CyberWire Daily - RATs, backdoors, and a remote code execution zero-day. Hoods breach Mitsubishi Electric. Telnet credentials dumped.
Episode Date: January 21, 2020. A new RAT goes after Arabic-speaking targets. Updates on US-Iranian tension in cyberspace. An Internet Explorer bug is being exploited in the wild; a patch will arrive in February. A pseudo-vigilante seems to be preparing Citrix devices for future exploitation. Mitsubishi Electric discloses a breach. A booter service dumps half a million Telnet credentials online. And tomorrow is the last day to file a claim under the Equifax breach settlement. Joe Carrigan from JHU ISI with the story of a random encounter that set him on his professional path. Carole Theriault speaks with Jon Fielding from Apricorn on whether or not anything has really changed with GDPR, 18 months into it. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A new RAT goes after Arabic-speaking targets.
Updates on U.S.-Iranian tension in cyberspace.
An Internet Explorer bug is being exploited in the wild,
a patch will arrive in February,
a pseudo-vigilante seems to be preparing Citrix devices for future exploitation,
Mitsubishi Electric discloses a breach,
a booter service dumps half a million Telnet credentials online,
and tomorrow is the last day to file a claim under the Equifax breach settlement.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 21st, 2020.
Cisco's Talos unit has described JhoneRAT, a remote-access Trojan currently active against Arabic-speaking targets in Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.
It's custom code, not a commodity attack tool, and its use seems to be part of an espionage campaign. The attack begins with phishing,
offering a Microsoft Word file hosted in Google Drive,
the better to evade detection by email screening tools.
The document itself has the naive name Urgent,
which ought to place people on their guard.
The next step is to induce the recipient to enable editing,
after which the RAT will install itself on the victim's machine.
The malware is also installed in four distinct stages.
Cisco Talos points out that this particular campaign offers a good example of how attackers can make use of cloud services
to render their traffic more obscure and less immediately suspicious.
CISA Director Krebs is quoted in Fifth Domain to the effect that the threat of a retaliatory Iranian cyberattack was diminishing over time, but the U.S. Federal Deposit Insurance Corporation
has warned the more than 5,000 banks and financial services institutions it supervises
that they should be on heightened alert for cyberattacks.
While Iran may not, as Verdict argues, rush into attacks on U.S. infrastructure,
it's nonetheless worth reviewing Iranian capabilities.
APT33 (Elfin), APT34 (OilRig), APT35 (Charming Kitten), and APT39 all have well-established track
records, and as IntSights explains in this context, there's also
an active hacktivist community more or less aligned with Tehran's goals. So far, the U.S.
has seen the hacktivists conduct some low-grade vandalism, but the big professional APTs,
beyond their year-long reconnaissance of infrastructure targets, have so far been
no-shows. Still, looking to your defenses remains a good idea.
As an op-ed in The Hill points out,
the U.S. and Iran have been swapping cyber operations for about a decade.
Both sides have shown patience and some strategic focus,
and this seems likely to continue going forward.
An Internet Explorer vulnerability is being exploited in the wild,
but Microsoft won't have a patch available until February, TechCrunch reports.
Microsoft has offered some workarounds and advice in the interim.
It's assigned the identifier CVE-2020-0674 to the bug, but information is sparse.
The zero-day, whose exploitation Redmond optimistically characterizes as consisting
of limited targeted attacks, is a remote code execution flaw. It's believed possible that it
may have some similarities to the Firefox bug Mozilla recently patched. Qihoo 360, which ZDNet
says Mozilla credited with tipping them off to the Firefox vulnerability, tweeted that the attackers
hitting Firefox were also exploiting Internet Explorer,
but that tweet has been deleted and Qihoo 360 hasn't elaborated.
Over the weekend, Citrix issued firmware patches for Citrix Application Delivery Controller
and Citrix Gateway versions 11.1 and 12.0.
CISA, the U.S. Department of Homeland Security's Cybersecurity
and Infrastructure Security Agency, recommends that users apply the patches promptly and to do
the same with other fixes for CVE-2019-19781 the company is expected to release over the course of
the week. The vulnerability is being exploited in the wild, and in an interesting way.
Security firm FireEye late last week reported that someone is scanning for vulnerable Netscaler devices,
clearing them of any malware they find, and then installing a backdoor payload FireEye is calling NotRobin.
FireEye acknowledges the possibility that this may be a vigilante operation,
but the installation of a backdoor in addition to clearing out other people's malware suggests it's probably not so.
