CyberWire Daily - Ransomware updates. ShadowPad backdoor may have got into the supply chain from a Chinese APT group. Apple Secure Enclave decryption key released. Profexor and Fancy Bear. Misconfigured AWS S3 exposes voter data. Countering extremism online. FBI continues
Episode Date: August 18, 2017
In today's podcast, we hear that ransomware strains, old and new, are circulating in the wild. ShadowPad backdoors are tentatively attributed to Chinese espionage operations in the supply chain. A hacker releases the decryption key for Apple's Secure Enclave. Profexor may actually not know much about Fancy Bear's romp through the DNC. Another misconfigured AWS bucket exposes data on voters in Chicago. The difficulties of countering extremism online. Malek Ben Salem from Accenture Labs on the cloud security maturity model. Joseph Carson from Thycotic on the evolution of phishing campaigns. The FBI has a roadshow warning companies of the risks of using Kaspersky security products.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ransomware strains, old and new, are back in circulation.
ShadowPad backdoors are tentatively attributed to Chinese espionage operations in the supply chain.
A hacker releases the decryption key for Apple's Secure Enclave.
Profexor may not actually know much about Fancy Bear's romp through the DNC.
Another misconfigured AWS bucket exposes data on voters in Chicago.
The difficulties of countering extremism online.
And the FBI has a roadshow warning companies of the risks of using Kaspersky security products.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, August 18, 2017.
Ransomware, old and new, rampant and defeated, is back in the news at week's end.
Spam, representing itself as distribution of a court order,
is in fact distributing a newly observed strain of ransomware.
Observers at security firm Emsisoft say SyncCrypt avoids detection
by concealing its malicious zip file inside a JPEG image.
There's as yet no free decryptor available for affected systems.
Emsisoft points out that SyncCrypt's method of distribution is highly effective because
most antivirus products aren't detecting the JPEG files that carry the ransomware as malicious.
Only one product in VirusTotal, Dr.Web, detected SyncCrypt as malicious when Emsisoft ran its samples through.
Two older varieties of ransomware, Locky and Mamba, are back in the wild, circulating in evolved and unfortunately enhanced forms.
Locky had been largely quiet in 2017 after hitting hospitals last year.
Security company Malwarebytes notes that it returned in a large campaign on August 9th.
Locky traces its coding heritage to the Dridex banking trojan, and like Dridex,
the secret to its success seemed to be volume. It's being distributed in a large old-school
spam campaign, delivering either corrupted Microsoft Office documents or malicious zip
files. The new version is reporting through a fresh command and control
infrastructure. Trend Micro and Kaspersky report that Mamba ransomware, also known as HDDCryptor,
is back and being distributed in the IKARUSdilapidated campaign Comodo has been tracking.
Mamba is perhaps best known for its 2016 use against the San Francisco Municipal Transportation Authority.
It encrypts hard drives as opposed to simply making files unavailable,
and the ransomware is commonly spread by corrupted websites.
There is some good news on ransomware.
This from Avast.
The Prague-based security firm has developed and released a free decryptor for LambdaLocker.
So, bravo, Avast.
NetSarang, South Korean maker of widely used enterprise connectivity products,
acknowledges that recent builds of its software are afflicted with ShadowPad backdoors.
The vulnerability appears to have been inserted from the company's supply chain as it ran through China.
Similarities to tools and procedures used by PlugX malware
lead Kaspersky researchers to attribute the backdoor to the Chinese Winnti APT espionage group.
NetSarang patched the flaw in its August 5th builds, which Kaspersky says is fast work.
Users are urged to stop using old versions and update promptly.
In other patching news, Cisco has fixed two serious bugs in its application policy infrastructure controller, and Drupal addresses access bypass issues in its CMS software.
Beyond Security has disclosed a proof-of-concept Chrome exploit.
Google will not patch older affected versions of Chrome, instead advising users to move to the current version.
A hacker going by xerub has published the decryption key
for Apple's Secure Enclave processor firmware.
The Secure Enclave coprocessor within iOS
handles cryptography for data protection key management.
Mostly it processes Touch ID,
unlocks the phone with the user's fingerprint,
and approves purchases the fingerprint sensor authorizes. Apple says user data isn't at risk,
but the leak will give the curious, whether well or ill-intentioned,
opportunities to explore the software. In election hacking and influence operations news,
Profexor, the Ukrainian hacker talking to Ukrainian authorities and the U.S. FBI about Fancy Bear's operations against the DNC during the last U.S. election cycle, may not have any particular insight to offer after all.
The PAS tool he's associated with probably wasn't involved, according to experts, and it was not mentioned in the Grizzly Steppe report cited by the New York Times.
CrowdStrike, the security firm retained by the DNC to fix its security issues,
told Krebs on Security that it did not find evidence of PAS in the DNC's servers,
and the Grizzly Steppe report is itself now regarded as problematic,
more a compendium of behavior observed by various Russian threat actors than a study of election hacking.
There are reports that WikiLeaks declined to publish discreditable information about Russia
that was fed to Julian Assange's leak service during the time it was leaking material from U.S. sources.
This will surprise few who've watched WikiLeaks with attention over the past few years.
When one asks the source of
WikiLeaks releases, a recurrent answer that suggests itself is Moscow. A Washington Post
op-ed expresses the opinion that President Putin overplayed his hand in attempts to manipulate
elections. The efforts probably had little effect on outcomes beyond sowing a degree of mistrust,
surely one of its objectives, but it did anger Washington and put most of Europe on high alert.
There are, of course, other concerns about voting systems,
particularly election-related databases.
ES&S, supplier of voting machines to many U.S. jurisdictions,
learned from an UpGuard warning that it had misconfigured its Amazon S3 bucket,
exposing records on approximately
1.8 million voters. Only Chicago voter data was affected for unknown reasons, and ES&S says it
secured the database. Personal information was publicly exposed, but neither vote totals nor
voter registration were affected. This is the latest in a series of misconfigured Amazon Web Services databases.
It's worth recalling that ensuring such data isn't publicly exposed is the user's responsibility,
but Amazon is trying to help. The cloud provider has introduced Macie, a security service designed
to automatically discover and protect sensitive data in AWS customers' buckets.
U.S. President Trump announced today that U.S.
Cyber Command will be elevated to a full combatant command. The president said in a statement,
the elevation of United States Cyber Command demonstrates our increased resolve against
cyberspace threats and will help reassure our allies and partners and deter our adversaries.
There will also be a review of whether Cyber
Command should split from NSA, where it was spun up less than a decade ago. That review will be
led by Defense Secretary James Mattis. CyberScoop reports that the FBI is quietly
advising companies, for OPSEC reasons, to stop using Kaspersky products. The Bureau's
counterintelligence officers have been briefing
companies on the threat they think the Russian company's software could present and urging them
to stop using it and to refrain from including it in new products. Users of industrial control
systems, especially in the energy sector, are receiving the briefings on a priority basis.
Kaspersky says the suspicions are baseless. The FBI briefings are having a mixed effect.
Big tech firms are relatively unreceptive, but big SCADA users, spooked in part by Russian
operations against the Ukrainian grid, are said to be listening attentively.
And I'm pleased to be joined once again by Malek Ben Salem. She's the R&D manager for security at
Accenture Labs. Malek, welcome back. You wanted to take us through today a cloud security maturity model.
What do we need to know about that? Yeah, so we know that organizations are
continuously moving operations to the public cloud, but as they do so, they need to protect
their sensitive workloads. So my colleagues at Accenture Security, and in particular Dan Mellon, have worked on a cloud security maturity model where they came up with five simple steps to follow in order to climb that security maturity ladder in the cloud. The first step is to supplement the cloud provider's built-in security features with third-party security packages designed specifically for the cloud.
Many organizations basically use their existing on-prem security tools
and they start applying them to the cloud.
But this approach means that they replicate the segmented network architecture of a legacy environment to the cloud,
which also means that they can incur some additional costs, because virtual security appliances must be provisioned and configured within each of the virtual private networks. The second step is to pre-bake security into architectures and design
patterns that are aligned to approved technology stacks. And Amazon, Microsoft, and Google all
offer templates to support a secure configuration directly in their technology stack. The third step
is to streamline the testing and auditing activities by taking a unified
approach to security and providing security functions via an abstraction layer. Through
that abstraction layer, developers can develop and reuse pre-built packaged routines to manage encryption across multiple platforms. So this
obviously reduces implementation variation, it promotes code reuse, and it lowers development
cost. The fourth step that we recommend is to pre-provision some hooks into these workloads
running on the cloud in order to allow some instrumentation and enable an easy integration
of SOC monitoring directly into the critical application data and infrastructure hosted in
the cloud. And then finally, the fifth step is to adopt DevSecOps, a holistic methodology to
achieve security consistency from design through operations.
So, for example, companies could automate the design review and verify that those secure code patterns are integrated earlier
in the software development lifecycle.
By following these steps, we're sure that companies can protect
their sensitive workloads running on the cloud.
All right. Good information as always.
Malek Ben Salem, thanks for joining us.
My guest today is Joseph Carson. He's the chief security scientist at Thycotic,
a cybersecurity company focused on protecting privileged accounts
and providing enterprise password management, among other services.
Our conversation centers on phishing,
specifically how phishing campaigns have grown more sophisticated
in the age of online personal information.
One of my main goals as part of my job and responsibility with Thycotic
is to really understand the techniques and the mechanisms that hackers and cyber criminals use
in order to really manipulate people, in order to really get them to reveal their sensitive information
or to share their credentials or their email accounts and so forth.
So earlier this year, me and the team, we decided to conduct some sample research into some publicly available information
that would allow us to run a really effective campaign.
And what you really look for is, do you have the possibility of gathering the actual email templates,
you know, authentic templates that are actually sent to people?
Can you capture those, and can you actually create and manipulate them in such a way that people share their information, or click on that
link, or enter their credentials, or transfer money? It's time-sensitive, authentic-looking,
and they don't want to wait because it has some elements that mean the penalty is greater.
And one that we decided to run was a vehicle speeding ticket campaign. So of course, with things like speeding
tickets, you look at what times the office location for actually calling in for inquiries
is available. So you find out that the office times are Monday to Friday, nine to five. So the
most effective time and the longest window of opportunity you have is after 5 p.m. on Friday,
because the next available time that you
can call back in to inquire about any type of complaint is on the Monday morning. You target
your schedule to go out at 5.30 p.m. on a Friday evening. Many templates are available, those
speeding tickets, so you can go and look for those templates and gather them from authentic received
speeding tickets and then reuse that template to create your own authentic one. And of course, spoofing the email and the domain that those campaigns of
phishing emails are coming from. And the next thing that you really look into is that a lot of people
have shared personal information. So if you're targeting a specific company, in some countries
the vehicle information is actually available. The make and model of people's cars are available online.
A lot of them are due to, of course, selling and buying for checking for insurance claims or crashes and so forth of the vehicles.
So a lot of that information is available that you can go and gather information about the car model, license plate, and registration details of vehicles, etc.
And also a lot of people have shared things like their home
addresses. So now, with all that information available, what you can now do is intelligently
collect all that information, automate it in such a way that it pre-populates these templates
with the person's first and last name, their home address, their telephone number, their vehicle
information, and then the street close to their home where the speeding ticket was
issued. And then, of course, being time-sensitive. What's great about these types of campaigns is
that when you make it time-sensitive, you say that, okay, if you pay within the next 24 hours, are
you going to fill in this information? If you don't do that within 24 hours, then the penalty
increases. So Saturday, it doubles.
By Sunday, it triples.
So the last thing you want to do is wait till Monday to basically challenge the actual ticket, because the information is so authentic, the source is so trusted, that you don't want to wait because the penalty gets greater and greater.
And this particular campaign, when we ran it, we actually had close to a 100% success rate because of the time sensitivity.
People are willing to sacrifice by clicking, downloading, giving up their information, rather than actually have that type of penalty or legal issue when it comes to Monday.
Now, the interesting thing was that there were a few that did not,
where we weren't successful in gaining the information.
And it was quite interesting that those who finished work on Friday at 5 p.m. and didn't
read their emails until Monday morning, they were the ones, the ones that didn't work on the weekend
were the ones that were able to avoid us actually compromising and gaining access. And the only real
way that organizations can really ensure authenticity is when they get
into making sure that their emails are signed with authentic signatures, that you can check the
trust of those. When organizations are not doing that today, they're really exposing themselves
to being either the issuer of those phishing campaigns or on the receiving end.
So it really makes a point for, you know, I can imagine people going to their boss and saying,
you know, I'm protecting the organization by not checking my email over the weekend.
Absolutely.
And so what happens next when people fall for these sorts of things,
even in a situation like yours where you're really trying to discover the vulnerabilities within a company?
Is this a matter of training your employees?
Is there a technical fix for this?
Absolutely. There's multiple methods.
A lot of the things we end up identifying is that the awareness and education
and cyber hygiene of employees is important.
Also, the technical security controls you can put in place in order to minimize the risk as well.
Things about having
multi-factor authentication is another important area, making sure that the systems on those
machines are up to date and have the latest trusted sources so that when you do enter a spoofed email
in or the URL of the website you're going to is not the authentic one of the company,
that you can actually detect those types of things. So a lot of different techniques can be put in place, but it's really about
protecting the identity of that employee, making sure they are aware of the responsibilities,
and making sure that they can identify potential risks, and then providing technology that really
helps provide that balance between security, identifying, challenging the user to do multi-factor
authentication. So even if we were to compromise those credentials that the user gave us,
we would not be able to use them because multi-factor authentication would be in place.
So really making it much more difficult and also making the awareness of the employee
as best as you can. That's Joseph Carson from Thycotic. There's an extended version of this interview
available to our Patreon subscribers.
You can find out more at patreon.com slash thecyberwire.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
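The SyncCrypt item earlier in the show notes that the ransomware's zip payload rode inside a JPEG that most antivirus engines passed. As an added example that is not part of the CyberWire transcript or of Emsisoft's analysis, the Python below walks the JPEG marker structure to find where the image really ends and then checks whether the trailing bytes carry a ZIP archive. The sample "image" and archive are constructed inline (the JPEG is structurally valid for the parser but not a decodable picture), and the member name payload.bin is a placeholder, not SyncCrypt's actual file name. The check is written for the general case rather than this one sample: it follows any baseline or progressive JPEG's marker layout and reports trailing data even when no ZIP is found.

```python
"""Detect a ZIP archive appended after a JPEG's real End-Of-Image marker.

Added example for the SyncCrypt item: a JPEG viewer stops at FFD9, so anything
after it is invisible to the user but trivially carved out by a dropper.
All sample data below is constructed; none of it is SyncCrypt's actual material.
"""
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the End-Of-Image marker, or -1 if the data
    is not a complete JPEG.

    Inside entropy-coded scan data, 0xFF is followed either by 0x00 (byte
    stuffing) or by an RSTn marker (D0-D7); any other 0xFFxx is a real marker.
    Walking the structure this way is not fooled by FFD9 bytes that happen to
    occur inside an appended payload, which a naive rfind() would be.
    """
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return -1                 # lost sync: a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI reached before any scan data
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 4 > n:
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len            # skip marker and its length-prefixed segment
        if marker == 0xDA:            # SOS: entropy-coded data follows
            while pos + 1 < n:
                if data[pos] != 0xFF:
                    pos += 1
                    continue
                nxt = data[pos + 1]
                if nxt == 0xD9:
                    return pos + 2    # EOI terminates the scan
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos += 2          # stuffed byte or restart marker
                    continue
                break                 # another real marker: back to the outer loop
            else:
                return -1             # ran out of data inside the scan
    return -1


def embedded_zip_report(data: bytes) -> dict:
    """Report how many bytes trail the JPEG and any ZIP members found in them."""
    end = jpeg_end_offset(data)
    if end == -1:
        return {"jpeg": False, "trailing_bytes": 0, "zip_members": []}
    tail = data[end:]
    members = []
    start = tail.find(ZIP_LOCAL_HEADER)
    if start != -1 and ZIP_EOCD in tail:
        try:
            with zipfile.ZipFile(io.BytesIO(tail[start:])) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = ["<ZIP signatures present but archive unreadable>"]
    return {"jpeg": True, "trailing_bytes": len(tail), "zip_members": members}


def _fake_jpeg() -> bytes:
    """Constructed sample: SOI, APP0, SOS, a short scan with a stuffed 0xFF00
    and an RST0 marker, then EOI. Structurally a JPEG, not a decodable picture."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return (b"\xff\xd8"
            + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
            + b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
            + scan + b"\xff\xd9")


def _zip_with(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


SAMPLE_CLEAN = _fake_jpeg()
# "payload.bin" is a placeholder name, not a real SyncCrypt component.
SAMPLE_POLYGLOT = SAMPLE_CLEAN + _zip_with("payload.bin", b"constructed stand-in payload " * 8)

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("polyglot", SAMPLE_POLYGLOT)):
        print(label, embedded_zip_report(blob))
```

Signature-based antivirus looks at the image and sees an image; a structural check at the mail gateway asks a different question, whether a file that claims to be a JPEG has bytes past its End-Of-Image marker, and if so whether those bytes parse as an archive. Flagging any non-trivial trailing data, not only ZIPs, is the safer default, since the same trick works with other container formats.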