CyberWire Daily - Security issues with Zoom for Macs. Astaroth fileless malware reported in Brazil. GoBotKR distributed by torrent. ICO hits British Airways with a record fine. State attacks and state defenses.
Episode Date: July 9, 2019
Zoom user security appears to have been sacrificed on the altar of user experience. The fileless Astaroth Trojan is again in circulation, mostly, for now, in Brazil. Torrents are distributing the GoBot2 backdoor. The UK’s Information Commissioner’s Office clobbers British Airways with a record fine under GDPR, probably to encourage all the rest of us. Croatian government offices are spearphished. Iran says it’s now got an attack-proof comms system. And NSA’s IG reports. Joe Carrigan from JHU ISI on security issues with D-Link routers. Guest is Martin McKeay from Akamai on their most recent State of the Internet report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_09.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Zoom user security appears to have been sacrificed on the altar of user experience.
The fileless Astaroth Trojan is again in circulation, mostly for now
in Brazil. Torrents are distributing the GoBot2 backdoor. The UK's Information Commissioner's
Office clobbers British Airways with a record fine under GDPR. Croatian government offices
are spearphished. Iran says it's now got an attack-proof comms system, and NSA's IG reports.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 9th, 2019.
Those of you who use the popular Zoom video conferencing tool on your Macs should be aware
that a serious vulnerability has been
reported. Security researcher Jonathan Leitschuh reports that the flaw allows any website to
forcibly join a user to a call, complete with camera access. So you could be pulled into a call
and watched while you're simply minding your own business. You may not be interested in the call,
but the call is interested in you.
The problem amounts to susceptibility to drive-bys.
There have been other issues with Zoom.
Some versions of it could, for example, induce a denial of service condition in an affected Mac
by repeatedly joining a user to an invalid call.
And should you have uninstalled Zoom,
the conferencing tool will have left behind a
reinstallation feature that could reinstall the Zoom client without any user action on your part
beyond visiting a web page. Zoom has a reputation for convenience, and it's pushed back in its own
defense by maintaining that the vulnerability is really more of a feature, one that enables users
to get beyond an otherwise cumbersome and click-heavy experience
when they're joining a call. If you do use Zoom on a Mac, and if you're not interested in the
possibility of being on unwanted display, go to the Zoom preferences and select Turn off my video
when joining a meeting. That will at least keep you off camera.
Microsoft warns that a campaign using the fileless Astaroth information-stealing Trojan is underway.
Astaroth lives off the land, which can render detection difficult.
The tools the campaign uses would typically be whitelisted,
and so their mere employment wouldn't necessarily trigger any alerts that were simply looking for known malware and known file signatures.
On the other hand, as Bleeping Computer quotes Microsoft,
they do use those tools in anomalous ways,
and that can become fairly obvious to systems on the lookout for suspect behavior.
Most of the current Astaroth campaign victims, some 95% in fact, are located in Brazil,
but that shouldn't move people elsewhere in the world toward a false sense of security.
Security company ESET has identified a campaign using torrents to distribute the familiar commodity GoBot2 backdoor.
ESET calls this particular version GoBotKR.
The bait, in this case, as is appropriate to a torrent-based campaign, consists of movies and television shows.
In this case, they're Korean movies and TV.
Most of the victims have been in South Korea.
GoBotKR, a relatively straightforward bit of badness,
does the sorts of things most botnets do.
It enables misuse of the affected device,
it allows the botnet to be controlled and extended,
and it seeks to evade detection by the victim.
GoBotKR is well-suited
to conducting distributed denial-of-service attacks. ESET notes its ability to seed arbitrary
files using BitTorrent and uTorrent. If you think you're affected, you can scan for the malware and
remove it if it's found. But here's some better, more general advice. Don't download torrents from
pirate sites. It's not just about
GoBot2. Lots of other malicious code is distributed that way. In the most recent version of their
State of the Internet report, Akamai took a closer look at the online gaming community
and the security issues they face. Akamai's Martin McKeay is one of the report's authors.
We chose gaming because we knew when it comes to credential abuse,
gaming is a huge target.
And as we dug into it, we found out that it was an even bigger target than we thought.
Even though the number of gaming targets is relatively low
compared to all of the rest of the types of industries that we see,
the amount of traffic flowing to them was over 20% of all of
the attacks that we see. One of the key findings is overall SQL injection attacks are increasing
greatly. They used to be 45 to 55%, usually closer to the 45. With this report, overall,
SQL injection has risen to 65% of all of the attacks we see. That's not gaming. We went
to look at that a little bit later, but that is a huge increase over the last 12 months.
And a lot of that luckily seems to be coming from Russia. And I don't mean a lot of, a lot of the
growth seems to be coming out of systems in Russia. And that one was very surprising to us.
