CyberWire Daily - Pegasus version now affects Android. UK on alert for ISIS infrastructure cyberattack. DPRK tied, again, to Bangladesh Bank heist. Fancy Bear and Turla updates. Samsung Tizen 0-day. Tax season security. 

Episode Date: April 4, 2017

In today's podcast, we hear that Pegasus is now in the Android ecosystem. British authorities warn of possible ISIS cyberattacks on infrastructure. Russia investigates the St. Petersburg metro bombing. New evidence connects North Korea with the Lazarus group. Fancy Bear continues to romp unabated, and Turla seems to have remained quietly active for about twenty years. Zero-days reported for Samsung's Tizen. Our coverage of the Women in Cybersecurity Conference continues, featuring a conversation with Endgame malware researcher Amanda Rousseau. Virginia Tech's Hume Center's Dr. Charles Clancy describes telephony DDoS. Apple issues an emergency iOS patch. Industry notes, and tax season security advice.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners. Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Pegasus alights daintily in the Android ecosystem. British authorities warn of possible ISIS cyberattacks on infrastructure. Russia investigates the St. Petersburg metro bombing.
Starting point is 00:02:07 New evidence connects North Korea with the Lazarus Group. Fancy Bear continues to romp unabated, and Turla seems to have remained quietly active for about 20 years. Apple issues an emergency iOS patch, plus some industry notes and tax season security advice. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, April 4th, 2017. There's some nasty attack code out there affecting Android devices, a version of the Pegasus malware that Lookout found infesting iOS last autumn. Now, Lookout's security intelligence team, working with Google, has found the long-expected Android variant, which you can
Starting point is 00:02:51 call either Pegasus for Android or Chrysaor. It's a sophisticated bit of malware. Lookout says it has the same sort of spying functionality as its iOS counterpart, including screenshot and audio capture, email and browser compromise, and data exfiltration. If it senses that it's been detected, it will delete itself. The good news is that Pegasus attacks seem to be very narrowly targeted. If you, however, find your device infected, Lookout Security asks you to contact them. The British government is again warning infrastructure operators,
Starting point is 00:03:25 especially those concerned with nuclear power plants and airports, to be on alert for ICS cyberattacks mounted by ISIS. We heard from Edgard Capdevielle, CEO of Nozomi Networks, who notes that these warnings began in February, and he thinks they're unlikely to have been ignored. Nonetheless, it wouldn't do to become complacent. Much infrastructure continues to be controlled by older systems which have, given their long life cycles, only relatively recently been connected. He sees one silver lining. Control system traffic tends to be predictable,
Starting point is 00:03:59 which provides a background against which anomalies stand out. Should these concerns prove a real threat, they would indicate a considerable increase in ISIS cyber capabilities, which have hitherto been largely confined to information operations. Russian authorities are investigating suspected jihadist links to yesterday's suicide bombing in the St. Petersburg metro. A Russian citizen is thought to have been the bomber. Kaspersky offers more evidence connecting the Bangladesh Bank fraudulent funds transfers to the North Korean government.
Starting point is 00:04:34 The Lazarus Group is now generally suspected of being a DPRK asset. As U.S. pressure on the DPRK over recent missile launches increases, including efforts to work with China on a bilateral response, and as the Chinese coal embargo bites Pyongyang harder, observers expect a corresponding rise in cyber activity both from and against North Korea. More warnings, this time from SecureWorks, of continued espionage from Fancy Bear, which they're calling Iron Twilight, but it's the same familiar GRU crew. A recent victim, the IAAF, apologizes for the loss
Starting point is 00:05:12 of athletes' medical records to the Russian espionage services. SecureWorks predicts that 2017 will see no let-up in Fancy Bear's operations, which have grown increasingly brazen since the spring of 2016. Another Russian espionage group has been connected to 1998's Moonlight Maze operation against the U.S. Department of Defense. Exactly where this one would appear in a state-cum-criminal organization chart is unclear, but it's the familiar Turla APT. Turla is also known as Snake, Ouroboros, Venomous Bear, or Krypton. The group is still using, and apparently with success, versions of the venerable Loki backdoor. Continuing our coverage of last week's Women in Cybersecurity conference, I sat down with Amanda Rousseau, malware researcher at Endgame,
Starting point is 00:06:03 to learn about her work and the path she took to get there. I'm always looking at security news because I'm following the current threats and trends as they come along. And then what I'll do is I'll look at those independently and try to reverse engineer it or recreate it so that I can create a new detection for it. And it can be either ransomware one day, or it can be APT malware another, or even like kernel level stuff. It all depends on what's the hot new thing at the time. Kind of like following fashion trends. What is the pathway that took you to malware engineering? Like what was, how did that become the thing you were interested in? Well, OK.
Starting point is 00:06:45 So I'll start back when I got into computer science and everything. So I really didn't think I would be doing this field at all. I started out in graphic design, which is why all of my slides and presentations are all pretty. And then once I took a computer science class, I couldn't look back.
