBot, temporarily inhibited by police raids, is back, and expanding its infection of Android devices across Europe. Microsoft is rethinking how much, and with whom, it wants to share vulnerability information. Joe Carrigan examines a phone scam targeting Amazon Prime customers. Our guest is Tzury Bar Yochay of Reblaze on open-source software and scalability. And Signal’s discovery of Cellebrite issues is finding its way into court. For links to all of today's stories, check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/81

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ghostwriter is back and has moved its chaos troops against fresh targets in Poland and Germany. The Naikon APT has a new secondary backdoor. FluBot, temporarily inhibited by police raids, is back and expanding its infection of Android
Starting point is 00:02:13 devices across Europe. Microsoft is rethinking how much and with whom it wants to share vulnerability information. Joe Carrigan examines a phone scam targeting Amazon Prime customers. Our guest is Tzury Bar Yochay of Reblaze on open source software and scalability. And Signal's discovery of Cellebrite issues is finding its way into court. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 28th, 2021. Several security companies have released news about revived threats. We'll run through a few of the more prominent discussions.
Starting point is 00:03:09 FireEye's Mandiant unit this morning updated its research into Ghostwriter, an influence operator that came to attention last year as it sought to affect public opinion in Latvia, Lithuania, and Poland. Its messaging then was anti-NATO. The campaigns of 2020 relied upon artlessly crude forgeries and implausible rumor-mongering. But of course, disinformation doesn't need to be art as long as it can get the right amplification, which Ghostwriter worked to accomplish.
Starting point is 00:03:40 It was easy for officials to quickly debunk such hogwash as the claim that Canadian soldiers were spreading COVID-19 or that an internal memo circulating in the Polish Ministry of Defense called for resistance against an American army of occupation, a forged memo helpfully provided hijacked social media accounts used to lend plausibility to a very implausible narrative. CyberScoop offered a useful account of these efforts at the end of last July, but of course lies can have a bit of a run if they're provided with a head start. In any case, Ghostwriter has now expanded its thematic content to include disruption of domestic Polish politics,
Starting point is 00:04:22 and also, according to Tagaschau, credential theft attacks on German political figures. FireEye believes the threat actor it tracks as UNC-1151 operates some portions of Ghostwriter. The firm characterizes UNC-1151 as a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns. Tagesschau calls the attackers chaos troops, which is apt enough for an operation that aims at disruption. At least seven members of Germany's Bundestag have received phishing emails, as have some 30 members of the Lender Assembly, that is, the state-level legislators. German authorities are taking activity seriously.
Starting point is 00:05:10 FireEye, as is its practice, doesn't attribute Ghostwriter explicitly to any government, but the firm does note that its activities are aligned with Russian security interests. This isn't, it appears, just prim policy on the company's part, but rather a recognition of the inherent challenges of attribution. FireEye writes in their full report, quote, at this time, we do not attribute the Ghostwriter campaign to a specific actor or group of actors. Instead, we refer to Ghostwriter as an activity set, with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.
Starting point is 00:05:51 The report goes on to say, It appears, based on the limited public information available regarding the website compromises we've tied to Ghostwriter, that the actors behind the campaign are relatively well-resourced, either directly possessing traditional cyber threat capabilities themselves or having ready access to operational support from others who do. It is plausible that Ghostwriter operations are conducted by overlapping actors or groups that are also behind other influence campaigns or incidents of cyber threat activity, end quote. FireEye doesn't say as much, but the Ghostwriter actors do prowl and growl like bears. But their study is interesting as
Starting point is 00:06:33 a case study in careful study of espionage and influence campaigns. Attribution is inherently difficult. Operational style rarely amounts to dispositive evidence. In American targeting jargon, this sort of evidence amounts to a set of possibly related target indicators, not clearly discerned targets. Bitdefender reports a new approach by the NACON APT, a group it associates with the Chinese government. Active for more than 10 years, NACON focuses on government and military targets in South Asia. It's now deploying a secondary backdoor, Nebulae, which Bitdefender believes plays an important role in the APT's persistence in victim networks.
Starting point is 00:07:19 FluBot, temporarily bopped when Spanish police arrested several of the hoods associated with the Android malware earlier last month, is back and expanding its geographical reach, Proofpoint reports. New infestations have been observed in the United Kingdom, Germany, Hungary, Italy, Poland, and Spain. Proofpoint expects FluBot to reach North America soon. FluBot infections begin with an SMS message baited with a bogus notification from a spoofed delivery service. Should the victim swallow the hook, FluBot installs a payload on their device that includes spyware, an SMS spammer, and credit card and banking credentials stealers.
