CyberWire Daily - Section 702 update. Kaspersky reports on Skygofree—dangerous Android spyware. Recorded Future on DPRK spearphishing. Healthcare hacks. Bogus patches. VR game could expose users.

Episode Date: January 17, 2018

In today's podcast, we hear that the US Senate is ready, after a successful cloture motion, to vote on Section 702 surveillance reauthorization. Bipartisan Congressional support for an election security bill. Skygofree is an unusually capable variety of Android spyware. More evidence ties North Korea's Lazarus Group to a Bitcoin spearphishing campaign. German users lured by fake Spectre/Meltdown patch sites. Healthcare organizations hit with a variety of attacks. Zulfikar Ramzan, CTO at RSA, introduces himself as we welcome him to the show. Guest is Mark Orlando from Raytheon Cyber on the Korean Olympics phishing campaigns. Thinking of VR adult content? Think twice. No, better, think thrice.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The U.S. Senate is ready to vote on Section 702 surveillance reauthorization. There's bipartisan congressional support for an election security bill. Skygofree is an unusually capable variety of Android spyware.
Starting point is 00:02:09 More evidence ties North Korea's Lazarus Group to a Bitcoin spear phishing campaign. German users are lured by fake Spectre and Meltdown patch sites. Healthcare organizations have been hit with a variety of attacks. And are you thinking of VR adult content? Think twice. No, better think thrice.
Starting point is 00:02:33 I'm Dave Bittner with your CyberWire summary for Wednesday, January 17th, 2018. Yesterday, the U.S. Senate voted for cloture on debate surrounding legislation that would reauthorize Section 702 surveillance. This means there will be no filibuster and the bill will proceed to a floor vote, perhaps as early as today or tomorrow. Section 702 authorities are widely regarded within the U.S. intelligence community as indispensable to modern foreign intelligence collection. Critics regard their surveillance programs as too susceptible to abuse and a potential threat to U.S. citizens' privacy. Senators Wyden and Paul were among a relatively small number of opponents of reauthorization who had threatened a filibuster.
Starting point is 00:03:19 Congress is also considering a bipartisan bill that would have the executive specify penalties for election interference. The responses specified would be keyed to specific countries. Kaspersky Lab warns of a new and unusually dangerous strain of Android spyware. They're calling it Skygofree, and it's evasive and capable. Among its features are location-based audio recording, interception of WhatsApp messages through the Android Accessibility Service, the ability to connect victim devices to attacker-controlled Wi-Fi, recording of Skype calls, and a keylogger. Kaspersky thinks Skygofree is the work of Italian lawful intercept shop Negg International, in part because they've found the domain h3g.co in the malware's traces.
Starting point is 00:04:06 That domain is registered to Negg. The audio recording functionality strikes most of the people covering the discovery as unusually creepy. It essentially turns an Android device into a bug when the device is taken into a specified area determined by the attackers. There have been infections reported, for the most part, in Italy. Kaspersky says the malware spreads via web landing pages that look like legitimate sites belonging to Vodafone and other mobile carriers. The campaign is ongoing, and users should be alert to the possibility of infection. More evidence is out on North Korea's designs on cryptocurrency. Recorded Future has a report on the Lazarus Group's concerted spear phishing campaign it conducted
Starting point is 00:04:52 in late 2017 against South Korean cryptocurrency exchanges and their users. South Korea is an attractive target for obvious political and linguistic reasons. It's also attractive because it has a large number of active cryptocurrency early adopters. In addition to theft of Bitcoin, the campaign also prospected South Korean university students interested in international affairs. The campaign's malware used a known Ghostscript exploit and went after users of Hancom's Hangul word processor, a widely used Korean-language word processor. There are interesting connections between this campaign and earlier ones linked to the Lazarus Group.
