CyberWire Daily - New criminal campaigns out and about. Fancy Bear changes style, but not management. VPNFilter hits more devices. CloudPets overshare, but maybe more benignly than Google and Facebook.
Episode Date: June 7, 2018
Iron Group said to use Hacking Team source code to build a backdoor. Operation Prowli both cryptojacks and sells traffic. Fancy Bear may be getting noisier. VPNFilter has a more extensive set of victim devices than previously believed. ZTE pays a billion dollar fine. CloudPets are oversharing via an unsecured server. The US Senate wants answers from both Facebook and Google about their user data sharing with Chinese companies. Daniel Prince from Lancaster University on the security of Industrial Control Systems. Guests are Kyle Lady and Olabode Anise from Duo Security covering their annual report on authentication.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Iron Group said to use Hacking Team source code to build a backdoor. Operation Prowli both cryptojacks and sells traffic. Fancy Bear may be getting noisier.
VPNFilter has a more extensive set of victim devices than previously believed. ZTE pays a
billion-dollar fine. CloudPets are oversharing via an unsecured server. And the U.S. Senate
wants answers from both Facebook and Google about their user data sharing with Chinese companies.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 7, 2018.
Intezer researchers say they've found a backdoor in the wild that's based on Hacking Team tools.
The security firm says that the Iron Group, which they suspect of being a Chinese criminal gang, is behind the
backdoor. Iron Group's code is based on Hacking Team's leaked RCS source code. Most of the victims,
as well as the perpetrators, appear to be in China.
Guardicore Labs describes Operation Prowli, a campaign that manipulates traffic and mines cryptocurrencies.
There are roughly 40,000 infected machines in a wide range of organizations and sectors.
Guardicore regards Prowli as a straight-up criminal caper, not something mounted by a nation-state.
They get paid in two ways.
First, through cryptojacking, installing a cryptocurrency miner
in victim machines. And second, they also earn some change through traffic monetization fraud,
in which the Prowli operators sell traffic for routing to various dodgy domains,
many of which hawk hemi-semi-demi bogus goods or services, or simply distribute malware.
Guardicore has seen two principal attack vectors: a worm that propagates through machines running
SSH, and Joomla servers whose K2 extension renders them vulnerable to a file download bug.
To defend yourself, Guardicore recommends patching, hardening, and if you are hit, changing
credentials as part of the mop-up.
Palo Alto's Unit 42 thinks the Sofacy group is quietly changing its tactics.
Sofacy, generally regarded as belonging to Russia's GRU,
also known as Fancy Bear, Pawn Storm, Sednit, or Tsar Team,
had tended to prospect a small number of selected individuals within a targeted organization.
They also tended to use the same
exploits and malware against those individuals. For all of Fancy Bear's reputation for being noisy,
this is a relatively unobtrusive approach. But now, Unit 42 sees the group adopting parallel attacks,
a shotgun approach to many more individuals. They're also using a more diversified set of
exploits and malware,
presumably to achieve higher infection rates. All in all, the new approach reminds observers more of a criminal gang's work than a nation state's intelligence service.
But don't be deceived. This is a change in style, not management.
Duo Security recently published the results from their third annual Trusted Access report, comprising data from nearly half a billion authentications per month and almost 11 million devices.
Kyle Lady and Olabode Anise both worked on the report, and they join us to share the results. We hear first from Olabode.
One of the major things of this report, or major points of research, was trying to look into, like, what are some of the behaviors of users?
Like, can we, we had a hypothesis of people are working more remotely, people are more
mobile.
We wanted to see if that would bear out in our data.
And we did find that our hypothesis was validated and that people are authenticating from more
unique external networks.
So we saw a big increase, especially in the enterprise space,
about 24% of people in terms of looking at the ratio
of unique external networks that were accessed to users
for each one of our customers
in each of the market segments.
So that was particularly interesting
because it kind of goes to the point of like,
let's allow people to work where they work best,
whether that's a coffee shop, whether that's their home or some other area.
