CyberWire Daily - Pegasus and Pakistan. What’s in Legion Loader. Threats to financial markets. Seasonal scams. What would Clippy do?
Episode Date: December 20, 2019
Pegasus may have appeared in Pakistan. Legion Loader packs in six bits of malware in one Hornets’ Nest campaign. Someone may have hacked Bank of England press releases to give them a few seconds’ advantage in high-speed trading. Frankfurt, in the German Land of Hessen, is clearing its networks of an Emotet infection. Some seasonal, topical scams are circulating. And what would Clippy do? Craig Williams from Cisco Talos with a look back at 2019's most serious vulnerabilities. Guest is Bob Ackerman from Allegis Capital with insights on the cyber security VC environment. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_20.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Pegasus may have appeared in Pakistan.
Legion loader packs in six bits of malware in one hornet's nest campaign.
Someone may have hacked Bank of England press releases
to give them a few seconds advantage in high-speed trading.
Frankfurt in the German land of Hessen
is clearing its networks of an Emotet infection.
Some seasonal topical scams are circulating.
And what would Clippy do?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, December 20th, 2019.
The Guardian reports that Pegasus spyware, the intercept tool produced and sold by NSO Group,
has been found in the phones of several senior officials in Pakistan's defense and intelligence services.
The infestation apparently took advantage of the same weaknesses in WhatsApp that enabled Pegasus to be installed in devices belonging to journalists and activists in India.
The Indian cases appear to have been potentially instances of domestic surveillance.
Their discovery prompted a public scandal and parliamentary inquiries in India. The Pakistani case seems, the Guardian says, to represent state-on-state espionage.
Pakistani diplomatic missions the Guardian contacted had no comment on the reports.
Deep Instinct's dissection of Legion Loader, which we saw yesterday, displays an impressive mix of bad things.
ZDNet calls Legion Loader a grab bag,
including, as it does, information-stealing Trojans, a remote backdoor, a crypto-jacker,
and a cryptocurrency stealer. In all, Legion Loader packs at least six, count them, six,
varieties of badness in that grab bag. The three information-stealing Trojans are VDAR,
which specializes in culling personal information,
including screenshots and data that may be stored in two-factor authentication software.
The second Trojan is Predator the Thief, which not only steals data but can pull images from the infected machine's camera.
And the third Trojan is the new, powerful, and customizable Raccoon Stealer.
In addition to these three Trojans, Legion Loader installs a remote desktop protocol-based backdoor to give the hoods running the campaign the ability
to return, re-attack, and stage new malware. The last two malicious programs bundled both
have an interest in cryptocurrency. One is a PowerShell-based cryptocurrency stealer
that prospects and loots any altcoin wallets it finds.
The second is a cryptojacker, a cryptocurrency miner that uses the victim machine to mine for its own coin.
It's also being used in a high-volume campaign which Deep Instinct calls Hornet's Nest,
in view of the swarm of malicious code that arrives with Legion Loader.
That said, it's still unclear how the malware is being spread
and what infection vectors are being used.
None of the hornets in this particular nest are particularly sophisticated or novel.
Indeed, they can be found traded in various dark web markets
and represent commodity malware.
It looks very much like a dropper-for-hire campaign,
and Deep Instinct
thinks Legion Loader is under active development as its masters improve their wares. Signs in the
code, Deep Instinct says in their report, point to the author or authors of Legion Loader as being
Russian-speaking coders. These are in all likelihood criminals as opposed to intelligence or security services.
And while Hornet's Nest is a swarm of commodities, it should nevertheless not be underestimated.
Sometimes quantity has a quality all its own, and Legion Loader delivers quantity.
Britain's Financial Conduct Authority is investigating a possible case of eavesdropping on Bank of England press conferences. High-speed traders are thought to have hacked access to the press conferences
slightly before they became publicly available,
and this would have given them material information a few seconds early,
which can be, as Law360 points out, a considerable advantage in trading.
The city of Frankfurt, a German and European financial hub,
shut down its municipal networks after they were infected with Emotet, ZDNet reports.
The city is in the process of recovery. Emotet can be used to deliver a variety of other infections, and recently it's been associated with ransomware attacks.
There are a number of topical, pop-culture and current-events spam campaigns in progress, as you'd expect at this time of year.
Okay, first of all, as Ms. Swift would probably say, ZDNet reports that Taylor Swift images have been found to conceal cryptojackers.