The company thinks that whoever's been compromising Netscaler devices may well be preparing for a campaign,
and so it's probably prudent to regard this as more battle space preparation than, you know, the man who shot Liberty Valance.
As FireEye explains, the actors, quote,
remove other known malware, potentially to avoid detection by administrators that check into their devices after reading Citrix security bulletin CTX267027.
NotRobin mitigates CVE-2019-19781 on compromised devices,
but retains a backdoor for an actor with a secret key.
While we haven't seen the actor return, we're skeptical that they will remain a Robin Hood
character protecting the internet from the shadows. And those, friends, are words to the wise.
We are a good 18 months or so into GDPR being in effect. The world keeps on spinning as it tends to do, but how much of an impact has GDPR actually had?
Carole Theriault takes a look.
So the world of GDPR.
On the 11th of December, a German internet provider, 1&1,
faced a whopping $10.6 million fine for not adequately protecting personal information
of its users. Now, according to the BBC, Germany's data protection watchdog said that anyone who
called 1&1 Telecom could get extensive personal information about someone else solely by giving
their name and date of birth. I've invited Jon Fielding of Apricorn,
who is a bit of an expert on all things GDPR,
to try and give us some insight on where GDPR is today
and whether all these fines are working.
Jon, thanks so much for coming on the show.
It's my pleasure. Thank you for inviting me.
So what do you think about fines like this one,
the one that 1&1 are facing?
There have been some significant fines or notices of intent to fine that have been applied since GDPR became live. I think the
notable ones are British Airways and Marriott Hotels in the UK, at least, who have an intention
to fine from the ICO of around about 300 million pounds, just short of that, and Google in France,
who were hit for 44 million euros. Do you think, in your own opinion, do you think GDPR is a good thing, good thing for the EU?
Yeah. So I think irrespective of geography, it's good for you and me as a resident,
as a citizen of a country. The main tenet of GDPR is to make sure that that data that we provide,
whether it be, you know, our health information or our financial information, you know, or whatever else is protected.
Do you think companies that are headquartered outside the EU take GDPR seriously? So like big
American companies, which have perhaps less strong data protection laws in most states,
as far as I know, it must be very difficult for them to
have to meet these standards. Yeah, I agree. I mean, I think if we're talking about, you know,
something that's happening wholly within the European Union, then it's much easier to understand
how the sanctions will apply and the process will be followed. When you start to look at
companies outside of the EU, but still handling EU citizen data, then, you know, I'm not truly sure how that would all work.
I think it's more about, you know, where is your data going to be held, right?
So if the app is in a country that you don't necessarily trust, then you could make a personal decision as to whether you wanted to move forward with it.
The one big beef I had was that every company seemed to implement it in their own way with their own
plugin. And they all had different layouts and approaches. And that seemed to me just incredibly
wrong. Yeah, I agree. I think one of the challenges that we've had with GDPR that it's been completely
non-prescriptive in terms of technology and how people do things. So it gives you kind of best
practice buzzwords about, you know, you will keep information secure,
you will protect the individual,
but there's actually nothing underneath that
as to how you, or recommendations or suggestions
on technology or as you say, page layout.
So that then is left to each individual company.
Jon Fielding, thank you so much for all your insights.
It's been very interesting.
Okay, it was my pleasure.
Thank you very much for inviting me.
This was Carole Theriault for The Cyber Wire.
According to the Japan Times, Mitsubishi Electric yesterday disclosed that Chinese actors hit the company with a massive cyber attack last year.
In addition to personal information on some 8,000 individuals,
attackers may have obtained, quote,
email exchanges with the Defense Ministry
and Nuclear Regulation Authority, as well as documents related to projects with firms including
utilities, railways, automakers, and other firms, end quote. The personal data exposed in the
incident belonged to nearly 2,000 new graduates who applied for jobs at Mitsubishi Electric
between October 2017 and April 2020. Others who were job hunting
with the Tokyo-based firm between 2011 and 2016 were also affected. The company noticed an anomaly
in its networks in June 2019. Investigation of irregular activity on devices in Japan
eventually revealed that someone had obtained unauthorized access to management networks.
Those parties are believed to be Chinese criminal gangs.
In other news from the cyber underworld,
the operator of a booter service,
that is, a service that offers distributed denial-of-service attacks for hire,
has published Telnet credentials for more than half a million servers,
home routers, and smart devices.
Why would they have done this?
According to ZDNet, which asked them,
the booter service has now been upgraded to a higher-end model.
