CyberWire Daily - News about Russian and Chinese government threat actors. Powerful crimeware active in Brazil. BlueKeep really needs to be patched. Messenger Kids issues. Dispatches from the cryptowars.
Episode Date: July 25, 2019. Did you know that Fancy Bear has taken to wearing a Monokle? A new Chinese cyber espionage campaign is identified. Intrusion Truth tracks APT17 to Jinan, and China's Ministry of State Security. Guildma malware is active in Brazil, and may be spreading. BlueKeep is out in the wild, and now available to pentesters. Facebook's Messenger Kids app has been behaving badly. And an update on the cryptowars, with some dispatches from the American front. Michael Sechrist from Booz Allen Hamilton on municipalities paying ransomware. Guest is Eric Murphy from SpyCloud on threat intelligence at scale. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_25.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Word on the street is Fancy Bear has taken to wearing a Monokle.
A new Chinese cyber espionage campaign is identified.
Intrusion Truth tracks APT17 to Jinan and China's Ministry of State Security.
Guildma malware is active in Brazil and may be spreading.
BlueKeep is out in the wild and now available to pen testers.
Facebook's Messenger Kids app has been behaving badly.
And an update on the crypto wars with some dispatches from the American front.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 25th, 2019.
Security researchers at Lookout have announced the discovery of Monokle, which the company describes as a new and sophisticated set of custom Android surveillance-ware tools.
There are some indications that there may be an iOS version lurking somewhere, but for now the Android toolkit is in use in the wild.
Lookout attributes Monokle to the Special Technology Center Limited, also known as STC Limited or simply STC.
The company is based in St. Petersburg, Russia,
and along with two other companies,
was sanctioned in 2016 by a U.S. executive order
for its work on behalf of the GRU.
That work involved information operations against U.S. elections.
Monokle is advanced mobile malware
designed to collect and exfiltrate personal data from infected devices.
Lookout says Monokle uses familiar methods but in novel ways
and that it's been extremely effective against its targets.
Its functionality includes profiling of the users it targets
to gain a sense of what interests them.
So if the bears are sporting some new eyewear,
what of the pandas? Well, they haven't been idle either. Proofpoint yesterday published a report
describing the activities of a Chinese advanced persistent threat group it calls Operation LagTime IT.
The security firm tracks the group internally as TA428. We parenthetically express some regret that they haven't named the threat group after a cute animal.
At any rate, LagTime is a cyber espionage operation that collects against East Asian targets,
for the most part government agencies that oversee government information technology,
domestic affairs, foreign affairs, economic development, and political processes.
The campaign uses a remote-access Trojan, Cotx RAT, as well as Poison Ivy payloads.
These it distributes by phishing, which remains probably the most common vehicle of cyber espionage.
Activist group Intrusion Truth has linked the threat actor APT17 to the Jinan Bureau of the Chinese Ministry of State
Security. APT17 has sometimes been known as Axiom or Deputy Dog, and it's been implicated in a
number of operations over the past few years. Intrusion Truth makes a case that a Ministry
of State Security officer by the name of Guo Lin is running front companies that engage in cyber espionage on
behalf of the Chinese government. Intrusion Truth also says APT17 engages in some domestic crime on
the side, selling stolen data from Chinese targets. This may be read at least as the familiar
interpenetration of the more ambitious security services and the more rapacious criminal gangs.
That's been seen for some time in Russia, where elements of the mob act on behalf of government
organs. But the nature of the theft here suggests something more than that. As Intrusion Truth puts
it in their blog, quote, either APT17 has some sort of domestic remit acquiring data on Chinese
citizens and selling it to the MSS,
but that is unlikely because China's new intelligence law compels companies to provide
information required by the government, and the price list certainly wouldn't be circulated online.
Or the MSS has lost all control of APT17, which is hacking Chinese victims and selling the data
to the highest bidder.
The white-hat doxers of Intrusion Truth have achieved a certain cachet over the last three years.
Their identification of individuals involved in the Chinese hacking groups APT3 and APT10 in 2017 and 2018 eventually found official confirmation in the form of U.S. Justice Department indictments
of some of the people Intrusion Truth named in their reports.
There's unambiguously criminal activity out and about as well.
Security company Avast has published an account of Guildma malware.
They're calling it a powerful combination of RAT, that is a remote access tool,
with spyware and a password stealer and banker
malware. It's being distributed for the most part in Brazil and usually arrives as a baited
attachment in phishing campaigns. The usual cautions about phishing awareness, of course,
apply. Guildma has been in use since 2015, and while Brazil remains its principal zone of action,
the criminals behind it have also hit targets in Argentina, Chile, China, Ecuador,
the European Union, Peru, and Uruguay.
Integrating a threat intelligence program into your organization presents a specific set of challenges.
There's making sense of streams of incoming data, separating the signal from the noise,
and filtering in such a way to make the intelligence actionable. And while you're at it, you'll want to make sure the systems you put in
place are scalable. Eric Murphy is VP of Security Research at SpyCloud. In general, it's kind of
defining what your paradigm or what your methodology is. So the two general concepts are,
are you a reactive organization or are you a proactive organization?
In general, most, I guess the standard operating procedures for CISOs these days,
and this goes back the last 20, 30 years, is to build what is perceived to be as a reactive org.
So you build out a SOC, a security operations center, you staff it with analysts,
and you kind of look for threats as it
relates to your perimeter. The proactive approach is almost the opposite of that, where you kind of
follow these data science practices, you have an ingest pipeline of some sort, and you're actively
involved in, say, the criminal communities, or trying to understand the trends as it relates to your
vertical or your business. So those are kind of the fundamental differences.
And is it right to say that it's not all one or the other, that many organizations have a,
they sort of dial in a mix between the two? Yes, I think that's an accurate statement. I
think most kind of err on the side of reaction or reactionary. And that's mainly due to kind of the tooling available or how big your organization is.
Keep in mind that this practice has been around for a very long time.
So most of the enterprise or security software out there kind of focuses on that.
And so what's your advice for folks who are out there trying to consider how they can integrate threat intelligence into their organization? How do they begin?
threats are. But what I actually mean is there's a difference between a perceived threat and an actual threat. If you have a better understanding of, say, the criminal communities or the types
of people that target your business, that's always a really good starting point. So it starts out
with building kind of an intelligence function into your security organization. From a tech
standpoint, it's first establishing how you're gonna gain visibility, not only into your organization but outside of
your organization, and then instrumenting the proper security layers, right? So the
application, network, host, human, that sort of thing. And then it's a matter of
really finding the right kinds of talent that understand the criminal world, more
or less. So it starts with building out the
proper tech, staffing appropriately, and then building out your data pipelines. For example,
you would build out a human intelligence team, HUMINT. That team is responsible for managing
human assets or developing assets in the field. These could be actors, these could be higher level
criminals. It's the relationship part that informs kind of what trends or what's hot at any given
time. That's one facet. The other facets include, you know, or traditionally might be like signals
intelligence, which today has kind of been adopted for the web. But I guess we think about it in terms of active and passive intelligence.
The human side falls into the active category,
again, developing those assets, obtaining data, that sort of thing.
The passive side, then, would be developing the technologies
to either scrape or pull data from sources
that are deemed sensitive or interesting in some way.
That's Eric Murphy from SpyCloud.
Assessment and penetration testing company Immunity is selling a BlueKeep version as
part of its Canvas penetration testing suite, ZDNet reports.
Let's be clear about this.
Immunity isn't trading on the black market or selling crimeware to the mob.
But the reason you incorporate an exploit into a penetration kit is because there's a greater than zero possibility
that the hoods will be using it. Still, people in the security community are uneasy with this.
Various security firms say they've developed proof-of-concept exploits for BlueKeep,
but they've kept the details to themselves, lest criminals take
advantage of them. Once a vulnerability is weaponized, even for good, there's of course
a greater likelihood that it will get into the wrong hands. Bluekeep, by the way, is already
being exploited in the wild. Researchers at security firm Intezer have found it incorporated
into the latest version of the watchbog cryptojacking botnet.
If you haven't already done so, please patch for Bluekeep.
Not to pile on that social network based out of Menlo Park,
but they're having an uneasy week, public image-wise.
Naked Security reports that Facebook has had to tell parents that a group chat option in its Messenger Kids Android app
circumvented the core feature of that app,
parents' ability to restrict the child user to communication
with only parentally approved contacts.
The issue seems to have been a simple glitch
without any nefarious monetization agenda at its root,
but the optics, as they say, aren't good.
And finally, we've noted that U.S. Attorney General Barr fired another shot in the
crypto wars this week, making a constitutional argument that, quote, the Fourth Amendment
strikes a balance between the individual citizen's interest in conducting certain affairs in private
and the general public's interest in subjecting possible criminal activity to investigation,
end quote. The other side pushed back with arguments to
the effect that no one has any idea of how to ensure access to non-cooperating encrypted systems
without dangerously weakening security for everyone. Critics also maintained that as a
matter of fact, the extent to which going dark is an actual problem has been exaggerated,
and the government's ability to access the traffic it needs to access for legitimate law enforcement and intelligence purposes has in general been underestimated.
There are also political objections from those who believe they discern in the Attorney General's
remarks a disposition to see data security in terms of first-class citizens, that is the
government and especially the Defense Department and the intelligence community, but also big business, and second-class citizens, which is basically private citizens.
In any case, the Department of Justice is convinced that going dark is a real problem,
and it seems prepared to double down on an anti-encryption position it's held
at least since the early days of the Obama administration.
But one suggestive bit of reporting on CNN hints at either
a motive or a retrospective justification for the renewed offensive in the crypto wars. Special
Counsel Mueller's investigation of Russian election influence collected a lot of messages
that would have been really good, but darn it, too many of them were encrypted.
It will be interesting to see if this particular story has legs.
And I'm pleased to be joined once again by Michael Sechrist. He's Chief Technologist at
Booz Allen Hamilton, and he leads their Managed Threat Services Intelligence team. Michael,
it's always great to have you back. I wanted to touch base about some of the things we've
been tracking in terms of ransomware. We've seen some cities who have been choosing to pay the ransom.
And I can't help wondering, even though they think they're getting their data back, could there be issues here with data integrity?
Yeah, thanks. Thanks for having me back again.
Definitely. This is an issue that we're concerned with as well for what we're seeing in this space.
Again, this is potential for some sort of integrity attack on the data itself.
And having sort of these companies or cities in this case that are potentially under ransomware attack, when they receive sort of the files back,
how do they know that they're not being altered or that there's not some sort of backdoor being implemented into the data they're
receiving? This again gets to known good and known bad for a company and for an organization or a
city, something that we are working closely to try to mitigate and build internally within our clients.
So let's dig into that a little bit. When you say known good and known bad,
what are you talking about?
Building a process in place within a company structure that, or within an organization,
like even a city government, that can associate what, and determine what something that they've
produced is what they've produced,
or is this something that's potentially been altered by a third party in an unauthorized way?
So getting to an authorized and unauthorized sort of content or media or file is a difficult
challenge in and of itself based on sort of the ecosystems that are in place digitally across these organizations. But having sort of a way, and one of the ways we believe is the best
way, is to build a intelligence lifecycle that's well-functioning within these organizations,
but building a way that you can associate known good and known bad for your company or enterprise.
Yeah, I'm thinking about these cities who have been going through this, and I suppose
any organization that's gone through a ransomware incident and has decided that paying the ransom
is their best option, perhaps their only option.
I suppose that if they're faced with that, that probably means they don't have a functional
backup system, which would also lead me to believe that they probably don't have some way of tracking data integrity.
That's a potential for sure.
Obviously, a lot of the ransomware problems that we're seeing are due to not having appropriate offline backups of critical data
and are forcing enterprises to kind of engage in a potential
payment of a ransom. This is guidance that's been issued by the U.S. CERT for years and from others
that that's definitely a critical component that's needed. But that's a very difficult thing for an
enterprise or an organization to tackle in and of itself. What is your most critical data and how
are you going to build an offline capability to restore it in times of crisis?
That's one.
But then the other question we're asking here is the data that is restored, how do we know that that is the data that we consider our data or data that is good and data that is authorized on behalf of the enterprise?
And that's a much more difficult
question. It is reliant on the organization to know that information and to know what's
potentially been altered. And that requires kind of almost a central repository of truth
at these companies or these enterprises. And that's kind of what we're getting at. That's
why the intelligence lifecycle is so important, because it really should be your own internal mechanism for deriving the truth of
data in your enterprise. All right, well, Michael Sechrist, thanks for joining us. Thank you.
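Added example (an editor's illustration, not part of the episode and not Booz Allen Hamilton's code): one way to give a city or company the "known good" baseline Sechrist describes, so that a file set handed back after a ransomware payment, or restored from backup, can be checked for altered files, deleted files and planted extras. It assumes the manifest key is generated ahead of time and kept offline with the backups rather than on the servers; the three-file "city records" tree and the tampered restore it checks are constructed sample data.

```python
"""Known-good manifest for restored data.

Build a keyed-hash manifest of every file before an incident; after a restore,
verify the restored tree against it and report altered, missing and unexpected
files. HMAC rather than a bare SHA-256 so that an intruder who rewrites files
on the server cannot simply regenerate a matching manifest without the key.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file contents, streamed so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Map relative path (forward slashes) -> keyed digest for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p, key)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: dict, key: bytes) -> dict:
    """Compare a restored tree with the pre-incident manifest.

    altered    : present in both, contents differ (data integrity attack)
    missing    : in the manifest, not in the restore
    unexpected : in the restore, never in the manifest (e.g. a planted binary)
    """
    current = build_manifest(root, key)
    altered = sorted(
        name for name in manifest
        if name in current and not hmac.compare_digest(current[name], manifest[name])
    )
    missing = sorted(name for name in manifest if name not in current)
    unexpected = sorted(name for name in current if name not in manifest)
    return {
        "altered": altered,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (altered or missing or unexpected),
    }


# Constructed sample key; in practice generated with secrets.token_bytes(32)
# and stored offline alongside the backups, never on the production hosts.
DEMO_KEY = b"constructed-demo-key-kept-offline"


def _write_sample_tree(root: Path) -> None:
    """Constructed 'city records' export used by the demos below."""
    (root / "records").mkdir()
    (root / "records" / "permits.csv").write_text("id,holder\n1,alice\n")
    (root / "records" / "payroll.csv").write_text("id,amount\n1,1000\n")
    (root / "readme.txt").write_text("city records export\n")


def demo_clean_restore() -> dict:
    """Baseline then an untouched restore: everything should verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_sample_tree(root)
        manifest = build_manifest(root, DEMO_KEY)
        return verify_restore(root, manifest, DEMO_KEY)


def demo_tampered_restore() -> dict:
    """Baseline, then a restore where payroll was edited, a DLL was planted
    and the readme vanished: all three should be reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write_sample_tree(root)
        manifest = build_manifest(root, DEMO_KEY)
        (root / "records" / "payroll.csv").write_text("id,amount\n1,9000\n")
        (root / "records" / "helper.dll").write_bytes(b"MZ\x90\x00")
        (root / "readme.txt").unlink()
        return verify_restore(root, manifest, DEMO_KEY)


if __name__ == "__main__":
    print(demo_clean_restore())
    print(demo_tampered_restore())
```

The manifest only proves the restore matches what existed when the manifest was built, so it must be rebuilt on a schedule that matches the backup cadence, and the key and manifest belong with the offline copies the US-CERT guidance mentioned in the interview, not on hosts the ransomware could reach.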
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.