Of course, that does present some different challenges for an IT admin, but that was one of their bigger points.
The other thing was, I guess the next point was the Windows 10 adoption.
We saw a huge increase in Windows 10 adoption going from 2017 to 2018, almost hitting that 50% mark, but not quite yet. And last, we saw that phishing was
still as effective from the data that we gathered from the Duo Insight phishing simulation tool.
Now, do you find that folks out there have common misconceptions when it comes to authentication?
A lot of times people don't see the value in additional security measures. And a lot of that is a communication
question. A lot of users don't understand the threats that are out there. That said,
they shouldn't have to have a comprehensive understanding.
Now, one of the things that your research pointed out, as you touched on, was the prevalence of phishing and how successful it is.
One of the things that caught my eye was how quickly people who are phishing are successful.
Yeah, that's one of those interesting things, especially when you have
maybe a well-crafted phishing email that's not just like a spear phishing template. I don't
think it's a matter of someone being really negligent in a way, but more so just trying
to get their work done. They see, hey, maybe this is an email from my boss or a superior or something that needs to
get done. So let me try to access that email, do it as quickly as possible. So I think it's one of
those things where, of course, you have to increase user education in terms of phishing and trying to
be able to identify some of the signals of, okay, maybe this is not the website I'm supposed to be
on. But that can be a little bit more difficult depending on the environment or the particular device that you're using.
Of course, like when you're on a desktop, you can hover over a link and say, okay, that is not the internal page that I'm expecting from this link.
Versus when you're on mobile, it's a little bit more difficult.
We see with all of these password leaks, while passwords are certainly important as a first factor, if you've ever reused a password, there's an increasingly good chance that it's out there somewhere.
And so having this second factor at least stops an attacker and, depending on the system, hopefully alerts your administrator that somebody was trying to get into your account
and that they already have your password. Now, was there anything based on your report,
the research that you did, was there anything that was particularly surprising? Were there
any unexpected results that came back? I guess one of the things that we were kind of surprised at
was kind of the big kind of jumps that we saw in terms of remote access. We expected increases, obviously.
In our report, we see that very small businesses had the smallest increase,
but they were already the most mobile in terms of market segments.
And which kind of makes sense in terms of when you look at,
these are very small businesses, so you maybe expect a remote team that's distributed.
So they may be accessing from their home or a coffee shop and things like that.
But it seems like the really big gains in enterprise show that people are moving to
the cloud. They're allowing people to work from where they want to, or they're moving applications
to the cloud. Even though it was something that we thought, we didn't know that those
increases would be as big as they were. Another surprising result was actually seeing this increase in Windows 10, which is really encouraging. It
almost doubled over the past year. This is in particular encouraging because Windows 10 has
a lot of security improvements, just simply as a baseline, as well as then you're setting yourself
up for that many more years of updates before it's obsoleted. And so seeing that more businesses are
using Windows 10 than other versions of Windows is definitely a positive result that we saw.
That was Kyle Lady. We also heard from Olabode Anise. They're both from Duo.
You can check out their authentication report on the Duo website.
VPNFilter is not only attempting to reconstitute its botnet of routers,
but it's now been found to infect more models than it had formerly captured.
Cisco's Talos unit has found infestations in Asus, D-Link, Huawei, Ubiquiti, Upvel, and ZTE devices.
Seeking to return to American good graces,
ZTE pays a $1 billion fine and replaces its leadership.
So China's number two device maker seems to have gotten a reprieve,
but suspicion continues to surround it.
Several retailers have pulled CloudPets from their physical and virtual shelves.
The plush toys share audio messages in a cloud, which is fine,
but those messages transit an unsecured MongoDB server,
a known issue, as the kids in IT say, for some time.
This reminds us somehow of the earlier problem with Furbies,
bestsellers in the 1998 Christmas season.
By the middle of January 1999,
the Scrooges and Grinches, who then ran Fort Meade, made everyone in NSA leave their Furby
friends under the trees. Furbies, it seems, tended to repeat the things they heard.