Oh, barf. Since it's Swiftmas, we should have seen that one coming. Totes.
There are a lot of dodgy holiday e-cards in circulation, including hokey invites to office parties.
There are also bogus season's greetings purporting to be from climate activist Greta Thunberg,
which are no doubt intended to appeal to the naive, people thrilled to click before they reflect that Miss Thunberg is unlikely to have actually emailed them.
Proofpoint warns that these particular greetings have been serving up
Emotet, piping hot. And of course, there's the new Star Wars movie, Rise of Skywalker. Have you seen
it? Anywho, PCMag and lots of other media outlets are saying that phony Rise of Skywalker files are
carrying malware. That's not only the obvious come-on offers of pirated copies, which anyone
should of course steer clear of,
but also some innocent-appearing trailers.
Reach out with your feelings and discern the stuff that's no good for you.
Otherwise, the malware will be with you.
Always.
And finally, the question of what operating system Russian President Putin
really has on his personal machine remains very much up in the air.
Could it really be Windows XP, or is this some elaborate disinformation campaign?
It's tough for Americans to tell. In matters Russian, we feel like a nation of poker players up against a nation of chess players. Both have their strengths, but you're not playing the same
game. On the one hand, you have quick estimation odds and willingness to take a risk and trust your luck.
On the other, you're negotiating a complex but deterministic system where luck never plays a part.
But over in the UK, Naked Security is asking the really important question,
if Mr. Putin is really using XP, is he also using an older version of Office, complete with Clippy,
the helpful anthropomorphic paperclip?
Naked Security asks, is Clippy telling the Kremlin,
it looks like you're trying to destabilize another country's democratic process using an army of fake social media accounts.
Would you like help?
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash
careers to learn more. Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of
new members discover they've already been breached. Protect your executives and their families 24-7,
365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Craig Williams.
He's the director of Talos Outreach at Cisco.
Craig, it's always great to have you back.
We wanted to take a chance to take a look back.
You all recently published your Talos Vulnerability Discovery Year in Review, looking back at 2019.
Take us through what are some of the highlights here.
Well, so every year our vulnerability research team decides that they're going to target certain things, right? And their overall goal is to find
vulnerabilities and software that we use every day, right? And so that can include desktop software,
office software, and everything in between, right? Anything from your thermostat to your laptop to
your 3D printer, potentially. We did have a really interesting finding this year, and that this was the first year
where we had more vulnerabilities discovered in ICS platforms than non-ICS platforms.
And so what that means is basically, you know, when we started looking at IoT devices,
we found lots of issues. I know there's the pessimists out there,
right? One or two. Yeah. You know how the internet is. Everybody's mostly positive.
But there might be people out there who would think that, hey, well, that means IoT devices
aren't secure. You know, I saw that newspaper article about the ring doorbell getting hacked
and therefore I don't want one. You know, the whole song and dance.
But I think this is actually a positive thing, right?
When I look at this and I think about the way that software works, you know, the fact
that all software has bugs, right?
It's the nature of the beast.
Basically, what it means is that, you know, IoT companies are taking software more seriously.
They're looking for issues.
Of course they're finding issues, right?
If you look at any piece of software, you're going to find issues.
What we can say here is that we found issues.
We worked with the vendors to address them.
Their maturity model is improving.
And I think what we're seeing are definite steps in the right direction.
So we were surprised and we were very pleased with how it turned out.
So really reflecting, I don't know, a maturation of the ecosystem overall?
I think so. I think that's a great way to think about it. You know, one of the jokes we used to
tell was that IoT was stuck in the 80s, or maybe if you wanted to be generous, early 90s.
Yeah.
And, you know, and the reason we say that, you know, it's tongue in cheek.
But the reason we would say that is because you would see vendors when you would report
a security issue, deny that it was an issue or they would say, well, that's not feasible.
No one's going to connect that to the Internet.
And it's like, bro, have you seen the Internet?
And so I think those realities, those denials that used to come
in to try and like basically not fix things have gone out the window. People are realizing that,
yes, you know what? Local devices can be targeted. Even if it's not accessible to the internet,
it's still a serious issue because someone could be compromised behind it. Think about it, right?
Like you don't want to have a refrigerator that you can get remote code execution on through say, you know,
some sort of Linux overflow vulnerability inside of a Starbucks because somebody could walk into
the Starbucks, scan the network. They don't know it's a refrigerator. They see, you know,
what looks like potentially a low end Linux box. It's very old. It's unpatched. It gets exploited.
