CyberWire Daily - Scope of APT33 attacks revealed. GandCrab criminals shift tactics. Slub malware uses Slack.

Episode Date: March 7, 2019

The scope of Iran-linked APT33 cyberattacks has been revealed. GandCrab criminals are using more sophisticated tactics. A new type of malware was using Slack to communicate. Chrome gets an important update. Huawei sues the US, and Germany sets tougher security rules for telecom companies. And people who invest in cryptocurrency often don't know what they're getting into. David Dufour from Webroot with his thoughts on RSA Conference. Guest is Asaf Cidon from Barracuda Networks on account takeover vulnerabilities. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_07.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The scope of Iran-linked APT33 cyberattacks has been revealed. GandCrab criminals are using more sophisticated tactics. A new type of malware was using Slack to communicate. Chrome gets an important update.
Starting point is 00:02:11 Huawei sues the US. And Germany sets tougher security rules for telecom companies. And people who invest in cryptocurrency often don't know what they're getting into. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 7th, 2019. Microsoft told the Wall Street Journal that an Iranian cyber attack campaign hit more than 200 companies over the past two years, causing hundreds of millions of dollars in damages. The attacks targeted oil and gas companies and heavy machinery makers in a number of countries, including Saudi Arabia, Germany, the United Kingdom, India, and the U.S. The group sent phishing emails to more than 2,200 people at these companies.
Starting point is 00:03:02 Microsoft attributes the attack to Holmium, also known as APT33. The group has been active since at least 2013 and has a history of going after organizations in the aviation and energy sectors. CrowdStrike says criminals using GandCrab ransomware have exhibited a recent shift in tactics. They're now using techniques more often associated with nation-state APT groups, such as manual lateral movement within networks. These observations are consistent with a recent advertising campaign by GandCrab's developer, Pinchy Spider, which was aimed at individuals with knowledge of remote desktop protocol, virtual network computing, and corporate networking. The shift in tactics suggests that Pinchy Spider and its affiliates are hoping to maximize their revenue
Starting point is 00:03:52 by launching the type of low-volume, high-return attacks used by sophisticated threat actors. This strategy, which the CrowdStrike researchers call big-game hunting, involves threat actors hacking into an organization's network and manually deploying the malware. This method is far more effective at getting victims to pay up than widespread untargeted ransomware campaigns, but it requires a great deal of technical skill. Threat groups using SamSam, BitPaymer, and Ryuk ransomware
Starting point is 00:04:22 have been observed using these tactics very effectively. GandCrab differs from the ransomware used in those attacks, however, because it requests a ransom payment for each individual infected machine, rather than asking for a lump sum in exchange for decrypting all of an organization's computers. Email account takeover is a tried-and-true method for bad actors to gain access to your data and your network. Asaf Cidon is vice president of email security at Barracuda Networks, and he joins us with the details. The most common way is to actually phish one of the employees. So to send an employee a phishing email with a link that looks like a sign-in page to a real service, but in fact is
Starting point is 00:05:07 just a website owned by the attacker. So a lot of folks would receive emails impersonating Microsoft Outlook or Gmail or perhaps DocuSign or Dropbox. Another way is by basically buying the credential from someone else. So once credentials are stolen, they then get sold oftentimes in the black market, in the dark web. And so you have this kind of multi-tiered economy of criminals where one set of criminals is just harvesting credentials, then they sell off the credentials to another set of criminals that then might pursue a much more targeted attack against a specific organization. Now, if I fall victim of this, if someone takes over my account, would I necessarily know right away that something has happened? No, not necessarily. And this is what makes these accounts so nefarious. So most employees don't actually notice that their account has been taken over. And in fact, attackers take several steps to kind of hide their activity. So one
Starting point is 00:06:12 common thing attackers do is they will set up a forwarding rule from that employee's mailbox to forward all the emails externally. So they don't even need to log in anymore to that account, not to trigger any kind of suspicious IP logins. And then even when they launch an actual email campaign from that employee's account, you know, sometimes they will actually delete those emails from the sent items email folder so that the employee won't notice them. And they might even delete any of the responses really quickly when they get received. So we do hypothesize that some of these attackers actually run scripts on the accounts to immediately delete the emails from the sent items folder and immediately delete the replies to the attack. So that's kind of the more sophisticated attackers. And is it a typical situation that an organization will have not as stringent security when things are coming from inside the organization? Absolutely.
