CyberWire Daily - Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now.
Episode Date: August 19, 2020
Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now. Whoever's behind GoldenSpy is trying to cover their tracks. WastedLocker ransomware is successful without stealing data. The US Senate Select Committee on Intelligence releases its final report on Russian interference with the 2016 election. Joe Carrigan looks at shady SIM cards. Our guest is Nathan Jones from WhiteCanyon Software on secure data destruction. And an AI company exposes millions of medical records. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/161
Transcript
You're listening to the CyberWire Network, powered by N2K.
Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now. Whoever's behind GoldenSpy is trying to cover their tracks. WastedLocker ransomware is successful without stealing data. The U.S. Senate Select Committee on Intelligence releases its final report on Russian interference with the 2016 election. Joe Carrigan looks at shady SIM cards. Our guest is Nathan Jones from WhiteCanyon Software on secure data destruction. And an AI company exposes millions of medical records.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 19th, 2020.
The phone-based phishing caper that enabled takeover of more than 100 high-profile Twitter accounts is apparently serving as a template for other attacks. Wired reports that a growing number of organizations are experiencing similar copycat approaches with varying but disturbing degrees of success. ZeroFox sees the uptick in vishing attacks affecting not only corporations, but social media influencers as well. Like the Twitter hack, these attacks seem to be launched by young English-speaking troublemakers organizing on Discord and shady forums. But ZeroFox says their techniques are so effective that organizations should prepare to see these tactics deployed by more sophisticated criminals and state-sponsored groups. Voice phishing, also called vishing, isn't new, but in the past it's primarily been used against mobile carriers in SIM swapping attacks. This recent wave of vishing attacks is more wide-ranging and often involves convincing a victim to enter their credentials on a spoofed login page. ZeroFox recommends a mix of training, policy, and technical defenses, quote, training and education, monitoring and preemptive blocking of problem domains, SSO auditing, and employing role-based access best practices for internal panels, end quote.

Authorities in Taiwan have blamed two Chinese government hacking groups, BlackTech and Taidoor, for cyberattacks against at least 10 Taiwanese government agencies, Reuters reports. The Taiwan Investigation Bureau's Cybersecurity Investigation Office said the actors had accessed around 6,000 government email accounts in campaigns that started as early as 2018. Reuters says the victims included at least four Taiwan tech companies that had been providing information services to the government.
Guardicore has found a peer-to-peer Linux botnet, FritzFrog, which it describes as sophisticated, fileless, evasive, proprietary, and aggressive. It has attempted to brute-force tens of millions of IP addresses using an extensive dictionary and has succeeded in breaching over 500 SSH servers, including those of known higher education institutions in the US and Europe and a railway company. The FritzFrog malware operates completely in memory and doesn't attempt to survive reboots, but it leaves a public SSH key as a backdoor, enabling the attackers to return at their leisure. The malware could potentially be used to deliver a range of payloads, but so far seems to have, for the most part, been engaged in cryptojacking systems to mine Monero. The botnet seems to be unique, which is why the researchers call its code proprietary, although it bears some minor similarities with another P2P botnet known as Rakos.

Trustwave's SpiderLabs reports finding five versions of an uninstaller for the GoldenSpy backdoor carried by tax software whose use is required of companies doing business in China. The uninstaller was dropped by an update module to erase GoldenSpy before deleting itself. Trustwave believes the uninstallers were deployed by those behind the GoldenSpy backdoor to cover their traces. The actors issued modified versions of the uninstallers which Trustwave says were specifically designed to evade the YARA rules it published. The researchers conclude that their findings should serve as a wake-up call for organizations because, quote, it proves any actions, including implanting and extracting malware, can be taken covertly and at the will of the attacker with the help of the updater module without impacting the functionality of the Golden Tax software, end quote.
Researchers at Menlo Security warn of an ongoing attack campaign dubbed Duri that's using HTML smuggling and JavaScript blobs, or binary large objects, to download malware onto devices. The malware itself isn't new, but it was previously delivered via Dropbox download links. The attackers have switched to other cloud hosting providers and added the HTML smuggling technique to evade detection.

