CyberWire Daily - Newly disclosed threats and vulnerabilities, mostly criminal. Catphishing peer review. The US may indict North Korea for the Bangladesh Bank heist.
Episode Date: March 23, 2017
In today's podcast we offer a rundown of recently announced threats and vulnerabilities in stores and documents: Play Store, App Store, and MS Office. Some crooks move to the cloud. GoDaddy buys Sucuri. The US is rumored to be preparing a North Korean indictment for the Bangladesh Bank heist. Social media look for bad bots. Level 3's Dale Drew describes botnet evolution. LookingGlass' Eric Olson explains Facebook Marketplace security. And some dodgy scientific journals seem to use catphish for peer review.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
We've got a rundown of recently announced threats and vulnerabilities in stores and documents,
Play Store, App Store, and MS Office.
Some crooks move to the cloud, GoDaddy buys Sucuri,
the U.S. is rumored to be preparing a North Korean indictment for the Bangladesh Bank heist,
social media look for bad bots,
and some dodgy scientific journals seem to use catphish for peer review.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 23, 2017.
Some recently discovered threats and vulnerabilities lead today's news.
Researchers at security firm Zscaler have found some unusually nasty bits of adware lurking in the Google Play Store.
They're unusual in at least two ways.
First, they're able to add themselves as a device administrator,
and second, they play possum for six hours after installation,
exhibiting only good behavior.
That second feature seems to have been put there to evade detection
and ejection by Google Bouncer, Mountain View's security feature
that executes an app, evaluates its behavior,
and kicks it out of the store if it shows itself to be up to no good.
Zscaler found 12 bad apps.
Four of them have a lot of downloads, between 10,000 and 50,000 by Zscaler's count,
so it's putting those on the BOLO (be on the lookout) list.
So be on the lookout for 8th Note Jump, Talk To Me, Photo Editor, Cut Crop Paste,
QR and Barcode Scanner, and finally, Smart Compass.
Google is neither careless nor negligent about security, but the Android ecosystem is big, open, and complex,
and it's difficult to purge all the bad things out there,
especially when criminals are devoting a great deal of time, talent, and attention to circumventing security.
In another report about Android malware, Palo Alto Networks' Unit 42 has found that new aggressive adware is abusing the popular open-source Android plugin frameworks DroidPlugin and VirtualApp.
Users' private data are at risk if they operate in these environments, so again, be wary.
Apple's App Store, by reputation more tightly controlled than its relatively more open Google counterpart,
also draws the attention of crooks and scammers.
Trend Micro has a report on how some criminals, apparently in China,
at least their code is in Mandarin,
have insinuated their own third-party App Store into Apple's App Store.
The third-party store got in, cloaked in a legitimate application.
ICS security shop Dragos reports finding malware disguised as Siemens firmware infecting some
10 industrial plants.
The infestation has been quietly active for about four years.
According to security researchers at Netskope,
a new strain of macro-based malware
affecting Microsoft Office is now cloud-based.
Default Office installations disable macros,
so the malware purveyors are seeking to induce their targets
to enable macros in the documents they use as vectors.
The malware uses either VBScript or PowerShell script,
and its signatures are known.
Of course, users fall victim to known threats all the time.
What's interesting about this macro-based malware is its use of a cloud service,
1fichier, a service based in France, pronounced "un fichier," or perhaps "one fichier" if you're an Anglophone reading news stories.
It's not a criminal organization, but it is being used by criminals.
Netskope Threat Research Labs doesn't think too highly of 1fichier as far as security is concerned,
rating it an 11 out of 100 on enterprise readiness.
The payloads being distributed by the malicious macros are often ransomware.
The extortion notes are in English, Polish, Russian, Dutch, Italian, and Mongolian.
Most malicious Word files have been crafted to affect either Windows machines or Macs,
but analysts at Fortinet have found one that can swing from either side of the plate.
The malicious code takes different routes depending on the operating system it detects on the victim's device.
Another new potential threat is an attack technique
that hasn't so far been observed in the wild.
Security firm Cybellum's researchers have described an escapade
they're calling Double Agent.
Double Agent abuses Microsoft's Application Verifier,
loading its own verifier DLL in place of the one provided by Microsoft.
Double Agent, as demonstrated by Cybellum,
can subvert antivirus products
and either silence them or turn them into attack mechanisms.
Potentially affected AV vendors have either verified
that their products aren't vulnerable,
patched them, or are at work on fixes.
So with some work and some luck,
if Double Agent shows up in the wild,
it will do so with limited effect.
In the fall of 2016, Facebook launched Marketplace, what they describe as a
convenient destination to discover, buy, and sell items with people in your community.
Facebook has clearly got eBay and Craigslist in their sights as they enter this space.