We started looking into the gaming and where in
credential abuse, the targets and the source of attacks seems to come from and to the U.S.
For gaming, it was actually, again, Russia that a large part of the attacks are coming from.
I can imagine that perhaps some gamers don't apply the same level of security or
scrutiny to their gaming accounts that they would to, say, their banking credentials.
You would think that, but actually, when you look at what the gaming companies are saying themselves,
their push into two-factor authentication, their pushes into educating their users,
you realize that's not necessarily the case.
There are some users out there who I would suppose actually pay more attention to their
gaming credentials than they do their banking credentials. And the whole reason we're seeing
that move into gaming is because it's a lucrative market. There is value to all of the skins,
all of the devices you can buy for your
characters. Those have value. It's easy to go and say to the FBI or to your local law enforcement,
hey, somebody cracked into my bank account and here's how much they stole. Here's how much it
was I lost. And can you go investigate? If you go and say somebody broke into my Minecraft account and took it over and sold it,
it's a lot harder to explain to a police officer or a law enforcement officer that that has value.
What are your recommendations?
What are the take-homes from this report?
You know, when it comes to protecting accounts,
two-factor authentication is going to be the single biggest thing folks can do.
If your game allows it, do it. If your bank account allows it, do it. The second I would say is
use a password vault, use a notepad, use some form of recording your passwords and making sure your passwords are unique per account.
Between those two things, that can make such a huge dent in credential abuse. That's what I would
say for the consumer. Follow the instructions that your games are giving you to protect your
accounts. But for businesses, and this is outside of gaming, this is everywhere, your APIs are under
attack. Your APIs have people constantly trying to get into them. Be aware of that. Take some
measures to make sure that you're actually monitoring that. Because in a lot of cases,
organizations aren't paying the same amount of attention to that API traffic that they are to
the web traffic. And if you're popped on the API,
it's just as bad as being popped on your website. You need to be aware that it's happening,
that that's where one of the places bad guys are moving to.
That's Martin McKeay from Akamai.
The fine the UK's Information Commissioner's Office levied against British Airways for a
September data breach is confirmed to be £183 million.
That's roughly $229 million, far exceeding the ICO's previous record of half a million pounds, Forbes observes.
High as it is, the fine is shy of the 4% of annual turnover the ICO could have taken.
In British Airways' case, 4% would have amounted to £500 million.
Another way of ballparking the fine is to notice, as Securonix did for one,
that the ICO is costing British Airways about what they'd pay for two airliners.
The airline, which points out that it disclosed the breach within a day of discovery and has since found no sign of large-scale criminal exploitation, intends to appeal.
We received a note from Oleg Kolesnikov, who heads up Securonix Threat Research Lab.
He points out that British Airways was one of many businesses hit by the Magecart operators.
As he puts it, quote,
The malicious threat actors have been continuing the attacks following the BA breach at even larger scale,
infiltrating over 2,000 e-commerce
businesses this year alone, end quote.
The ICO apparently intends the penalty as a deterrent.
Any site that handles personal information should take careful note.
As Kolesnikov wrote, quote, this should send a clear signal that organizations have a responsibility
for protecting personal data and the need to make cybersecurity a business imperative.
Croatian authorities have revealed that earlier this year an unknown threat actor infected
government organizations with a malicious payload called Silent Trinity.
Assembled largely from off-the-shelf components readily found in various corners of the internet,
Silent Trinity as a whole was a distinctive, never-before-seen piece of malware.
The attackers approached their victims by spear phishing.
The phishbait consisted of bogus delivery notifications,
some of them posing as the Croatian Postal Service,
others presenting themselves as various retail services.
Who's behind the campaign is unknown,
but they appear to be using some
of the same infrastructure the Russian organs have employed against Ukrainian targets.
Iran, apparently moved to action or at least proclamation by the cyber attack the U.S.
is said to have executed against Tehran's intelligence and missile units, has announced
the fielding of a new military command and control system.
The commander of the Islamic Revolutionary Guard Corps says they've fielded the domestically developed Sepehr-110,
a military communication system designed to be proof against cyber and other modes of electronic attack,
insofar as any such system can be.
Whether the Sepehr-110 represents a real capability, a misfire, an aspiration,
or simply strategic deception,
remains to be seen. Finally, the Inspector General's Office at the U.S. National Security
Agency has rendered its annual report to Congress. The report finds no serious or flagrant problems
or abuses, but it does list a number of issues it judges significant. That is to say, Fort Meade struggles with many of the same cybersecurity issues
that concern other government agencies,
and indeed non-governmental enterprises as well,
things like compliance, continuity planning, and so forth.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks, and connected lives.