Starting point is 00:07:10 In fact, the vast majority of email security systems, including the ones available on the popular email providers like Office 365, they don't even scan or even have the ability to scan for internal emails. So the common architecture of email security is they sit between the outside world and the mail server. So they only observe traffic from the outside coming in or from the inside coming out, but they have no ability to peek into internal traffic. And so this is what makes these attacks highly successful is they're basically running unimpeded. There's nobody really inspecting emails coming from internal sources. And so that's what makes these attacks really dangerous. And so what are your recommendations for people and organizations to protect themselves against these sorts of things? From the most sophisticated side, there are actually now solutions that use artificial intelligence to detect anomalies in internal employee traffic that basically learns over time what's a normal pattern of communication for an employee. How do they normally communicate with colleagues?
Starting point is 00:08:25 What IPs do they log into? What are the inbox forwarding rules they have on their account? And then we look for any malicious activity or anomalous activity on any one of these signals. Another good idea is to apply multi-factor authentication. Unfortunately, multi-factor authentication is not a full solution to this problem. We've actually seen attackers bypass multi-factor authentication by harvesting the SMS code as well as the credential with a fake login page. But still, it makes the life of attackers harder
Starting point is 00:09:03 and definitely a good idea to set it up on all the important SaaS and email systems of an internal organization. And then finally, the last step is probably awareness. So you can run security awareness campaigns to actually simulate these types of attacks. And anytime anybody that's doing any type of financial transaction or dealing with HR information, you know, I would recommend the old fashioned way of person to person, you know, you're about to send someone, you know, a file with a lot of, you know, W2s. It's probably not a bad idea to just verify the email actually came from them or to get on the phone with them and verify that they actually need it and to see if it's the correct email address, right? So anytime you're, you know,
Starting point is 00:09:49 so that's more like internal procedures. And, you know, that's always just really important as well on top of all the security measures. That's Asaf Cidon from Barracuda Networks. Researchers at Trend Micro this morning described a new type of information-gathering malware that communicates with an attacker via a Slack channel. The malware is spread through watering hole attacks, potentially targeting people who are interested in political activities. Once it finds itself on a system, it runs a downloader, which downloads a backdoor. This backdoor embeds two authorization tokens,
Starting point is 00:10:25 allowing it to communicate with the Slack API. It then downloads a file from GitHub and parses it for commands. The output of each command is sent to a private Slack channel where the attacker can read it. The primary target of the malware appears to be the victim's personal communications, and it goes after platforms like Twitter and Skype. The researchers have named the malware Slub because it makes use of Slack and GitHub. They don't know who is behind Slub because the attackers were very good at covering their
Starting point is 00:10:57 tracks. Notably, the researchers haven't seen any related attacks in the past, and they've been unable to find any similar malware samples. They believe with strong confidence that it was part of a possible targeted attack campaign, noting that the attackers, who were very sophisticated, clearly showed a strong interest in person-related information. Google's latest Chrome update contains a patch for a high-severity use-after-free vulnerability that's being actively exploited in the wild.
Starting point is 00:11:28 The bug is in the browser's FileReader API, which allows Chrome to access local files. Details of the flaw are being kept under wraps until enough users have updated, but Chrome's security and desktop engineering lead said in a tweet, Seriously, update your Chrome installs. Like, right this minute. TechCrunch notes that Huawei filed its lawsuit against the U.S. federal government last night, claiming the ban on its products from government use is unconstitutional. Huawei is arguing that Congress violated the Constitution's Bill of Attainder Clause by specifically naming the company.
Starting point is 00:12:04 The clause forbids legislation that targets a particular person or entity without trial. Most observers doubt Huawei will win the case. Earlier today, Germany's Federal Network Agency set stricter security requirements for all telecom equipment vendors, rather than singling out Chinese companies. Under the new rules, critical network equipment will only be used after examination and certification by Germany's BSI Information Security Agency, which assisted in drafting the guidelines. A full version of the requirements will be published later this spring. Facebook has joined Google in rejecting an Australian regulator's proposal
Starting point is 00:12:47 that the government oversee how major tech firms rank news articles and advertisements. The Australian Competition and Consumer Commission says that companies like Google and Facebook quote, increasingly perform similar functions as media businesses, end quote, so similar rules should apply. A spokeswoman for Facebook said the proposed level of regulatory intervention was unprecedented. The UK's Financial Conduct Authority published research today warning consumers to exercise prudence when it comes to cryptocurrency. The research consists of two surveys which found that many consumers overestimate their knowledge of cryptoassets.