Instead of just riding atop vulnerable IoT devices,
henceforth it will rent high-output services from cloud providers.
Thus the fire sale, we guess,
although the specific motive for making mischief in this
way still strikes us as obscure. The leaker said they compiled the list by scanning for devices
with exposed Telnet ports and then tried first factory default credentials,
followed by easy-to-guess password combinations in a credential stuffing effort.
And finally, are you thinking of filing a claim
in the Equifax breach settlement?
Well, if you are, the deadline is tomorrow,
and you'll need to have your paperwork ducks in a row to qualify.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute,
also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
It's good to be back, Dave.
You have an interesting story to share with us this week.
I think for folks who are getting into the industry
or think about how they got into the industry,
you've got some interesting insights here.
Yeah, I didn't start off in the tech industry at all.
I started off in trying to go into mass media, and that turned out not to work out well for me.
And then I went into what I called my failed sales career.
I'm not really a good salesperson.
Okay.
So you learned?
So I learned, yes.
I thought I was.
I was not.
Right, right.
After my failed sales career, I took a job doing some test and evaluation stuff for a government contractor. And it was good work,
but it was not very engaging. And at the time, I was living in a place called Knoxville, Maryland,
which is next to Brunswick, Maryland, which is way out by West Virginia and Harper's Ferry,
just across the river from Harper's Ferry in Maryland. Okay. So. The middle of nowhere.
The middle of nowhere. Yeah. And my job was in Arlington, Virginia, down in Crystal City.
Ooh. Right. So. For those who aren't from this area, that is a hike. That is a hike. So my
commute every day involved getting up, driving to the Metro. Then that took about 45 minutes.
And then taking the Metro for
about an hour down to Crystal City and then coming back. It was a long, arduous commute.
And I'm sitting there, I've got a wife and a daughter at home, infant daughter at the time.
And I'm wondering, what am I going to do with my life? That's really the kind of phase of my life
that I was in. And one day I'm walking out of the Metro coming home from work and there's a
guy standing there and he goes, I need a ride to the park and ride.
I missed the last bus.
And he's just standing there asking for a ride. And I said, I'll take you.
And he gets in my car and we drive up to the park and ride and on the park
and ride, he goes, you have any technical skills, right? I said, well, you know, not really officially. I taught myself how to program a computer when
I was 12, but I haven't really spent a lot of time working around computers lately, because this was
the early 90s. And, you know, I have a computer and I know how to work on it and fix it and
everything, and the technology fascinates me, but I don't know that I have the skills that merit calling myself technical. And he goes, if you have any technical capabilities,
you need to get into this field now. And he tells me that he has a high school diploma,
right? He doesn't have a college education and that he is a Linux administrator and he is making
twice what I'm making, right? And I'm thinking, that's interesting.
That's very interesting.
So I take him up to the park and ride.
I drop him off and he gets in his car
and I never see him again.
To this day, I've never seen him again.
He did not try to sell you any magic beans
or anything like that?
Nothing like that.
Just off he went.
As far as I know, he walked out of my car
and disappeared.
But the next day I was talking to a guy I shared a cubicle with, and he said, you know,
you already have one degree.
You could just go get a second degree at University of Maryland University College, now Global
Campus, University of Maryland Global Campus.
Right.
At the time, they had in-person classes, but it was targeted for military and working people.
And that's what I did.
I went out, and the first thing I did was took a Novell network class to be a network administrator. And immediately after
completing that class, I had a job in IT. So this guy changed the entire course of my life
in one car ride.
And I never had the chance.
I think I at least owe this guy dinner.
Right, right.
So if you're out there listening, reach out to me.
I'd like to say thanks.
It was about 20 years ago.
Yeah, yeah.
In the Maryland area.
In the Maryland area, right.
Yeah.
How interesting if that person would remember that encounter that set you off on a particular path. There is a very good chance that person has absolutely no recollection of this encounter,
that it was unremarkable to him.
But to me, it was absolutely life-changing.
Well, and I think there's an important lesson for our listeners here,
which is that you should be open to having your life go in a different direction.
You never know where that catalyst is going to come from.
That's right.
And also,
you took the initiative to take those classes. Yep. It didn't take a lot for you to equip
yourself to be able to go on that other path. And you probably, who knows if you would have
even explored those possibilities had it not been for this person. Yeah. You found out that,
hey, I can do this. Right. And here you are today. And here I am. Yeah. All right. Good
story. Good stuff to know. Yep. Joe Carrigan, thanks for joining us. My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.