Starting point is 00:05:36 The malware payload, for example, shared code with Destover, a strain used to hit Sony Pictures in 2014 and early WannaCry victims last year. Both the Sony hack and WannaCry have been widely attributed to North Korean cyber operators. Despite falling Bitcoin prices, off about 40% since their December highs, ordinary criminals as well as sanction-avoiding rogue states are still attracted to it and other alternative currencies. CoinHive is the tool most favored by cryptojackers. With the Winter Olympics less than a month away, there have been reports of increased phishing campaigns
Starting point is 00:06:15 using the games as the focus of their social engineering. Mark Orlando is Chief Technology Officer at Raytheon Cyber, and he joins us with his perspective on these higher-profile phishing attempts. As time goes on and more and more business and logistics support and just really more things are done online, we're going to see a rise in these types of social engineering attacks. So I think it's natural to assume that more individuals and more organizations that are tied to these games will be targeted this year than what we saw with the Rio Olympics. And I would imagine the next games, we're going to see an even wider target set, again, as more and more of this work and the coordination and the logistics and the communications are done over the Internet versus, you know, in person or telephone or some of the ways that it might have been done in the past. And so what sort of specific recommendations
Starting point is 00:07:09 do you have for people to protect themselves? Really what it comes down to is trying to practice good cyber hygiene. These are things like user training and awareness, making sure that anyone who is conducting business or working with other groups, other support elements, other individuals and businesses tied to supporting the games in this case, that they're aware that these threats are out there and that they may be targeted. Even if they feel that maybe the information that they have or they're using is not particularly useful to anyone, they can still be a target. So making sure that everyone involved and everyone who's participating is aware of the threats and aware that they may be a target and what to do
Starting point is 00:07:50 if they receive an email, for example, that has been unsolicited or looks suspicious in any way or comes from someone they don't know. And then hardening your systems and making sure that whatever information technology, whether it's your laptop or your mobile phone or any network infrastructure you're using, is as hardened as it can possibly be to these types of attacks. What we've seen in the security sector is that eventually users will fall victim to these types of attacks. It's just statistically assured that someone will fall victim to these attacks. So understanding that, what precautions have you taken on these devices, laptops, computers, mobile devices, that makes them as resistant as possible should a user click on a
Starting point is 00:08:36 malicious link or go to a malicious website or open a malicious attachment. So having those controls in place, in addition to making sure that the users are trained and aware of the threat, those are probably the two biggest things that organizations can do to defend themselves. You know, given the story and given the visibility of it, and, you know, obviously the games are such a high profile event, you know, multiple countries involved. And so there's that sort of espionage kind of element to it. I think there's a tendency to put a lot of focus on the who and the why, which are reasonable questions to ask. But it's also important to note that from a defensive standpoint and a cybersecurity standpoint, you know, this is a threat that organizations face
Starting point is 00:09:15 every single day. So really from a defensive perspective, you know, it's really just about focusing on the fundamentals and trying to defend yourself as well as possible, as opposed to focusing so much on the who and the why. It's really just understanding that, hey, you may be targeted, and you've got to take those steps to defend yourself, no matter who it is or why. That's Mark Orlando from Raytheon Cyber. Bogus patch sites promising to fix Spectre and Meltdown are up in the wild. They target German users by spoofing the Federal Office for Information Security.
Starting point is 00:09:51 Instead of patches, Malwarebytes reports, the sites serve up malware loaded in a zip file. Let the buyer beware. Several healthcare organizations have been hit by a variety of attacks, showing the range of threats these attractive targets face. DDoS, data theft, and extortion by ransomware. Latvia's National Health Service was taken down early in the week by a distributed denial-of-service attack. Latvian authorities say it was a deliberate attack, that it was staged through a variety of foreign servers and IP addresses,
Starting point is 00:10:24 and that it was probably the work of a foreign government. Which foreign government they think it was hasn't been specified, but it's difficult to avoid thinking of the usual suspect, that big country just to the east. Two attacks have been reported in the United States. One is believed to be unsuccessful. A Mississippi care provider, Singing River Health System, says it parried an attempt by hackers to get into its systems with the apparent intention of stealing patient information.