Starting point is 00:08:00 According to Bloomberg, Microsoft is rethinking how it shares information with the 81 corporate members of the Microsoft Active Protections Program. Redmond suspects that some participants may have tipped off hackers when Microsoft gave MAPP members early warning of the vulnerabilities Hafnium rapidly exploited and that were swiftly taken up by cybercriminals. Microsoft and most others regard Hafnium as a Chinese government threat actor. While Microsoft continues to see many advantages in MAPP, it's reconsidering how much and with whom it ought to share in the future. At present, suspicion centers on two Chinese firms that participate in MAPP. Bloomberg asked the Chinese government about the incident and received the pious bromide
Starting point is 00:08:45 one might expect, quote, China resolutely opposes any form of online attacks or infiltration. This is our clear and consistent stance. Relevant Chinese laws on data collection and handling clearly safeguards data security and strongly oppose cyber attacks and other criminal activity. End quote. Beijing also offered some instruction for the media, and strongly oppose cyberattacks and other criminal activity. End quote. Beijing also offered some instruction for the media. Quote, We hope the media adopts a professional and responsible attitude, relying on comprehensive evidence when determining the nature of cyberspace events,
Starting point is 00:09:18 but not groundless speculation. End quote. So, okay then. And finally, inevitably, the vulnerabilities in Celebrite's forensic tool that Signal recently exposed have found their way into the courtroom. Vice reports that defense attorneys for a convicted robber whose collar was enabled by data obtained using Celebrite have entered a motion for a new trial. obtained using Celebrite have entered a motion for a new trial. The lawyers argue, quote, in essence, internal security on Celebrite devices is so poor that any device that is examined may in turn corrupt the Celebrite device and affect all past and future reports. They also argue that, quote, a new trial should be ordered so that the defense can examine the report produced by the
Starting point is 00:10:03 Cellebrite device in light of this new evidence and examine the Cellebrite device itself. This is, as Gizmodo suggests, unlikely to be the last motion of this kind. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:41 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
Starting point is 00:11:13 into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado.
Starting point is 00:12:09 Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:12:57 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. There's a popular philosophy that making use of open-source software not only has the potential to save time in your development process, but can lead to more secure outcomes as well. Tzury Bar Yochay is co-founder and CTO of security company Reblaze, and he believes that for security, open source software is the way to go. When it comes to cybersecurity, you should aim to use, as much as possible, open source frameworks, open source platforms, and open source software.
Starting point is 00:13:51 The reason is, when you use open source, the obscurity is a factor you remove from the equation. And if there is a bug, say a security bug, a vulnerability within the framework, the platform, the tool you're using, most likely with the popular open source it will be fixed and corrected, even discovered, quicker than within any other proprietary alternative. Open source today in security is actually used, I would say, almost everywhere, anywhere. If you're looking at TLS, SSL, HTTPS, secure web application, secure website, secure API, most likely the underlying software used is either OpenSSL or LibreSSL or any other implementation, all of which are open source. Encryption, common encryption methodologies and techniques and algorithms, are all open source. So it's everywhere,
Starting point is 00:14:46 and most of the cases so far that we have been looking at vulnerabilities were taken advantage by hackers by i would say by malicious activities those actually were made exploiting those actually were made exploiting and taking advantage of a time window of which the used software was known to have vulnerability, such as a CVE disclosure, and yet it took time for the organization to patch, to fix, to correct their platform, to update their platform, and to prevent against that, what was up until that point, a zero-day attack. So again, with open source, things are done usually quicker and faster. And when you hear that folks are resisting the use of open source, what is typically the argument there? I barely hear those voices, to be honest.
Starting point is 00:15:49 I can imagine people still thinking that security by obscurity is still a thing, which obviously it isn't. So for them, proprietary is like a smokescreen that makes things harder for hackers to break in, which is not the case. That's Zuri Bar-Yohay from Reblaze. Cyber threats are evolving every second, and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Joe Kerrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Starting point is 00:17:20 Hello, Joe. Hi, Dave. You know, over on Hacking Humans, you and I cover a lot of stories about scammers and scams and people being victimized by these folks. And I want to highlight one of those stories. This is from the Chicago Tribune article written by Kimberly Fornick, and it's titled, Indian Head Park Woman Loses $48,000 in Amazon Prime phone scam that took a month to unfold, Sun says. Right.