There's also a security angle. Eric Olson is vice president of intelligence operations
at LookingGlass Cyber Solutions, where one of the services they provide is keeping an eye out,
on behalf of customers, for unauthorized or gray-market goods in online marketplaces. Reviewing data
gathered from LookingGlass customers, Eric Olson offers us some insights. The traditional big three
were Alibaba, Craigslist, and its many hundreds or
thousands of city-specific sites. But collectively, Craigslist, Alibaba, and eBay have for many years
been the big three. And in less than 180 days, Facebook has moved to the two or three slot,
depending on the type of products. So I'd say that's going pretty well. They've gone from zero to sometimes as much as eight or nine or 10% of the total out of thousands of findings in less
than six months. From a cybersecurity point of view, what are the concerns? Well, I think there
are a couple of things to consider from a security standpoint. On the one hand, this is in some ways
potentially beneficial. Facebook is a, if you will, a monolithic source.
Facebook is developing the same kind of abuse reporting or response program that you see at
eBay in place for many years. And so by being another large monolithic source that draws in
large numbers of buyers and sellers, from a
security standpoint, it is nice in some sense to have one place to go to ask for assistance,
for example, in removal or takedown or investigation. So that's helpful. On the flip
side, the problem is that it is a system so easy to use for the non-technical seller and buyer that it may actually grow the pie, not just change where things are being distributed within it. So I think that is certainly one concern.
account. And I think the proliferation of accounts will be even greater on Facebook than they might be on a site like eBay. The third and final thing that comes to mind is unlike eBay or Craigslist,
where companies have long had programs or vendors or a process in place to monitor.
You've now added hundreds of Facebook city markets, similar to what Craigslist does. They are city-specific markets. You now have
hundreds of new markets you have to keep an eye on. And from an operational standpoint,
unless you work with a vendor who specializes in such things, I think it adds one more thing
for a security professional to have to keep an eye on,
and that may mean new processes or procedures or services.
That's Eric Olson from LookingGlass.
In industry news, GoDaddy acquires security firm Sucuri.
GoDaddy's cloud platform caters mostly to small, independent businesses.
It appears that they believe Sucuri's website security products and services will be just the thing their users want.
The U.S. considers indicting North Korean hackers in the Bangladesh Bank SWIFT fraud case.
The Department of Justice, the New York Fed, and SWIFT aren't commenting,
but the word on the street is that it was the North Korean government, aided and abetted by Chinese middlemen.
Finally, have you heard of fake news?
Sure you have.
And all sorts of people are grappling with the old problem of telling truth from lies
and from their epistemic cousins, error and BS.
The issue is complicated by the challenge of telling the humans from the bots, a difficulty
that's troubling Twitter's business these days, as bots are now thought to comprise some 15% of Twitter accounts. Other social media platforms
are believed to suffer similar infestations. So we should call in science to find the fix, right?
Alas, science has its own problems. Hand in hand with the replication crisis researchers are
talking about quietly comes another problem.
Scam journals.
Why are they scams?
Well, good science is peer-reviewed.
So are the scam journals.
It's just that the reviewers are, wait for it,
bots, catphish, and other online riff-raff.
It's enough to make any scientist, well, a mad scientist.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Dale Drew.
He's the Chief Security Officer at Level 3 Communications.
Dale, we wanted to touch base
today about, I guess, what you could call some evolution in the Mirai botnet. Yeah, we're
actually very excited to talk about this. We're actually seeing, and I'm going to knock on wood
here, but we're actually seeing part of the wind coming out of the sails of Mirai. When we first
started tracking Mirai during its sort of bubble period, we were tracking 500,000 to 600,000 compromised end devices being controlled by some 100 different botnet operators.
We're now seeing what we're calling controllable Mirai nodes at around the 100,000 mark. And what we mean by that is a controllable node is
there's still about 500,000 to 600,000 compromised Mirai nodes out there. But the command and
control systems can no longer connect to those devices. Those devices are now stranded. So the
devices that the bad guys are still able to operate is around 100,000. And so we're definitely seeing
a significant reduction in that footprint. We're seeing a lot of frantic activity from some of the
operators trying to increase the amount of devices they have by looking for new exposures. I do
believe in the next few months, we're going to see some pretty significant exposure with regards to
the number of new IoT vulnerabilities that are going
to be out in the industry, because these bad guys are definitely looking for new ways of breaking
into these devices. Now, when you say stranded, what do you mean by that in terms of an endpoint
device? Well, so what's happening is that when a bad guy breaks into, say, a home DVR or home
camera or a router, and he loads his own sort of botnet code to be able to control it.
Moments later, another bad guy will also break into a device and try to upload his own code.
So we saw a lot of infighting between botnet operators. And so what was happening is the
consumer had no idea this fighting was happening on their home device. But one bad guy would
actually patch or fix the exposure so the other bad guy couldn't break in.
In a lot of cases, we've seen botnet operators essentially hard code the command and control system that that compromised endpoint would talk to.
So when Internet service providers or security researchers are taking down those C2s like us, then that C2 can no longer talk to those compromised devices.
When the bad guy finds a new C2, he can't re-break into those devices because those
devices have been hard-coded to the previous command and control system.
All right. So there's no honor among thieves.
Dale Drew, thanks for joining us.
Thank you for having me.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives
and their families at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.