Starting point is 00:10:53 The other attempt was successful, and it was a ransomware attack. Hancock Regional Hospital in Indiana suffered a ransomware attack last week that caused it to take its systems down for remediation. The infestation was sufficiently bothersome, however, that Hancock decided to pay the $55,000 the extortionists demanded just to get them out of their hair. Hancock Regional had backed up its systems, as is a best practice against ransomware, but in this case it wasn't enough. As always, it's better not to be infected in the
Starting point is 00:11:25 first place. And finally, not that this would be of direct concern to any of you, but you might be interested on, say, a friend's behalf. There has been a high-risk vulnerability discovered in SinVR, a virtual reality game that allows players to explore what are described as various adult environments, sort of what we always suspected Commander Riker was up to in the holodeck on Star Trek The Next Generation. I make it so, number one. Anywho, researchers at Digital Interruption found the flaw in the course of research they
Starting point is 00:11:59 were conducting into the security of various adult websites. Research, they stress. The flaw could result in the exposure, embarrassment, and potential blackmail of people who play the games. News that not you, but your friends, perhaps, can use. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:12:31 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:13:05 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:13:43 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
Starting point is 00:14:33 at blackcloak.io. And I'm pleased to welcome to the show Zulfikar Ramzan. He's the Chief Technology Officer at RSA, their Adele Technologieszan. He's the Chief Technology Officer at RSA. They're a Dell Technologies business. He leads the development of RSA's technology strategy, and he's responsible for bringing to market innovations that protect customers from advanced cyber threats. Zulfikar, welcome to the show. Thank you for having me. It's a pleasure. Yeah, so before we get going on some actual topics here,
Starting point is 00:15:00 we always like to take a few minutes and introduce our new partners to our audience. So why don't we begin? How did you get started in cybersecurity? What's your background? Well, interestingly enough, I think I've always been somehow interested in cybersecurity. I began probably about a couple of decades ago. My school at the time had won a competition and got access to a number of, at that time, internet-connected computers, and that was a big deal for us. And what was interesting is that the people maintaining those systems at the time were teachers, so they didn't know much about security, and they were just trying to keep these systems up and running.
Starting point is 00:15:33 But it was really good fertile ground for somebody interested in cybersecurity because there was an opportunity to understand how these systems worked, how to bypass them, and so on and so forth. I think around that same time, I read Cliff Stoll's book, The Cuckoo's Egg, which is, I think, a bible for many people who are in the field today. And the combination of reading The Cuckoo's Egg and getting access to these internet-connected computers sparked an interest and love for me in this field, and it's been a fun ride ever since. And you're an MIT grad. You also have a PhD in electrical engineering, and you've got over 50 patents on your name.
Starting point is 00:16:04 That's right. I've been very fortunate to work with a lot of really smart people on fun problems, and being able to work in a field that's growing and where innovation is such a big part of what you do, it's a real good fertile ground for coming up with new ideas and trying to advance the state of the art. And so there at RSA, what kinds of things take up your time day to day? Well, a number of things. I think I have two parts of my role. I mean, the big part of my role is what I think of the external facing part of the CTO role, which involves going out, talking to customers, meeting with our partners,
Starting point is 00:16:33 talking to people like yourself, really thinking about the way that the overall security landscape is trending. What are some of the major trends overall and how are things evolving in general? And then I take that knowledge and bring it back in-house to figure out what we should be doing in terms of our technology strategy, how should we look at different areas. And sometimes it's a mix of both. Sometimes I learn about new technology areas so I can help advise our customers on how they should be thinking about those areas. So topics like artificial intelligence and machine learning, blockchain, which has been very common
Starting point is 00:17:02 and popular lately, and so on and so forth. All right. Well, Zulfikar, we're certainly excited to have you be part of the show. Welcome. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can
Starting point is 00:17:47 keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:18:40 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:19:28 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