Securonix released a report on the WastedLocker ransomware attributed to the Evil Corp cybercriminal group. The researchers say the ransomware's operators have been effective at extracting multi-million dollar ransoms in targeted attacks. The ransomware has hit more than 31 organizations, eight of which were Fortune 500 companies. The researchers also confirmed that WastedLocker's operators don't appear to exfiltrate data for the purpose of extortion, although they could easily add this capability in future attacks.
The U.S. Senate Select Committee on Intelligence has released the final volume of its report on Russian interference with the 2016 election. It found that President Putin directed the campaign and set its goals, generally disruptive, but specifically anti-Clinton, and that despite troubling behavior by sometime Trump consigliere Paul Manafort, there was no collusion between the Trump campaign and Russian intelligence services, and that the FBI made loose and careless use of the retrospectively implausible Steele dossier. Democrats emphasize Manafort's counterintelligence problems. Republicans point out that the FBI didn't exactly cover itself with glory in the investigation.
Secure Thoughts reports that artificial intelligence company Cense AI exposed 2.5 million medical records and PII, including names, insurance records, medical diagnosis notes, and much more. The data were left in two folders stored at the same IP address as Cense's website. The information appears to be related to individuals who had been in car accidents and received neck or spinal injuries. The databases were secured on July 8th after Cense was notified by a security researcher, but the company hasn't yet commented on or disclosed the matter.
And finally, the New York Times reports that President Trump said Monday he would pardon a very, very important person on Tuesday. Who it was going to be, he refused to tell, but he did explicitly say that it wouldn't be Edward Snowden. It turns out it was Susan B. Anthony. Mr. Snowden and others will have to wait their turn.
We routinely discuss the many ways organizations go to great lengths to protect their data, using everything from encryption to multiple off-site backups. But what if you need to destroy data, to delete it and make sure it's gone for good? For more on that, we turn to Nathan Jones from WhiteCanyon Software for his insights on secure data destruction.
So if you go back into the '70s, '80s, and '90s, almost every use case was for physical destruction. Whenever you were getting rid of your old laptops, desktops, servers, you would just physically destroy those drives. And we found that that was obviously quite wasteful and unnecessary in a lot of cases. So it really came about because we were looking for a better solution than just destroying everything and everything ending up in a landfill.

So take us through some of the reasons why securely wiping a drive is better than physically destroying it.

It has a lot to do with the audit report that's generated as part of the process. So a lot of what you're having to do is to prove that the data is secure. And part of what the software does is it creates an audit report that says this drive with this unique identifier was wiped at this spec. It started at this time and ended at this time. And then it was performed by this technician. It was done in this location. So that report gives you the context of everything that was done to that drive: when, where, how, all the important information about that. And that's required for meeting standards like HIPAA and NATO and GDPR, where you're trying to meet the requirements that are on you from a regulatory standpoint. So that report is actually quite impossible to do with a physical destruction. So part of the erasure solution is that we're doing this via a secure application where we're going through and we're capturing all this information, we're encrypting the audit reports, so it's impossible to spoof these reports. So just from a compliance standpoint, it's a far superior solution.

What about just the notion of not having so much waste end up in the landfills?

Absolutely. But you've got to make sure you've checked the boxes on the security side and on the compliance side. But then that's the most compelling reason after the security side, is that these devices that have been working in a data center for a couple of years, they could have a second and a third life. And realistically, a lot of these drives, you know, 90% of them plus are still in great shape. They don't have any remapped sectors. You know, they still have 90% of their life left. So these drives that are coming from these giant data centers could then have a second life in more of a mid-range system where these companies aren't wanting to pay top dollar for the top-of-the-line equipment, but these could be repurposed or reused. And when we're talking about laptops and desktops, hey, they could be going to schools or libraries.
That's Nathan Jones from WhiteCanyon Software.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Joe, great to have you back.
Hi, Dave.

Interesting article from Vice, another one from Joseph Cox. This one is titled "The Secret SIMs Used by Criminals to Spoof Any Number." What's going on here, Joe?

