CyberWire Daily - Phishing for poll watchers. Impersonating Intrusion Truth. Data breach at the LDS Church. SpaceX asks for help paying for Ukraine’s Starlink. Killnet’s potential. The gamer’s attack surface.
Episode Date: October 14, 2022

County election workers find themselves targets of phishing. Impersonating Intrusion Truth. The LDS Church discloses data compromise. SpaceX asks for Starlink funding. Does Killnet have potential to do more damage than it so far has? Deepen Desai from Zscaler on Joker, Facestealer and Coper banking malware on the Google Play store. Our guest is Maxime Lamothe-Brassard of LimaCharlie to discuss how cybersecurity is following in the footsteps of software engineering. And the gamers' attack surface? It's big, big, really big, Noobs.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/198

Selected reading.
2022 Election Phishing Attacks Target Election Workers (Trellix)
Suspicious Twitter accounts impersonating research group try to blame the NSA for Chinese hacks (The Daily Dot)
Statement and FAQ on Church Account Data Incident (Church of Jesus Christ of Latter Day Saints)
Exclusive: Musk's SpaceX says it can no longer pay for critical satellite services in Ukraine, asks Pentagon to pick up the tab (CNN)
Killnet: don't underestimate the "script kiddies," experts say (Cybernews)
Gaming Is Booming. That's Catnip for Cybercriminals. (New York Times)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
County election workers find themselves targets of phishing,
Impersonating Intrusion Truth.
The LDS church discloses data compromise.
SpaceX asks for Starlink funding.
Does Killnet have potential to do more damage?
Deepen Desai from Zscaler on Joker, Facestealer, and Coper banking malware on the Google Play Store.
Our guest is Maxime Lamothe-Brassard of LimaCharlie to discuss how cybersecurity is following in the footsteps of software engineering.
And the gamers' attack surface, it's big.
Really big.
It's big.
Big.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 14th, 2022. Researchers at Trellix have observed a spike in phishing emails targeting county election workers in Pennsylvania and Arizona ahead of the states' upcoming midterm elections. The emails are attempting to steal credentials or trick the users into downloading malware.
The researchers note that an attacker could use this access to achieve several goals, election interference, collection of political intelligence, or conventional cyber-criminal profit-taking through sale of stolen credentials.
None of these, of course, are mutually exclusive goals.
Researcher Dominic Alvieri tweeted that an unknown group is impersonating Intrusion Truth in an attempt to misidentify APT41 as an NSA operation. APT41 is the Chinese threat actor that carries out state-directed operations
while engaging in the occasional for-profit side hustle. It's not convincing. There's much mystery
about APT41. It's also known as Wicked Panda. They're not the NSA. And you can
read all about them in the FBI's Wanted poster, among other places, which comes complete with
five mugshots of the Wicked Panda boys. Who is Intrusion Truth? It's an anonymous, so far
unattributed group that for several years has devoted itself to outing Chinese cyber
operators. The impersonation would seem to be a clumsy attempt to discredit both NSA
and attribution of APT41 to China. The Church of Jesus Christ of Latter-day Saints yesterday
disclosed that it had detected in March unauthorized activity in certain computer systems
that affected personal data of some church members, employees, contractors, and friends.
The disclosure was delayed until this week at the request of law enforcement,
who asked for the information to be held to protect the integrity of the investigation.
It's not known publicly who was responsible for the intrusion, but the
church's statement says, U.S. federal law enforcement authorities suspect that this
intrusion was part of a pattern of state-sponsored cyber attacks aimed at organizations and governments
around the world that are not intended to cause harm to individuals. The church described the
scope of the data exposure, stating,
The breached systems contained personal data, including basic contact information,
of members of The Church of Jesus Christ of Latter-day Saints. The data accessed may include,
if you provided it, your username, membership record number, full name, gender, email address,
birth date, mailing address, phone number, and preferred language. The affected data did not

Starlink founder Elon Musk tweeted last week that this operation providing Starlink service to Ukraine has cost SpaceX $80 million and will exceed $100 million by end of year.
CNN now reports that Starlink has said it can no longer bear the cost out of pocket of delivering resilient Internet service to Ukraine.
The company has asked the U.S. Department of Defense for funding.
SpaceX's Director of Government Sales wrote the department early in September to say,
We are not in a position to further donate terminals to Ukraine
or fund the existing terminals for an indefinite period of time.
There's no immediate word on the Pentagon's plans,
but Starlink has become essential
to Ukrainian command, control, and communications, and it seems unlikely at a time when Western
material support for Ukraine is rising that the service will be permitted to lapse.
Killnet, an auxiliary under the direction of Russian intelligence services, has so far shown itself capable of little more than minor DDoS operations and website defacements.
But an essay in CyberNews argues that it would be a mistake to dismiss the group
as unlikely to ever amount to more than a low-skilled collection of script kiddies.
Killnet had been a known criminal group before turning its attention
to operations designed to advance the cause of Russia. It was a botnet-for-hire operation,
and the group's criminal background and the support of the Russian state suggests that it
could be quickly augmented with the personnel and tools necessary to pose a more serious threat.
On the other hand, of course, it's always possible that Killnet has peaked
and won't get beyond its present punk-with-a-spray-can identity,
hanging out on virtual street corners, sniping butts, and throwing rocks at cars.
Let me ask if any of you are gamers.
There's no shame in that.
The New York Times has an appropriately lurid account of how the current enthusiasm for online gaming has translated into increased criminal activity in that corner of the world.
So let's say you game, as the Times puts it, to cast spells, kill zombies, and compete as your favorite athletes.
Maybe your guard is down, because after all, it's zombies.
But the real hoods are up and active. Given the sort of disinhibition one can feel in the middle
of crushing it with cascade effect or even doing the Fortnite dance, your attack surface can be as
open as a biome in a spleef. The rise of in-game purchases has opened up opportunities for scam artists.
The amounts are often small, a few dollars, even a few cents, but as is so often the case with scams,
the secret is, as Crazy Eddie used to say, volume.
Who's going to think it worth their while to investigate the loss of 60 cents?
One father of a disappointed Roblox purchaser pointed out to the
Times. But the gaming world has bigger risks. Consider cheat codes, popular among the competitive
but lazy segment of the gaming community. The Times summarizes some conclusions from Kaspersky,
stating, criminals can use fake cheat programs to disable a target's computer and steal information.
In Kaspersky's analysis of threats to 28 popular games,
the company found thousands of files of this type,
which affected more than 13,600 people from July 1st, 2021 to June 30th, 2022.
So, game with caution, friends, and don't cheat, and stay in school.
After the break, Deepen Desai from Zscaler on malware on the Google Play Store. Our guest,
Maxime Lamothe-Brassard of LimaCharlie, discusses how cybersecurity
is following in the footsteps of software engineering. Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Maxime Lamothe-Brassard is CEO and co-founder at security infrastructure as a service provider,
LimaCharlie. I spoke with him about his notion that the cybersecurity of tomorrow
will look a lot like the software engineering of today. We talk about software engineering
really because that field has had a similar kind of trajectory as an industry. What I mean by this is there was a point where software development or software products,
like the industry of building software, was a very highly specialized one.
And it was very inaccessible. You had a lot of products that were sort of in the boxed software realm.
You wanted a database.
You had to go and buy the shiny box database from one of the three vendors that had the secret sauce to do database in the world, in the enterprise space.
And what happened is that the industry matured a whole lot. And people started really understanding the big pieces,
the big underpinning concepts that allowed for what modern software development is,
which is, hey, all of a sudden, everybody knew what a relational database was.
Everybody knew what a virtual machine was, what maybe a load balancer was.
So people really got to the point where a lot of
those concepts were very well understood by everybody in the industry. And as that happened,
what we saw was the AWS come through. And AWS, I think, for me, is like a catalyst of
modern software development where we're saying, hey, if you're doing software development,
you don't have to rebuild every single piece
at every single kind of company
where you're building software.
But instead, you're able to reuse the parts
that everybody understands how to build them.
And as you do that,
is how you get to the point where
you can start reasoning around
software development in the modern enterprise in really nice ways because you're demystifying
a lot of the big underlying components. So now you're able to plan how you're going to do a
certain product, explain it to people in different industries,
explain it to leadership, and then produce a repeatable process around that.
So all this to say, security, I think, is getting to that same kind of spot where
security is no longer the really kind of arcane knowledge that a couple of people
possess and people aren't talking and everybody thinks about it differently.
But rather now, people are getting to the point where we have things like the MITRE framework, the MITRE ATT&CK framework,
which is a common way for everybody to think about security and the types of attacks, the types of techniques and threats. And as we're putting those
pieces of shared understanding in the industry, right, at the core of everything that we do,
now we are getting to the point where we can start talking about how we're going to defend
against a specific attack, how we're going to detect it, what it looks
like, how it can be tested against, which is one of the really core things in software
development.
And as you put those pieces of the puzzle all in a line, what you end up with is a very
similar kind of mentality to software development, where we're able to, hey, let's
start planning about what things need to be done, how we're going to do these things,
how they're going to work together to be assembled, what's the outcome going to be, and how we're
going to keep that process going into the future to make sure that we keep a lot of
the value that we build and we test against it.
So it's kind of a long answer to say that really it's just a similar kind of trajectory
that leads to a more mature industry, how we reason about security.
It strikes me that these sorts of transformations can often happen in fits and starts. And, you know, I've heard several people say that we really need to shed this kind of rock star mentality where, you know, there are some
cybersecurity superstars out there, you know, names we all know, but if we're going to reach
a level of professionalization, we can't continue down that path. And I'm curious what your thoughts
are on that. It's a very interesting
question. I think that's a partially correct statement. Here's what I mean. You know,
those rock stars, right, I think are a symptom, positively, I mean that, of the fact that a lot
of people in cybersecurity came to cybersecurity because of passion, because it was a field where
they could really push the
boundaries, do more different things, really cool things, kind of go outside the envelope,
the challenge. So all those positive feelings, I think, are very precious. And it's a great thing
for us as an industry to try to keep those, right? I think that's the positive side of what we want to keep.
Now, where that statement is correct is that we want to move past that point so that we're not
just relying on this idea of, I have three different people and they're amazing.
How exactly? Well, they're doing a bunch of different things. That's good. But that does
not make, to this point, a reliable, well-understood path to becoming more secure.
It's not a reproducible process. It's one that can work in some cases, but not everybody can
have that. So I think where the sweet spot is for us is to be able to
keep growing the maturity in terms of repeatability and the software engineering
approach to things and really define that as the framework by which we want to grow. And then I think, in my opinion, what it means is that those, you know,
those rock stars are, you know, I'll kind of shift that in terms of saying those very passionate people are able to still, you know, tap into that passion and drive a lot of value,
but to do it in a way that very predictably benefits the company.
That's Maxime Lamothe-Brassard from LimaCharlie. There's a lot more to this conversation.
If you want to hear more, head on over to the CyberWire Pro
and sign up for Interview Selects,
where you'll get access to this and many more extended interviews. And joining me once again is Deepen Desai.
He is the Chief Information Security Officer and Vice President of Security Research and Operations at Zscaler.
Deepen, it is always great to welcome you back to the show.
I wanted to touch base with you today on some stuff that you and your colleagues are tracking.
This is some malware on the Google Play Store.
What are you all looking at here?
Thank you, Dave.
Yes, so we have a mobile and IoT threat team that is continuously tracking different sources
for threat actors trying to push those mobile malware
onto the devices, user devices.
So as part of the tracking activity,
we do monitor apps that are being downloaded
through our cloud from even official locations like Google Play Store.
So in the recent research,
we talk about three different families
for which we observed the apps making it
on the Google Play Store.
And there were more than 300,000 downloads combined
that we observed for these apps, which were actually malicious in nature.
Well, let's go through them one at a time here. What were you all looking at?
Yeah, so there were three different families involved. The very first one is a fairly
prominent malware family. It's the Joker malware. It's known to target Android devices. And despite
public awareness of this particular family, it keeps finding its way into Google's official
app store by regularly modifying the malware's trace signatures. So including things like how
do they update their codes, execution methods, and payload retrieving techniques.
That's Joker malware.
The second one that we noticed was Facestealer ... banking trojan that's targeting various banking applications in Europe, Australia, and South America.
Are there any things that stand out about these three?
Anything particularly clever about the way that they're going about getting themselves onto the Play Store?
Yeah, I'll mention a few things here.
I mean, look, Google is doing a great job
of tracking this, vetting it in their sandbox,
and they do end up removing hundreds,
if not thousands of these before they ever make up,
before they ever show up on the Play Store.
But there are these more sophisticated families
that continue changing their tactics.
So one of the techniques that we've seen
being more and more successful
is where they're pushing this initial app,
which is then known to download stage two payload
from a different location.
And that location may be serving something completely benign
until the app is live on Google Play Store.
So the payload retrieving technique,
in fact, we saw as part of the code itself,
where they will check, is the app live on Google Play Store?
And if the answer is yes,
then the download that will result
from the destination
will be actually Joker malware payload.
So that's one of the things
that we're seeing being fairly successful
in evading some of the checks
that are being performed.
The second thing is where
they will continue to segment the code, obfuscate the code, and change the execution flow as well to match at times some of the legitimate applications.
And that's where probably it's, again, getting through those static analysis modules that might be running on Google's side.
One thing I'll mention, though, we've discovered, say, if I were to talk about the Joker payload,
we saw more than 50 different Joker downloader apps in Play Store.
As soon as we reported to the Android security team,
they were fairly quick in taking those down.
So the response time, the tracking time,
is very good from Google's part.
What is an Android user to do here?
I mean, obviously, the Google Play Store, in terms of sourcing your apps, is a relatively safe place to do this.
Are there any additional steps people should be taking to help protect themselves against these sorts of things?
Yeah, so sticking to the official Play Store is always the first thing.
I mean, yes, some of these apps were found on Google Play Store,
but still, that's very, very safe compared to third-party app stores
where the chance of you hitting one of these malicious apps will be much higher.
So that's number one.
Number two is, it's always a good idea to do a second level check
where install apps that have very high install numbers,
relatively positive reviews.
The developer is a known developer as well.
So having that second level check done always helps for the end users,
especially if the app is asking for a lot of permissions. One permission that I'll mention
for the listeners, a very important one, don't grant notifications listener permissions
and escalated accessibility permissions to apps that
you don't fully trust. The notifications listener service specifically enables the application to be
added to enable notification listener provider. And in simple terms, what this means is this app
will be able to read notification,
and it includes critical access notifications like auto-generated one-time passwords and PIN codes.
So they're able to bypass two factors if you give that level of permission to some of these untrusted apps.
All right. Well, good advice as always.
Deepen Desai, thanks for joining us.
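The permission advice in the interview above (don't grant notification-listener access to apps you don't fully trust) can be turned into a quick audit. The script below is an added example, not code from the episode, from Zscaler, or from Google. It assumes the value of Android's secure setting `enabled_notification_listeners`, which on a developer-enabled device can be read with `adb shell settings get secure enabled_notification_listeners`; the value is a colon-separated list of flattened component names (`package/ServiceClass`), and an unset value prints as `null`. The sample setting string and the trusted-package allowlist are constructed for the example.

```python
"""Audit which Android apps hold the notification-listener permission.

Added example, not code from the episode or from Zscaler. It assumes the
string value of the secure setting `enabled_notification_listeners`, e.g.
obtained with:

    adb shell settings get secure enabled_notification_listeners

Format: colon-separated flattened ComponentNames ("package/ServiceClass");
a class written as ".Foo" is shorthand for "package.Foo"; "null" means unset.
"""
from __future__ import annotations

# Constructed sample of what the setting might look like on a device.
SAMPLE_SETTING = (
    "com.android.systemui/.statusbar.notification.NotificationListenerStub:"
    "com.example.wearcompanion/com.example.wearcompanion.ListenerService:"
    "com.freegame.coinbooster/.svc.NotifReader"
)

# Constructed allowlist: packages the device owner has decided may read
# notifications (and therefore one-time passcodes delivered as notifications).
TRUSTED_PACKAGES = {
    "com.android.systemui",
    "com.example.wearcompanion",
}


def parse_listeners(setting_value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified service class) pairs.

    Handles the empty / "null" value adb prints when nothing is enabled and
    expands the ".Service" shorthand to its fully qualified class name.
    """
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    listeners: list[tuple[str, str]] = []
    for component in value.split(":"):
        component = component.strip()
        if not component:
            continue
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        listeners.append((pkg, cls))
    return listeners


def untrusted_listeners(setting_value: str, trusted: set[str]) -> list[tuple[str, str]]:
    """Return the listeners whose package is not on the trusted allowlist."""
    return [(pkg, cls) for pkg, cls in parse_listeners(setting_value) if pkg not in trusted]


if __name__ == "__main__":
    flagged = untrusted_listeners(SAMPLE_SETTING, TRUSTED_PACKAGES)
    for pkg, cls in flagged:
        print(f"UNTRUSTED notification listener: {pkg} ({cls})")
    if not flagged:
        print("No untrusted notification listeners enabled.")
```

Any package the script flags is one that can read every notification on the device, including auto-generated one-time passwords; revoking its access in Settings (Notification access) closes that path. The same parse-and-compare approach works for the accessibility-service setting the interview also warns about, with the corresponding secure key substituted.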
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday
and my conversation with Brigid O'Gorman
from Symantec's Threat Hunter team.
We're discussing Noberus ransomware.
DarkSide and BlackMatter's successor
continues to evolve its tactics.
That's Research Saturday.
Check it out.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Trey Hester, Brandon Karpf, Eliana White ... Thanks for listening.
We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your