As the Washington correspondent of The Independent put it at the time,
having endearingly asked for a cookie, the Furby might then suggest
bugging the Russian embassy and intercepting wireless traffic from the Iraqi military.
No mistletoe for you, Mr. and Mrs. Cratchit, not if you want to keep that clearance.
No, wait, that's right, the Cratchits work on the other side of the pond,
not in Laurel. Sometimes you can't tell your Five Eyes without a scorecard.
Anyway, this time it's Amazon and Walmart and the likes playing the killjoy,
but they're probably right to do so.
Little kids should leave their unsecured interactions with strangers on their smartphones,
just the way Silicon Valley intended.
Speaking of Silicon Valley, the U.S. Senate wants answers from both Facebook and Google
about data sharing with Huawei and other Chinese manufacturers.
Salons on both sides of the Atlantic just won't let it go.
Over in Westminster, Parliament is still chewing on the former head of Cambridge Analytica.
What's a little bit of data sharing among colleagues anyway?
Besides, people probably must have consented to it somewhere.
We're pretty sure there was something in the EULA and terms of service about it.
And besides, as everyone knows, the large print giveth and the small print taketh away.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, welcome back.
You wanted to take us through some information about industrial control systems today.
What do you have to share?
So at Lancaster, we do quite a lot of work on what we call cyber-physical systems.
That includes industrial control systems, the Internet of Things,
anything that's really a smart piece of technology that can affect
or sense the environment in which it operates.
Industrial control systems are of particular concern
because they control some of the most important parts of our lives,
from water treatment, power generation, power distribution.
And so they form naturally a part of the critical national infrastructure.
And there's considerable concern about how open and vulnerable they are.
But we've been doing some work here looking at industrial control systems
and how complex they actually are and how you would actually formulate a way to get into them at a sophisticated level.
So one of the key things is that in some levels, industrial control systems are quite easy to stop working, so to shut them down. And in and
of itself, that is a particular problem. But to be able to produce the more sophisticated effects,
the type of effects that we might see within standard
computing systems, the subtle manipulations, the theft of data, that type of thing, is actually
quite complicated. And the reason for that is within the industrial control system, there's a
device typically called a PLC that controls the process. And all that does is run a specific
program. Now that program doesn't have any other
additional details on it about what it does. So if you took that program, all you're doing is
you're getting a binary effectively of how the device works. And there's no other information
about what that device is connected to, the sensors and the actuators. So being able to
reverse engineer from that is incredibly difficult.
So when attackers are trying to look at more complex and sophisticated attacks, they're having
to go for other devices within the whole control system itself. So looking at things like historians
that record data, looking at the devices which provide the graphical representation of the control system.
And from that, you have to then start piecing together how the whole plant infrastructure works.
So that's unlike a standard computing system, computer network, in which a compromise of, say, a server or something like that can lead to quite sophisticated understanding of the rest of the infrastructure.
With a sophisticated attack against industrial control systems,
you have to start doing a much broader attack against the multiple systems.
And that makes it much harder for the attacker.
But as defenders, we must be aware that actually to be able to do that sophisticated attack,
we need to defend across a much larger part of our
operational environment. Now, it's true as well, isn't it, that part of the complexity of these
systems is that very often these are one-off systems. It's not like every power plant or
every water treatment plant across a nation are identical to each other. These are custom built.
Yeah, that is true. So even the same supplier to, say, a large electrical distributor will have a
series of engineers which may implement these control systems completely differently because
of their background, because of their programming environment, because of the specific environment that part of the electricity grid is operating in.
And so even if you compromise one particular environment, a small section, you can learn some lessons about the overall structure,
but it's very difficult to then extrapolate to other parts of the operational environment. And so the data gathering part, if you're going through
sort of the kill chain approach to thinking about how an attacker gets into the operational
environment, the information gathering phase is much larger, has to be much larger and much
more comprehensive for the really sophisticated subtle attacks against control systems.
All right. Well, as always, it's interesting stuff.
Daniel Prince, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.