So there are these providers of SIMs out there, SIM being the network card that you put into your phone. And these are being called Russian SIMs or encrypted SIMs or white SIMs. And some of the features of this SIM allow you to change the phone number that you're calling from. So when you make a call, you have caller ID information that gets sent along. And it looks like that information can be changed on these SIMs so that when you make the call, you're essentially spoofing a different phone number you're calling from.

And so the way these SIMs are working is that the providers are basically buying up access in bulk to other people's networks?

Right. That's how a lot of these SIMs work. Like Google Fi works this way as well. And the article says these are called Mobile Virtual Network Operators. They have a really great acronym here, the MVNO. All these cell phone terms boggle my mind, Dave. But essentially what it is, is you're piggybacking off the existing infrastructure of another provider like T-Mobile or AT&T or Verizon, and you're striking an agreement with them. And there are a lot of different companies that do this, and they all do them. I think TracFone does this as well. In fact, I know TracFone does this and Mint Mobile does this. A lot of prepaid companies do this, and they make money by selling, essentially reselling, the existing network's phone services for a premium. You know, if it's a prepaid card, it's something that you're, you know, maybe you can't go out and get a regular phone contract, so you have to get a prepaid phone. There's a cost associated with that as well. Google Fi actually is fairly inexpensive. You can get that service starting at around $20 a month, plus they charge you for data. But if you don't use data, you can get pretty good phone service for around $20 a month. But what these people are claiming is that their system is built on top of these other systems, but it's more secure and the information is encrypted and they let you spoof phone numbers. And they also, the SIMs also have the capability of augmenting your voice. So you can disguise your voice, which is interesting to me. I would not have guessed that that capability was built into a SIM. So I don't, I'm not sure what's behind that, but that's an interesting tidbit for sure.

I guess the point here is the danger is that, for example, if I buy one of these and I spoof my phone number as being from, say, a bank, a local bank, or any major service provider. So if I called you up and you looked at your phone and it said, oh, it's my M&T Bank is calling me, or Verizon's calling me. That's a great first step into some sort of social engineering issue.

Absolutely. It's a great way to break that first barrier of getting the phone call answered, right? What's interesting is that, at least in the U.S., this kind of works when people spoof phone numbers. The caller ID system looks up the phone number and then displays the actual company that is calling you, right? So we hear about this, and we talk about this over on Hacking Humans. Somebody is calling, purporting to be from, like, Verizon. I think you even had this happen with your father, right? Somebody was spoofing Verizon's phone number, and it came up as they were Verizon on the phone call. So just spoofing the number is enough to fool the caller ID system.

There's probably some technical solution there that needs to be implemented, right?

Yeah, yeah. That's got to be verified. So yeah, it's a great way to, like I said, break that first barrier of getting the phone call answered. These things are not cheap. This Vice article has a picture of costs in here. To get a prepaid card that works worldwide for one week and functions for one week, $150. But if you want one that works for six months, that's only $250. But even that's kind of expensive, I think. But towards the end of the article, they talk about how these things are being used to evade law enforcement, but they're not entirely effective. You know, you still have to connect to a network and you still have to make phone calls and you still might be connecting to a Stingray device, even though you might not be making your call over that device. It says you may actually give away your location on it. They quote somebody in here who says you cannot be invisible on the mobile network. That's just not possible. And they also make a point that it's really hard to protect yourself against a government that's very upset with you. It's the way they put it in here.

Yeah. Well, and it seems like, I guess, one of the attractive things to folks who may not be up to good things is the sort of don't-ask-don't-tell kind of way that they're selling these. They don't really require any information from you. You can buy one of these pretty much anonymously, plug it into your phone, and you're in business.

Right, exactly. And that's one of the things that all these websites are saying, is that, you know, just send us a Bitcoin, we'll send you the device. In fact, in this article, they sent $100 in Bitcoin to somebody and they got that SIM card the next day.

Yeah, that's service.

Yeah, that's service, exactly.

Right, right. All right. Well, again, it's over on Motherboard, written by Joseph Cox. The title is "The Secret SIMs Used by Criminals to Spoof Any Number." Joe Carrigan, thanks for joining us.

Yes, my pleasure, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.