Starting point is 00:07:03 And then I heard about what reverse engineers do because my dad was in the Air Force. And he kind of knew about that hacking world. And he would kind of, you know, drill me in conversations on security and protection and all that. And then that's how I learned what reverse engineers did. Reverse engineered it. So I worked my way up through the DOD at the Cyber Crime Center and incident response to get to malware reverse engineering research and development. When you're looking ahead, sort of looking over the horizon and what the challenges are facing people in your field, what are those things? I think it's just plain knowledge of it.
Starting point is 00:07:45 A lot of people don't know about the hacking world, and when they see it on the news, they think it's some type of magic or it's evil. But a lot of people out there, they want to protect other people, and that's how I feel about it. I want to protect the normal person. I want to protect a nuclear power plant. I want to protect the critical infrastructures. But to do that, you know, I need to look at threats and trends and build something
Starting point is 00:08:13 that's actually useful. Coming at this field as a woman, has there been any specific challenges from that point of view, you know, for you to be able to get where you are today? Oh yes, a lot of imposter syndrome all the time. When I started, you know, you're in computer science class and you're like one of the only girls in the class, or one of five in the whole department, and you feel, am I on par with everyone else? Like, what am I doing wrong? But I was actually average. I wasn't bad, I wasn't too, too good. I would understand it and get it, and it was the same in my
Starting point is 00:08:49 career. You know, I was young, I was a girl, I didn't know how to act in a corporate environment, you know, trying to deal with social situations. But you grew, grew that over time, and eventually, you know, you start to gain confidence in what you do. And then that's when you can focus on just your work and not what's going on socially. That's Amanda Rousseau from Endgame. You can hear more from her in our upcoming CyberWire Women in Cybersecurity Conference special edition. She's on Twitter at Malware Unicorn, and it's a feed worth following. Israeli security researcher Amihai Neiderman reports finding 40 zero-day vulnerabilities in Samsung's Tizen OS.
Starting point is 00:09:38 Tizen runs on smart TVs, smart watches, and on some Samsung phones. If exploited, they would give an attacker control over the device. Apple issues an emergency iOS patch to close a Wi-Fi drive-by vulnerability. This is in addition to last week's regular patches. In industry news, Verizon will combine its AOL and Yahoo acquisitions into a unit called Oath, and Intel Security has now spun out and become McAfee once more. And finally, we're just two weeks away from tax filing day in the U.S. Fraudulent returns have, according to experts, resulted in tens of millions of dollars lost.
Starting point is 00:10:13 We'd like to pass on some advice from the encryption company AlertSec. They recommend that businesses protect themselves by using a VPN tunnel with encrypted communications, full disk encryption, multi-factor authentication, and a good firewall. It's familiar advice, but good advice. It's also good to remember that your personal information, always a target for criminals, will receive particular attention this month. So be prudent, stay safe, and happy filing.
Starting point is 00:10:41 Taxes are the price we pay for civilization. Or so we hear. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:11:21 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:54 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:12:41 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company
Starting point is 00:13:31 safe and compliant. Joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, we are certainly familiar with denial-of-service attacks here on the Cyber Wire, but today you wanted to touch base about denial-of-service when it comes to our telephone system. Yeah, there's an interesting new set of control plane attacks that are happening within the landline and cellular telephony infrastructure. Your listeners may be familiar with many of the control plane protocols on the internet. There are similar but different control plane protocols within our telecommunications
Starting point is 00:14:16 infrastructure, with the legacy protocols being SS7 and some of the newer ones with voice over IP all being based around SIP. So in the same way that you can launch a distributed denial of service attack against an IP network, you can do the same thing against a phone number, right? It's a unique identifier, just like an IP address. So there have been a number of cases with an increasing rate of such cases where bad actors have essentially gotten a whole bunch of devices to simultaneously call 911. And what happens is essentially the trunking line from the local landline phone operator into the public safety answering point where there are operators who answer these 911 calls
Starting point is 00:14:59 becomes overwhelmed with calls, and there aren't enough channels in the trunk in order to have additional calls terminated within the PSAP, or public safety answering point. But I guess there is some light at the end of the tunnel. There are some standardization efforts underway right now within the Internet Engineering Task Force that are looking at adding authentication to some of the newer SIP protocols associated with the caller ID, which would give telecommunications companies the ability to start blocking calls rather than having to sort of manually trace them back to the originator. And in terms of overwhelming a 911 system, are the people who are doing this at this stage,
Starting point is 00:15:40 are they simply pranking and testing out their abilities, or is there any sort of ransom component? What's their motivation? Right now, there doesn't appear to be any kind of criminal component associated with it. One of the more recent examples was essentially someone who walked into a cell phone store in Texas and walked around to each one of the display phones in the store and dialed 911 on each of them. And since cell phones are required to place outbound emergency calls, regardless of whether or not they have a SIM card active within them, all of these calls went through despite the fact that these phones didn't have valid SIM cards. So far, there have not been any examples that
Starting point is 00:16:22 are associated, as far as we can tell, with a ransomware type attack or an effort to prevent other people from calling 911 as part of some sort of criminal activity. But many believe that it's only a matter of time before that sort of behavior begins to show up in the landscape. All right. Dr. Charles Clancy, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives
Starting point is 00:17:17 and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:18:13 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