And then all of a sudden,
they control the refrigeration unit for that store.
And all kinds of nefarious things can happen.
And so I think things like that,
stories like devices and things being held for ransom
are what's helped push this along.
And I think with any industry,
we certainly saw growing pains.
We certainly had our share
I think the record holder for VulnDev time to patch is held by a certain IoT vendor. Now I'm
happy to say that the issue was fixed, but I think what we're seeing here has taken it from that
original vulnerability we found years ago to a place now where not only are IoT and ICS
vulnerabilities something we find, but we routinely find and we routinely work with
vendors to get them fixed. So I think overall, it's a very positive message. It's saying that
the vendors are working with us. They understand security. They're not perfect, right? Nobody ever
is, but they're taking great steps and they're on the right path.
And I think it's an awesome outlook for 2020.
Give me some insights here.
In your publication here, you group together IoT and ICS.
And obviously, IoT is Internet of Things.
ICS is Industrial Control Systems.
I guess in my mind, my initial reaction when I hear IoT, I tend to think toward consumer devices.
And I don't think of ICS stuff as being consumer devices.
What's the rationale here for lumping them together?
It's a little bit like debating politics, right?
There's definitely valid views on both sides.
Now, the reason we lump it together is because when you look at it
from a device perspective, from a hardware perspective, from a software perspective,
they're almost always the same, right? The equipment on my TV is going to be the equipment
in any potential industrial display, or at least very similar to it. The software stack is going
to be very similar to it. The open source libraries used are going to be the same.
It's almost always going to
be a Linux BusyBox-based install running probably the exact same protocols or very similar protocols.
And so just for simplicity's sake, we tend to lump them together.
All right. Well, the report is Talos Vulnerability Discovery Year in Review for 2019.
Craig Williams, thanks for joining us.
Thank you.
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
My guest today is Bob Ackerman. He's Managing Director and Founder of Allegis Cyber Capital,
an early-stage venture capital firm. Prior to starting Allegis Cyber Capital,
Bob was the President and CEO of Unisoft Systems, a global leading Unix systems house, and founder and chairman of Infogear Technology
Corporation, a pioneer in the original integration of web and telephony technology. Full disclosure,
he is also among the leadership team at DataTribe, which is an investor in the CyberWire.
Our conversation focuses on his insights on where VC funding for cyber is heading in the coming year.
Well, I think there's a growing appreciation for a number of aspects of the cyber environment from
an investor's perspective. I think, number one, we've all witnessed sort of a massive influx of capital into the cyber innovation ecosystem.
I think there is concern today that the sector may be overcapitalized, overinvested in.
I think that's probably a legitimate concern.
So I think investors are becoming more discerning as they look at the cybersecurity marketplace.
So looking forward to the year ahead, what areas within cyber have your attention?
What has your gaze?
Well, I think one of the things that I'm spending a fair amount of attention on is how do we get better at managing?
You know, so much of what we do today is basically a knee-jerk reaction.
You know, we do the best we can. We deploy as many tools and technologies as we can to secure our infrastructure, to secure our data.
But sometimes it reminds me a bit of whack-a-mole, you know, just trying to stay ahead of the evolving threat landscape.
And I think we've taken that approach out of necessity as we try to catch up with the various threat
vectors. But I think we need to transition to a more holistic view of cyber risk. And we need
to manage cyber as a risk type. And we need to get better tools and better technologies to
understand our exposure. With all of the pitches that you see, and you see a lot of pitches,
is there a pattern?
Are there things that make people stand out from the crowd, things that draw your attention and make you want to dig in and take a closer look?
Cyber is not something that you can pick up along the way.
Cyber is something where you have to have a solid foundation upon which to build if you're really going to do innovative things. You know, if you look at our playbook, that reflects itself in our bias towards engineers coming out of the intelligence community,
either deep data science engineers coming out of the intelligence community or former offensive engineers coming out of the intelligence community.
So if I go back to your question about when we're being pitched by entrepreneurs, we parse very, very quickly based on folks that have got a career
of domain expertise and those that don't. And so we select for entrepreneurs that have spent
their careers in cybersecurity. That's Bob Ackerman from Allegis Cyber Capital.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in
Maryland out of the startup studios of DataTribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Thank you.
AI and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.