Starting point is 00:17:49 What's going on here, Joe? So what happened was actually this woman was brought to police attention in early March, on March 4th, when she went to a grocery store and purchased two $500 gift cards. She's an older woman. She is 87 years old. And the clerk, who is actually kind of an unsung hero in this story, the first thing this clerk does is call the cops and go, look, I think this lady is getting scammed out of some money because generally 87-year-old women don't come in here and buy two $500 gift cards.
Starting point is 00:18:27 And the police managed to find this woman. They went to her house and the woman was adamant, absolutely adamant that she had purchased these gift cards for family members. But come to find out what had happened was she was a victim of an Amazon scam. And we're seeing these more and more in the news. People say, scammers call you up or notify you and say, hey, there was a big purchase made on your account, and we need to work this out, right? And I don't even know if this woman has an Amazon account. Maybe she does. Maybe she doesn't. But the scammer said it was a $600 purchase, and then it became a $6,000 purchase. And somehow he managed to get her to start sending
Starting point is 00:19:06 gift cards to him. And he was saying, look, if you don't help me out here, I'm going to get fired. Right. So he was playing on this woman's sympathies, her desire to help people, along with her fear of having to owe money for something she didn't do. But in the end, this guy had managed to get her to send him $48,000 worth of gift cards by constantly telling her, these gift cards, I can't access the money because you purchased them with cash. This is things that absolutely don't make sense to me, right? These are non sequitur statements. But to somebody who's not familiar with how gift cards work, it may make sense. It may be some kind of thing that you can wrap your head around or some kind of model that you can fit in there to complete the thing. But it's important to remember.
Starting point is 00:19:54 It's important that we have to educate these people. Oh, well, one thing I want to say about this story is that this scammer did a remarkably good job at isolating this woman. She did not talk to people about it. She, when the cops showed up and asked her about it, she was prepared by the scammer. She was groomed by the scammer to say, no, no, I'm buying these for a family member. Even though this, because the scammer knows
Starting point is 00:20:18 that's what's going to happen is somebody's going to say, who are you buying this for? And the scammer says, you tell them that you're buying it for a family member, regardless. Right. Whatever they ask. You don't want me to get in trouble. You don't want me to lose my job. Right. Yeah. This is a gift card scam with a new angle. And I think maybe that's why they're going after it is because Amazon does accept gift cards, but they have to be Amazon gift cards. So maybe they're instructing this woman, go out and buy some Amazon gift cards because you can walk into any store and buy Amazon gift cards. So maybe they're instructing this woman, go out and buy some Amazon gift cards because you can walk into any store and buy Amazon gift cards. And if I'm pretending to be from Amazon,
Starting point is 00:20:50 that might be a plausible scam. Yeah. And I guess part of what we're after here is trying to get the word out to your loved ones. Most of us are probably in a situation where we're providing tech support for many of our family members who may not be as, you know, sophisticated when it comes to devices as we are. And so part of that is educating them that if anybody asks you for anything having to do with a gift card, that is a big red flag. Right. Absolutely. And the problem here is that this, this woman was isolated. So you have to get out there now and tell people about this.
Starting point is 00:21:30 Because once, once the scammer gets, gets their talons into the victim, they're not letting go, you know, they're there and that, and that victim is probably never going to tell you about it. Which is,
Starting point is 00:21:42 which is the way these guys want it. They want this to be an under the rug kind of event, you know? Yeah. In this case, the woman's son found out what had happened and he was the one who went back to the police. Right. And as you mentioned earlier, she'd been conned out of $48,000. $48,000. And there's probably nothing she can do to get that money back. Nope. Nope. All right. Well, go out there, tell your friends and family, remind them to be aware of these sorts of things.
Starting point is 00:22:11 And, you know, gift cards are a red – you know, it's funny, Joe. I was at the local Home Depot just last week. I was buying some stuff to, you know, prep my gardens for spring. And right there next to the checkout was a sign that talked about gift cards. Yeah. Actually, I had the exact same experience at Lowe's. Both Home Depot and Lowe's have these signs up, I guess. Yeah. It's a big sign that says that this is a scam. And good on Home Depot and Lowe's. If someone has asked you to buy gift cards, it's likely a scam. That's right. Thank you, Home Depot and Lowe's for putting those signs up. That's fantastic. Yeah. Yeah. It's a shame it's gotten to that point where it's necessary, but
Starting point is 00:22:50 here we are, right? Yep. Absolutely. All right. Well, Joe Kerrigan, thanks for joining us. It's my pleasure, Dave. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
Starting point is 00:24:26 insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
