CyberWire Daily - Patch Tuesday notes. Skype DLL hijacking vulnerability. Olympic Destroyer malware described. Lazarus Group newly active. BitGrail heist? Cyber Valentine.
Episode Date: February 13, 2018

In today's podcast, we hear that Patch Tuesday will not include a Skype fix—that one will take some time and attention. Olympic Destroyer is the malware thought to be infesting the Winter Games. Attribution remains unclear, but a lot of suspicious eyes are looking at you, Mr. Putin. The Lazarus Group is stepping up its cryptocurrency stealing game. Questions swirl around the alleged BitGrail cryptocurrency exchange losses. David Dufour from Webroot on Mac vulnerabilities. Guest is Mark Loveless from Duo Security, looking at IoT personal safety devices. And, hey—Valentine's Day is tomorrow.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Patch Tuesday will not include a Skype fix. That one will take some time and attention. Olympic Destroyer is the malware thought to be infesting the Winter Games. Attribution remains unclear, but a lot of suspicious eyes are looking at you, Mr. Putin. The Lazarus Group is stepping up its cryptocurrency-stealing game. Questions swirl around the alleged BitGrail cryptocurrency exchange losses. And hey, Valentine's Day is tomorrow.

I'm Dave Bittner with your CyberWire summary for Tuesday, February 13th, 2018.
It's Patch Tuesday, and Microsoft and other vendors will be issuing various fixes over the course of the day. It may be a relatively quiet month. Adobe put a new Flash update out at the end of last week, which may do it for Adobe for a while. Mozilla updated Firefox last week, too. Google pushed a Chrome patch out a week ago, so we may see little from them as well. Microsoft is expected to publish its customary Windows update today.

One patch users will have to wait for involves Skype, the widely used telecom software. The product, developed by Microsoft subsidiary Skype Technologies, has been discovered to suffer from susceptibility to DLL hijacking that could allow an attacker to gain system-level privileges on victim machines. DLL hijacking involves an attacker gaining the ability to control which dynamic link library, that's the DLL, a program loads, which in turn permits that attacker to insert a malicious DLL into the loading process. Dynamic link libraries are basic components of the Windows operating system that provide applications with essential resources. The problem arises from a flaw in Skype's update installer.

Microsoft won't patch this issue immediately. It's not because Redmond is indifferent or regards the vulnerability as minimally important. Rather, it's a tricky problem that will require significant reworking of Skype code. Microsoft intends to fix it in future versions of Skype. The bug could be weaponized, but so far there are no signs that it has been. Exploiting the vulnerability isn't trivial either, and so, serious as the issue is, immediate danger, while real, is still relatively improbable.
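The following is an added example for readers of this transcript; it is not from the episode, from Microsoft, or from Skype, and it does not describe the actual Skype updater. It models the default Windows DLL search order (application directory, System32, the 16-bit system directory, the Windows directory, the current directory, then PATH, with KnownDLLs always taken from System32) and uses that model to triage which of an installer's imports an attacker could satisfy first by planting a DLL in a directory they can write to. The directory layout, the DLL names, the import list, and the helper names (`Loader`, `hijack_candidates`, `triage`) are all constructed assumptions for illustration.

```python
"""Search-order model for DLL hijacking triage (added example, not from the
episode; the file-system layout and imports below are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Directory:
    path: str
    dlls: frozenset      # lower-case names of DLLs actually present here
    writable: bool       # True if an unprivileged local user can create files here


@dataclass(frozen=True)
class Loader:
    """Default Windows DLL search order with SafeDllSearchMode enabled:
    application directory, System32, 16-bit system directory, Windows
    directory, current working directory, then each PATH entry."""
    app_dir: Directory
    system_dirs: tuple          # (System32, 16-bit system dir, Windows dir)
    cwd: Directory
    path_dirs: tuple
    known_dlls: frozenset = frozenset()   # KnownDLLs are mapped from System32 regardless

    def search_order(self):
        return (self.app_dir, *self.system_dirs, self.cwd, *self.path_dirs)

    def resolve(self, dll):
        """Directory the loader would load `dll` from, or None if unresolved."""
        name = dll.lower()
        if name in self.known_dlls:
            return self.system_dirs[0]
        for d in self.search_order():
            if name in d.dlls:
                return d
        return None

    def hijack_candidates(self, imports):
        """Map each hijackable import to the first attacker-writable directory
        the loader consults before it would find the legitimate copy. An
        import satisfied from a non-writable directory before any writable
        one is safe and is omitted. Imports that exist nowhere (optional or
        delay-loaded DLLs) are still hijackable via cwd or PATH."""
        findings = {}
        for dll in imports:
            name = dll.lower()
            if name in self.known_dlls:
                continue
            for d in self.search_order():
                if d.writable:
                    findings[name] = d.path   # attacker's planted DLL wins here
                    break
                if name in d.dlls:
                    break                     # legitimate copy found first
        return findings


# Constructed layout (assumption): a user profile, system directories, a
# Program Files install directory, and one user-writable entry on PATH.
SYSTEM32 = Directory(r"C:\Windows\System32",
                     frozenset({"kernel32.dll", "version.dll", "uxtheme.dll"}), writable=False)
SYSTEM16 = Directory(r"C:\Windows\System", frozenset(), writable=False)
WINDIR = Directory(r"C:\Windows", frozenset(), writable=False)
USER_TEMP = Directory(r"C:\Users\alice\AppData\Local\Temp", frozenset(), writable=True)
DOWNLOADS = Directory(r"C:\Users\alice\Downloads", frozenset(), writable=True)
PROGRAM_DIR = Directory(r"C:\Program Files\ExampleApp", frozenset(), writable=False)
PATH_DIRS = (Directory(r"C:\Tools", frozenset(), writable=True),)
KNOWN_DLLS = frozenset({"kernel32.dll"})

# Constructed import table for a hypothetical installer: one KnownDLL, one
# ordinary system DLL, and one optional DLL that ships nowhere on this box.
IMPORTS = ("kernel32.dll", "version.dll", "plugin_helper.dll")


def triage(app_dir, cwd=DOWNLOADS):
    loader = Loader(app_dir, (SYSTEM32, SYSTEM16, WINDIR), cwd, PATH_DIRS, KNOWN_DLLS)
    return loader.hijack_candidates(IMPORTS)


def updater_run_from_temp():
    """Installer copied to, and launched from, the user's temp directory."""
    return triage(USER_TEMP)


def updater_run_from_program_files():
    """Same installer launched from a directory only administrators can write."""
    return triage(PROGRAM_DIR)


if __name__ == "__main__":
    print("launched from %TEMP%:", updater_run_from_temp())
    print("launched from Program Files:", updater_run_from_program_files())
```

The two runs show the point that matters for an installer: when the executable runs from a user-writable directory, every non-KnownDLL import is hijackable from the application directory itself, before System32 is ever consulted; moving it to a protected directory leaves only the phantom import exposed through the current directory and PATH. On a live system the equivalent check is to watch the installer under Process Monitor and look for DLL loads that resolve, or fail to resolve, outside protected directories.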
We recently received a report from researchers at Duo Security on a category of devices that aim to increase personal security, and whether the cybersecurity on these devices is up to the task. Mark Loveless is a security researcher at Duo, and he explains.

These are personal protection devices. Sometimes they're referred to as panic buttons, very simple little Bluetooth devices. Basically, if you press a button on the device, and the device is essentially only a button, it talks to an app on the phone that's matched up with it. And then the app uses the phone's GPS coordinates to send a message to a list of people that the person that pressed the button is probably in some form of danger, physical danger.
And so what would be a typical use case for something like this?
The main way these things are marketed is typically toward women who feel at risk. They're afraid of stalkers or some other type of attackers, you know, similar in that nature. Perhaps if they, for whatever reason, decide that they want to go running in a park for exercise or whatnot, and they just feel unsafe there. But they're also increasingly being used by human rights workers in foreign countries, people that are protesting under repressive regimes, that also want some method to be able to say, hey, I'm in danger, hey, come get me.
So the notion being that rather than pulling your phone out and having to make a phone call, you could, in a very discreet way, just press a button on this device and it'll do that in an automated way.
Exactly. And typically, the scenario that they often repeat is that in some cases, getting your phone out might actually escalate the situation.
So we've got this device that is designed with people's safety in mind.
And yet in your research, you all found some potential vulnerabilities in them.
Can you take us through those?
We tested three devices. One of them, the ROAR Athena, came through with flying colors. In fact, we were extraordinarily surprised as to how well it was put together. The second one was the Revolar device. And that one was subject to being able to track it via Bluetooth, and not only be able to see the device, but determine that it in fact was one of these personal protection devices, because it gave it up in the name. And then the Wearsafe device, it also was subject to tracking, but it also had a vulnerability in its Bluetooth implementation so that a remote attacker could disable the device. And there was no indication, because there's no real light or anything on the device that would indicate whether it's working or not. You just press a button, and that's pretty much it. And by doing this Bluetooth attack, you could disable the device and the victim would not know the device was disabled. So you could sit there and press the button thinking that help is coming when help is not.
I see.
Overall, what's your advice for someone who thinks that this might be the kind of thing that they want to use?
If someone's out shopping for this sort of device, do you have any tips for them?
Well, first off, I would say you want to go with the one that does not have any vulnerabilities associated with it. I would look for ones that really make an effort to protect your privacy. While the physical disabling via Bluetooth is an issue, you have to be close enough to the person to be able to do that. Same with the tracking, but just to prevent yourself from being tracked, actually, for me, the ROAR Athena was by far the best solution for this. So if anyone spends that much attention to detail and is really trying to protect someone's privacy with a security device, that's going to be what I would look for.
That's Mark Loveless from Duo Security.
You can find their complete report on these IoT safety devices on their website.
The Olympics are now generally regarded as having been the victims of a cyber attack and not a mere glitch. The Games' sites were taken out during the opening ceremonies last Friday, and the malware used against official sites of the PyeongChang Winter Olympics now has a name, Olympic Destroyer. It's also said by Cisco's Talos research unit to share some code with NotPetya and BadRabbit, pseudo-ransomware strains famously used last year. The malware was apparently used with disruptive rather than financially motivated intent, which argues a political or ideological motive.

How the malware got into systems it infected is unclear, but Talos did note that the software contained what would appear to be hard-coded credentials based on pyeongchang2018.com, the official domain for the Winter Games. While Talos hasn't been able to confirm those passwords' validity, the coding suggests the possibility that the attackers have some kind of advanced access to Olympic systems. The two usual suspects are Russia and North Korea, with more of the circumstantial evidence and motive and opportunity pointing toward Russia.
Russia's Ministry of Foreign Affairs is on the counter-messaging warpath, denouncing rumors of that country's involvement as nothing more than a CIA and NSA operation concocted with firms like ESET, ThreatConnect, and Trend Micro. Bratislava-based ESET is particularly mentioned in dispatches, and a Slavic-American plot against Russia would at least have the virtue of novelty. But ESET understandably and believably denies that any such thing is up, characterizing the charges as propagandistic hooey and misdirection. But nevertheless, in this case, the hijackers seem likelier to answer to Moscow than they do to Pyongyang. Russia has been taking cyber shots at the Olympics and related international athletic organizations since its team was banned for doping late last year.
Besides, North Korea has played an unusually strong propagandistic hand these last couple of weeks. Kim Yo-jong, sister of North Korean leader Kim Jong-un, has enjoyed a successful stroll around the international catwalk as the appealing public face of the secretive, impoverished, and repressive Democratic People's Republic of Korea. Her appearance has amounted to an information ops coup, as she's been the subject of positive coverage reminiscent of the flattering treatment Syrian First Lady Asma al-Assad, also the glamorous and fashionable face of a pariah state dedicated to the pursuit of weapons of mass destruction, received in fawning profiles by Vogue and other outlets a few years ago. Kim is now back in Pyongyang. Treat accounts of her goodwill embassy with appropriate skepticism.

North Korea may be posing as a global model citizen during the Games, but its Lazarus Group has shown a new spurt of activity in its familiar specialty of cryptocurrency theft. Researchers at security firm McAfee are tracking the resurgence of the group's HaoBao campaign. It uses tools pioneered in earlier campaigns directed principally toward espionage, in phishing efforts directed against cryptocurrency users and financial institutions, especially cryptocurrency exchanges.
The little-known BitGrail cryptocurrency exchange, based in Italy, says it's lost $195 million to hackers, but observers are skeptical. The currency they lost is Nano, formerly known as RaiBlocks. BitGrail blames the Nano development team for the loss, but Nano's core team cries foul and says BitGrail has been misleading people about its solvency for some time. BitGrail has filed a complaint against Nano developers alleging aggravated defamation. It's too early to know what actually happened here. Two weeks ago, The Next Web noted rumors that BitGrail was attempting to scam users in the course of an announced suspension of support for non-European users. Matters should become clearer as investigation and litigation proceed.
Finally, tomorrow is Valentine's Day. Did you notice? Did this reminder prompt you to hustle over to online purveyors of chocolate, flowers, pajamas, jewelry, cute stuffed animals, and the other impedimenta of la vie d'amour? We thought so. Well, caveat amator. Experts caution the lovelorn against entrusting their hearts to the internet. Believe it or not, scammers are out there looking to relieve you of cash, credentials, and whatever residual self-respect you may still be clinging to. Catfish are out there looking for you in chat rooms and social media. And one very odd dating site is being described by Security Boulevard. The service matches soulmates by, wait for it, their passwords. Enter your password and it will find someone who uses the very same one, for a match made in cyberspace. So hop to it, Ninja1234. Put yourself out there, letmein789. The one you've been looking for is out there. But seriously, don't let credential harvesting make good love go bad.

We'll have more on the topic of Valentine's Day tomorrow when we talk to those experts in affairs of the heart, the researchers at IBM Security. The heart has its reasons, which the reason knows not. But apparently, Watson's got a pretty good idea of what's going on.
And joining me once again is David Dufour. He's the Senior Director of Engineering and Cybersecurity at Webroot. David, welcome back. One thing we saw in 2017 was an increase of attacks on the Mac. And Apple also had a handful of, I call them high-profile software issues that had affected security. Are we having a problem here with the Mac? Is the Mac more vulnerable than it used to be?

Well, I would say it's probably not more vulnerable than it used to be. I always like to say, why do people attack Windows machines? It's like, why do bank robbers rob banks? Because that's where the money is. So I guess my point in saying that is there have been vulnerabilities in the Mac environment, but they've just not been heavily used or heavily attacked because it's easier to attack other types of machines out there. So they're there, but it's just not as readily available. It's a little more challenging. And just like the rest of us, cyber criminals can be lazy.

So is it that combination, that there may be more vulnerabilities on the Windows side, but also there's just so many more installations?

One man's opinion: it is that there are more installations. And OS X was built from the ground up with security in mind, where Windows, the initial, when it came out, it was really built for collaboration, integration, getting things to talk together. So there's a lot of communication back and forth. I will tip my hat. Windows 10 is a very good operating system rebuilt from the ground up with security in mind. But the Mac, again, and we're just talking here, the Mac is inherently more secure, the OS X, but it does have vulnerabilities.

And so in terms of best practices for someone on the Mac side, what sort of care should they be taking?

In every single segment that you let me say it, I'm going to say you should be backing up your data. Backing up your data is the best way in case something happens. And Apple makes that absolutely simple with OS X. But most importantly, and again, you should do this no matter what operating system you're running on what device, you need to apply patches. And Apple does a great job of, when a vulnerability comes out in their OS or even a third party that runs on their OS, they do a great job of getting a patch out quickly. And patching is the best way to make sure new attacks or exploits, you're not susceptible to those.

So when you get that notice from Apple saying there's an update available, go ahead and install it.

Absolutely. Go ahead and install it, especially if it's from Apple. They're very reliable. They're very good in how they approach their security.

All right, David Dufour, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.