CyberWire Daily - Rotexy Trojan gets worse. Bad apps in Google Play. Backdoor for crypto-wallets. Facebook goes before Parliament. Pegasus spyware versus journalists. Russian hybrid war. Too-smart devices.
Episode Date: November 27, 2018
In today's podcast we hear that the Rotexy Trojan has evolved into phishing and ransomware. Bad apps found in Google Play. An open source library used in cryptocurrency wallets had a wide-open backdoor. Facebook goes before Parliament, which seems in a pretty feisty mood. Pegasus spyware found to have been deployed against journalists in Mexico and elsewhere. Russia escalates its hybrid war against Ukraine. Do people care if their smart speakers eavesdrop? How about their smart lightbulbs? Johannes Ullrich from SANS and the ISC Stormcast podcast on DNS over HTTPS and network visibility. Guest is Shaun Bierweiler from Hortonworks on the use of open source software in the federal space. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_27.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Rotexy Trojan evolves into phishing and ransomware.
Bad apps are found in Google Play.
An open-source library used in cryptocurrency wallets had a wide open back door.
Facebook goes before Parliament, which seems in a pretty feisty mood.
Pegasus spyware is found to have been deployed against journalists in Mexico and elsewhere.
Russia escalates its hybrid war against Ukraine.
Do people care if their smart speakers eavesdrop?
What about their smart light bulbs?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 27, 2018.
Researchers at Kaspersky Lab have been following the evolution of the Rotexy mobile malware. It emerged as an SMS spyware trojan in 2014, but it's now boasting additional features in a wave of recent attacks, some 70,000 between August and October.
Most of Rotexy's targets are located in Russia.
The malware has retained what Kaspersky calls its staple and unique feature, a three-headed command and control combination that includes conventional servers, SMS messaging, and the Google Cloud Messaging platform.
The current version spreads by smishing, and as soon as it launches, it requests admin rights on the victim device.
It checks to ensure that the device is located in Russia, looks for signs that it's running in an emulator, and then moves on from there.
Rotexy has retained its familiar spyware functionality, but added a ransomware capability and a phishing page that goes after paycard details.
And it's not naive either. Rotexy checks to ensure that the paycard details the victim enters are genuine.
Kaspersky says there are some mitigations available, but they caution that they may not work for long.
Rotexy's operators have shown a disposition and ability to adapt.
Several malicious apps have been found in Google Play.
Eight of them, according to researchers at Idaho-based security firm Kochava, are ad fraud fronts, which Kochava suggests are associated with two Chinese firms that also operate in the U.S., Cheetah Mobile and Kika Tech.
And Trend Micro is also reporting ad fraud apps posing as Android voice apps.
They suggest that this foreshadows the formation of a significant
botnet. Some, but not all, of the malicious apps have been taken down.
Some unknown hoods succeeded in surreptitiously insinuating a backdoor into the widely used event-stream JavaScript library. Warned by a researcher on GitHub last week, package manager npm issued a warning yesterday.
It appears that the backdoor was designed to steal from Bitcoin wallets prepared by the vendor Copay.
Copay says the infected code was deployed in versions 5.0.2 through 5.1.0.
Users should assume their keys were compromised,
and they should move their funds to new wallets upgraded to version 5.2.0.
Facebook is in front of a parliamentary inquiry in the UK today.
An interesting feature of this particular inquest is MP Damien Collins' threat to release internal Facebook emails obtained through what are being called unprecedented parliamentary powers.
Those unprecedented powers involved, according to the Telegraph, the House of Commons Sergeant-at-Arms intercepting a traveling executive from a company that's been involved in litigation with Facebook.
Ted Kramer, who founded U.S. app maker Six4Three, was given two hours to hand over the emails.
When he refused, he was frog-marched to Parliament and threatened with fines and imprisonment,
which brought him around to Westminster's way of thinking.
So, Commons now has the emails and says they can dox Facebook if they please,
as a matter of parliamentary privilege.
Six4Three sued Facebook when the House of Zuckerberg changed its privacy policies in ways that drove Six4Three to shut down one of its apps, Pikinis. Until Facebook fessed up to what was going on and decided it was all in poor taste and probably going to wind up in litigation somehow, users could employ Pikinis to search for pictures of their Facebook friends who were wearing bikinis.
A European commission joined by Britain, France, and Belgium is also interested in talking to Facebook about privacy,
and they've warned Mr. Collins not to release the emails, which are under seal by the state of California.
Mr. Collins says that's for the commons to decide.
Both Facebook and Google have come in for criticism recently in Europe, the former for alleged data abuse and fake news,
the latter mostly for alleged monopolistic practices. Paradoxically, GDPR has seemed
to work in the two companies' favor, as the EU data protection regime may have suppressed upstart competitors.
Organizations in the federal space have their own unique set of cybersecurity challenges,
and many of them have come to rely on open source solutions to meet their needs.
Shaun Bierweiler is Vice President of U.S. Public Sector at Hortonworks, and he joins us to provide some perspective.
They are probably one of the leading vectors of having data being populated every day
from sensors and their missions and just being able to store that and access it. One of the
biggest challenges that they have is they have very antiquated legacy systems that were
developed for very specific missions and very specific use cases at a time when data was much
more predictable. You knew exactly what a cell was going to contain and it would always contain
that specific structure. And so an anomaly was easy to detect. Fast forward to today where you've got significant different producers of data in varying formats coming at rapid paces.
And the expectations for that information are growing exponentially as well.
So not only do you have much more complicated information data coming from different directions, but users have much greater expectations,
both from a use case as well as a response, right? They expect real-time information from that data.
And so you're advocating that open source solutions help break down some of those silos.
Take us through what leads you to that conclusion.
When you look at the innovation of technology, open source has been a prevailing enabler of that.
The approach, the culture, the ways that you have various groups coming together to help continue to advance technology is undeniable.
Those cultural enablers are not limited to specific technologies.
They can also be applied to the cyber landscape when you think about threat detections and various anomalies that are being detected.
And so that open approach of promoting sharing, collaboration, interoperability is one of the reasons why you see the greatest technical
advancements happening in that open collaborative environment. And so what are your recommendations
for those who are in the federal space, in the public space, in terms of approaching this? What's
the best way that they can get started if they want to integrate some of these open source tools?
Well, I think the number one step is first taking a step back and identifying
what your requirements are and acknowledging that a holistic data approach is necessary.
All too often, we have these very quick band-aids that we put on solutions that may solve a specific
problem but effectively create more problems tomorrow. Second is, you know, look for the right
partners that are able to harness the power of the open source community and package it in an
enterprise consumable fashion. We don't do everything, but we have a very vast and broad
community. And we're able to bring the strength of numbers to customers and partners alike to
be able to address potential concerns,
potential requirements. One of the great things about the community is that if a capability or
feature doesn't exist currently, you're able to get that into the roadmap and develop it and push
that innovation forward. Are there any things that people need to look out for? Are there
any downsides to taking this approach that
people should be cautious of? Well, it's important for every customer to understand
their specific requirements and the timelines that come with them. I don't think any approach
is a silver bullet, one size fits all for anybody. But I certainly think, generally speaking, that
an open architecture and an open collaborative approach to addressing
those requirements has limited downside in any application. I think it's important for customers
to truly understand what it is they're trying to accomplish, their specific constraints and
their priorities and requirements, and then to find the right partners to address them.
That's Shaun Bierweiler from Hortonworks.
Citizen Lab reports that associates of slain Mexican journalist Javier Valdez Cardenas received texts carrying NSO Group-manufactured Pegasus spyware.
Cardenas was murdered in 2017, apparently by the drug cartels he investigated.
Citizen Lab notes that Mexico's government has been a customer of NSO Group.
Russia's guttering war against Ukraine erupted in naval attacks against Ukrainian ships in the Sea of Azov.
Ukraine says Russia's intent is to consolidate its control of Crimea
and ultimately establish sovereignty over the Black Sea as a whole.
Ukraine has declared martial law.
Expect an escalation in the cyber operations that have marked this hybrid conflict.
And finally, privacy?
Bleh.
How many people are really as interested in it as one might think they ought to be?
If Motherboard is right, if you've got a smart speaker,
you're not particularly interested in keeping things to yourself.
They reference a University of Michigan study that talked to 17 people,
all of whom said, in effect,
well, Amazon and those guys already know a lot about you, so what does it matter if Alexa or Samsung hear a few conversations?
The researchers find this disturbing enough to call it privacy nihilism,
but we do note that 17 seems like a pretty small sample size.
Maybe they tried to talk to a couple hundred who didn't want to answer a survey
because they maybe felt it would compromise their privacy.
And not only may your smart speaker be spying on you,
but that smart light bulb could have its metaphorical eye on your data as well.
In a demonstration by researchers at Checkmarx, they figured out a complicated method of using light from Bluetooth-connected bulbs to transmit data.
You need a smartphone, a telescope, and an uninterrupted line of sight through a window.
But it could happen.
And joining me once again is Johannes Ulrich.
He's the Dean of Research for the SANS Institute.
He's also the host of the ISC Stormcast podcast.
Johannes, welcome back.
Interesting topic you wanted to share today.
We want to talk about DNS over HTTPS and what that does to network visibility.
What do you have to share today?
Yeah, so this is a relatively new development where browsers, foremost Firefox, are adding the capability to send DNS requests over HTTPS.
Up to now, DNS has really been sort of the one protocol that didn't really consider privacy.
All your DNS queries are sent in the clear.
And of course, to visit any website, to do anything on the internet, you need DNS and you're leaving a footprint here.
Of course, from a defensive point of view, that has also been really useful, because with DNS you're able to check, for example, if people are connecting to known malware sites, or in general if software on your system is doing things it's not supposed to do, particularly of course with everybody now using HTTPS and encrypting their web or HTTP traffic. So this has been really big in the sense that it really sort of blinds network defenders.
And it can actually be enabled by a user just by changing a browser configuration.
Now, are all browsers capable of this, or is it just a particular one so far?
Right now, it's really Firefox that has enabled this feature and makes it really easy to turn it on.
Other browsers haven't really done it yet, but have announced they may do it fairly soon.
So you'll see it show up in certain browsers like Chrome, for example, which is a major browser and has a large market share.
Also, on mobile devices, Cloudflare, which is somewhat pushing the standard,
has come up with a little app for iOS and Android.
It allows you to very easily enable this feature on these devices.
And so what's the upside here?
The upside is privacy. So if you are traveling,
if you're connected to a network that you don't necessarily trust, you're hiding this DNS traffic
from this network. Now, there's an alternative, and that's DNS over TLS. Now, DNS over TLS
also provides privacy, but it's easily blocked by a network.
So let's say you're connecting to a foreign network or from a foreign network that you don't trust.
They could just block DNS over TLS.
Blocking DNS over HTTPS is much more difficult because it just looks like any other HTTPS query. It uses port 443, and the rest is mixed in with all the other HTTPS traffic, which makes it very difficult to distinguish it and block it.
So if I'm an administrator at an organization, what should my attitude towards this be?
Well, you should be certainly careful about it because like I said, you lose visibility.
Your option is to either tell your
users not to enable it or really to control your endpoints much more closely, which of course with
bring your own device and such tends to be quite difficult. Like most times we are using network
security tools like monitoring DNS logs, like intrusion detection systems, in order to make
up for some of the lack of control we have on the endpoint.
Well, it's interesting as always. Johannes Ulrich, thanks for joining us.
Thank you.
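The visibility problem Ullrich describes can be made concrete. The Python script below is an added example for this page, not code from the show, from SANS or from the ISC. It builds an RFC 8484 DoH GET request for a name (a wire-format DNS query, base64url-encoded without padding, carried in the dns= parameter), reverses that encoding the way a TLS-inspecting proxy could in order to get its DNS log back, and labels a few constructed HTTPS flow records as DoH or not. The resolver list, the sample flows and the record field names (sni, path, query, content_type, accept) are assumptions made for the example; nothing here is captured traffic.

```python
import base64
import random
import struct

# Assumption: a short, illustrative list of public DoH endpoints as (host, path).
# Real deployments need a maintained list, and any server can host DoH on any path.
KNOWN_DOH_ENDPOINTS = {
    ("cloudflare-dns.com", "/dns-query"),
    ("mozilla.cloudflare-dns.com", "/dns-query"),
    ("dns.google", "/dns-query"),
    ("dns.quad9.net", "/dns-query"),
}


def build_dns_query(name, qtype=1, txid=None):
    """Encode a minimal RFC 1035 wire-format query: header, one question, no EDNS."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100 = recursion desired; QDCOUNT = 1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def doh_get_url(name, endpoint="https://cloudflare-dns.com/dns-query"):
    """RFC 8484 GET form: dns=<base64url(wire query)> with '=' padding stripped.
    The transaction ID is 0, as the RFC recommends, so HTTP caches can serve it."""
    raw = build_dns_query(name, txid=0)
    b64 = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
    return f"{endpoint}?dns={b64}"


def qname_from_wire(raw):
    """Read the question name out of a wire-format query (question names are not compressed)."""
    pos, labels = 12, []
    while raw[pos] != 0:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def qname_from_doh_param(dns_param):
    """Undo the GET encoding: restore padding, base64url-decode, parse the question.
    This is what a decrypting proxy would do to regain the DNS visibility lost to DoH."""
    padded = dns_param + "=" * (-len(dns_param) % 4)
    return qname_from_wire(base64.urlsafe_b64decode(padded))


def classify_flow(rec):
    """Label one HTTPS flow record as 'doh-known', 'doh-suspect' or 'other'.
    Without TLS interception a sensor sees only 'sni' and port 443; 'path', 'query',
    'content_type' and 'accept' are only available behind a decrypting proxy."""
    sni = rec.get("sni", "").lower()
    path = rec.get("path", "")
    if (sni, path) in KNOWN_DOH_ENDPOINTS:
        return "doh-known"
    media = {rec.get("content_type", ""), rec.get("accept", "")}
    if "application/dns-message" in media:
        return "doh-suspect"
    if path == "/dns-query" and rec.get("query", "").startswith("dns="):
        return "doh-suspect"
    return "other"


# Constructed sample flows for this example; not captured traffic.
SAMPLE_FLOWS = [
    {"sni": "mozilla.cloudflare-dns.com", "path": "/dns-query",
     "query": "dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB",
     "accept": "application/dns-message"},
    {"sni": "resolver.example.net", "path": "/dns-query", "query": "",
     "content_type": "application/dns-message"},
    {"sni": "www.example.com", "path": "/index.html", "accept": "text/html"},
]


def summarize(flows=SAMPLE_FLOWS):
    """Classify each flow; where a dns= parameter is visible, recover the queried name too."""
    results = []
    for f in flows:
        label = classify_flow(f)
        q = f.get("query", "")
        name = qname_from_doh_param(q[len("dns="):]) if q.startswith("dns=") else None
        results.append((f["sni"], label, name))
    return results


if __name__ == "__main__":
    print(doh_get_url("www.example.com"))
    for row in summarize():
        print(row)
```

The first sample flow is the only one a network sensor can catch without decryption, and only because its SNI is on the known-resolver list; the second, a self-hosted resolver on an arbitrary host, is recognisable solely by its media type, which sits inside the TLS session. That is the trade Ullrich describes: DoH has to be handled at the endpoint (browser policy, managed configuration) or behind a TLS-inspecting proxy, not by port- or SNI-based blocking alone.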
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow. Thank you.