Because when executives
are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information
Security Institute and also my co-host over on the Hacking Humans podcast. Joe, it's great to have you back.
It's good to be back, Dave.
We got some news in the past few days here about a major manufacturer of, I guess, primarily consumer devices.
Yes, D-Link.
And they have, I guess they've made an agreement with the FTC. What's going on here?
They have. This starts from an FTC action.
It started with a 2017 complaint specifically mentioning D-Link routers and IP cameras.
And the FTC, which is the Federal Trade Commission, pointed out that there were hard-coded login credentials for the IP cameras.
Hmm.
Right?
Okay.
Which is bad.
Very bad.
That means that everybody knows what they are, and they're the same for all the cameras.
And they don't change.
And they don't change. Right.
And storage of mobile app credentials in clear text. So if I'm using the mobile app,
the storage of the credentials are happening on my phone in clear text. So the mobile app to,
I guess, control these devices. Right. Yeah. Yeah. Clear text. Another bad thing. These are bad.
Yeah.
So as part of the settlement, D-Link will implement a new security plan.
They'll have threat modeling and vulnerability testing before releasing a product, which
they should already have, right?
But they don't.
And they're going to move in a more secure direction.
That's good.
I'm happy with hearing this information.
Additionally, the company will monitor existing systems for security flaws.
They'll start pushing automatic firmware updates, which is good, right?
A lot of these IoT vendors are not going to be able to do that.
There are some that you're just never going to get to be updated because the companies may not exist anymore because they're cheap and just manufactured on the fly.
They're going to create a bug bounty program as well, a vulnerability reporting system for security researchers,
which is something that every company out there who produces a product should do, but very, very, very few of them do.
This is one of the things that you work on at Johns Hopkins, right?
I am actually the Information Security Institute's Vulnerability Disclosure Coordinator.
So when some of our students or our faculty or staff find a vulnerability, it's my job
to reach out to the company or to the organization to disclose that vulnerability.
And your experience is this is not an easy job.
It is almost never an easy job to do.
Right.
It's very easy with Apple, so much so that when people find vulnerabilities in Apple, they don't even work through me. They just contact Apple directly.
I'll say that Apple does a very good job with this.
Yeah, not everyone does.
Not everyone does. I've had people I've tried to disclose vulnerabilities to who didn't react until someone from Bloomberg contacted them, and that got the attention of the vice president of communications. So, yeah.
Now, oh, now the media is looking.
And that's really the only way to get these companies to do it.
Companies should be actually in this and the government regulation as well as we're seeing here.
But, you know, these companies really should be proactive in this.
They should, hey, have you found a security vulnerability?
We want to know about it.
Right. And the counterproductive knee-jerk reaction is, well, don't disclose it or we'll sue you.
That is not helpful at all.
I guess it's a shame that it got to this point, too, that you have to have a government action to get this sort of positive change.
Yeah, well, all these things, the reason, Dave, is all these things have costs, right?
Yeah.
And the motivation is not to
produce a vulnerable product,
but it's actually produced the product
cheaply and effectively,
not necessarily securely.
So I guess the only way to change the economic
paradigm here is to actually impose
costs and sanctions. Yeah.
From a government standpoint. And I'm not
one who's
big into government regulation. Yeah. Personally. But I don't know what else you can do here.
Well, and I'm thinking of that consumer, you know, standing there at their local electronics shop,
looking at a shelf full of routers. They know they need a new router or they want to buy a
security cam or something like that. And it doesn't seem like security is put on the
box as a differentiating factor very often.
No, it is not.
It's all the features that come with it, all the cool things it can do.
And it seems like, I don't know, are we heading into an era where security can be a feature
that people want?
Well, hopefully, because as you said, the consumer is not really demanding the security
built into the product.
They're just going out and buying the cool features.
And the cheap one.
And the cheap one, exactly.
So I think two things need to happen.
One, consumers need to step up and say, I don't want a product that's not as secure, and I'm willing to pay more for a product that is.
Because I understand that has a cost associated with it.
Right.
And the other thing is that these companies need to just step up and say,
we need to produce a more secure product.
Yeah, and I guess if they don't, then that's when folks like the FTC step in and get their attention.
Yeah, but the FTC is never going to penalize a foreign company
that produces a bunch of insecure products and then closes.
It's never going to happen that way.
Well, I suppose it's good news that change will happen here.
Yeah, and other companies are hopefully taking notice of this.
They don't want the government coming in and telling them,
you're going to do this, you're just going to say,
you know what, we're going to go ahead and take this proactive step now, I hope.
Because look what happened to D-Link.
We don't want that to happen to us.
You do not want that to happen.
Yeah.
All right, Joe Carrigan, thanks for joining us.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out
our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.