Starting point is 00:13:29 They often perceive cryptocurrencies as a way to get rich quick and feel like they're investing in tangible assets. One of the surveys found that one in six consumers hadn't completed any research on the topic before buying cryptocurrencies. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:14:03 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:35 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:34 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is David Dufour. He's Vice President of Engineering and Cybersecurity at Webroot, and he is coming to us live from RSA Conference. David, having a good time out there, huh? Yeah, well, you know, it can be a little hectic, especially once you're on day four,
Starting point is 00:16:30 but yeah, things are going pretty good. What are you seeing out there? What's your take on the show this year? Well, I got to tell you, David, I've got some really good news for your listeners because it seems like everything has absolutely been automated, integrated, simplified, and they're using pervasive, predictive, zero trust, AI, threat detection, security analytics. And so it sounds like they're making it so we can stay connected longer, innovate faster, and then stay online safely while we digitally transform our organizations. So I'm feeling like, David, I feel like we've fixed it. It's over. We can just check off cybersecurity. It's done. I was going to say, no need for a conference next year, right? We've got this solved. I've been talking to some folks and we're thinking next year we'll just have a big party
Starting point is 00:17:20 kind of as a going away because we've got it figured out. Yeah, that's good. That's good. All right. Well, besides all of those marketing messages, what's the real scoop? What's your sense of where we stand this year? Well, you know, there's a couple of things really sticking out because they're not here. And we're not seeing a lot of discussion on blockchain. And the last few years, there's been a ton of talk about blockchain and things like that. So I think the lack of noise on that
Starting point is 00:17:51 is kind of interesting. And maybe people are realizing that's more of a management audit tool and not something that's in the near term going to be huge in security. So this has sort of lost its buzzword status. Yeah, it has for sure. You know, there's still everybody's got their AI and ML, which is going to save the day. But some really
Starting point is 00:18:13 interesting things that we're seeing discussion is a lot of talk about privacy versus security, and how a lot of the things that are making us protect our privacy online are affecting our ability with a lot of the tools we have to actually do security. So, for example, and maybe I'm picking on HTTPS here, if you have a secure connection from your PC to a server on the internet, your organization isn't able to look at that traffic, and not in a way to see what you're doing, but in a way to see where you're going. And a lot of the tools need to be able to monitor that traffic to make sure the bad guys aren't injecting things in that network flow. Security giveth, security taketh away. That's exactly right. And I think,
Starting point is 00:19:04 I don't know that there's really any answers, but it's nice to see a discussion around how do we find that balance of ensuring people have their privacy, because I'm a huge privacy advocate. But there's got to be some balance where we can ensure people have their privacy, but we're also building the tools we need that'll protect us. Yeah, it definitely seems like privacy is certainly getting a brighter light shown on it than it has in years past. I'm wondering, what do you see walking around in terms of diversity, people of color? Are we seeing a better representation there? You know, I got to say we are. I've seen a couple of groups that are from different countries, you know, the African group and then folks from the Middle East.
Starting point is 00:19:51 So we're seeing from different locations, some South American organizations as well. You know, the countries have their booth. But in general, there's more diversity now. Am I going to say it's diverse? You know, this can be, you know, kind of a slanted show. But I've been going six years. They gave me a little badge, a thing for my badge that says loyalty plus. You know, I guess I'm some RSA loyalty personnel. And I have to say it's getting better. We have a long way to go, though.
Starting point is 00:20:18 But it's nice to see inroads being made and a lot of attention being paid to diversity. What is your sense in terms of overall tone, people's spirits? Are people feeling, do you sense that there's a feeling of optimism? Well, I think there's more of a feeling of pragmatism, where I think a couple years ago we were going to, you know, fix all the world's problems. But where we've landed now is: what are the things we can do, how do we do it better, how do we try to make things a little simpler for people? I think there's an idea around how do we start simplifying stuff for folks. So, pragmatism with the
Starting point is 00:20:58 hope of simplifying. And what are you seeing in terms of folks coming up to the Webroot booth and asking questions? Are you getting good leads, smart questions from people? So what's ironic, we don't get a lot of leads in terms of new business here. We have a lot of partnerships. It's good for meeting those folks. But we do get a lot of questions, and it allows us to really put our finger on the pulse of what people are wondering about. And endpoint has been a really big topic.
Starting point is 00:21:26 You know, we had some EDR for a while where, you know, companies were focused on, you know, the detection component. But people are really looking for holistic solutions that actually remove threats if they get on the machine as well. So there's a lot of talk about, you know, good old tried and true endpoint technology. And then everybody wants to talk about threat intelligence. It used to be a big buzzword, but it's kind of calmed down. But people are looking for quality threat data to do analysis again. All right. Well, David, safe travels home.
Starting point is 00:21:58 I hope you're able to kick your feet up and relax a little bit when you get there. But in the meantime, enjoy the rest of the show. All right. Thanks, David. It's been great being on. Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:22:41 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Starting point is 00:23:32 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:24:18 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
