CyberWire Daily - Shamoon and Greenbug. HummingWhale purged from Play Store. Apple patches across its product line. Leadership changes at CIA, GCHQ. Lloyds Bank incident update. Honor among thieves? Nope.
Episode Date: January 24, 2017
In today's podcast, we discuss a report from Symantec that Shamoon may be connected to Greenbug. Google is purging HummingWhale malware from the Play Store. Apple issues a major set of patches across its product line. CIA has a new director; GCHQ's still looking for one. Yahoo!'s deal with Verizon will be delayed until April at least. Other industry M&A and venture funding news is more upbeat. Lloyds Bank is said to have been targeted with cyber extortion. Ben Gurion University's Yisroel Mirsky describes vulnerabilities with 3D printers. And there's no honor among thieves—if you don't believe us, ask the thieves.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Shamoon may be connected to Greenbug,
Google's purging HummingWhale malware from the Play Store,
Apple issues a major set of patches,
the CIA has a new director.
GCHQ still looking for one.
Yahoo's deal with Verizon is delayed until April, at least.
Other industry M&A and venture funding notes.
Lloyds Bank targeted with cyber extortion.
And there's no honor among thieves.
If you don't believe us, just ask the thieves.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Tuesday, January 25, 2017.
Researchers who've been tracking the re-emergence of Shamoon believe they may have discerned a connection between the group behind it and the threat actors known as Greenbug.
Greenbug's modus operandi has been to phish victims with the goal of installing a data-stealing remote-access Trojan, or RAT.
The one favored by Greenbug is Trojan.Ismdoor.
It comes packaged, according to Symantec security researchers, with a set of ordinary credential-stealing tools.
Greenbug's target set bears some similarities to Shamoon's,
Middle Eastern aerospace investment, government, and education organizations.
We'll continue to follow developments as research proceeds and is reported.
Security firm Check Point's disclosure to Google that a new HummingBad variant was infesting the Google Play Store has prompted a purge of compromised apps from that store.
It's called HummingWhale because that's a bigger deal, the way the whale is a bigger deal compared to a hummingbird, and probably to a HummingBad, so get it?
At any rate, HummingWhale essentially serves a fake referrer scam. It represents an advance in stealth over its predecessors.
It also relies on bogus reviews and testimonials to goose its acceptance and its controllers' ill-gotten revenue.
Late yesterday afternoon, Apple released new versions of iOS and macOS Sierra
that close significant code execution vulnerabilities the operating systems share.
In addition to these major releases, Cupertino also released a set of significant patches for Safari,
iCloud for Windows, and WatchOS.
Users are being encouraged to update quickly.
The new U.S. Director of Central Intelligence,
former member of Congress Mike Pompeo,
has, as expected, received Senate confirmation.
There's still a high-level vacancy at the British signals intelligence service GCHQ,
which is looking for a new director in the wake of Robert Hannigan's resignation late last week.
In industry news, Yahoo says that it will delay Verizon's planned acquisition of Yahoo's core assets
until the second quarter of 2017.
The future of the deal, says Yahoo, still looks bright, but bright or not,
it won't happen before April of this year. The SEC has undertaken fresh investigations
of Yahoo's two major breaches. Elsewhere, IBM is buying the cybersecurity startup Agile 3
Solutions for an undisclosed sum. Landesk and Heat Software, having merged, will henceforth do business under their new name
of Ivanti. Microsoft Ventures backs Illusive Networks with a funding round that brings
the total the company's raised to somewhere north of $30 million. Illusive, based in Israel,
specializes in security through deception. And the quantum cybersecurity experts at Quintessence Labs
also get an infusion of cash, this from Westpac Group.
Westpac's investment raises its stake in Quintessence from roughly 11 to 16 percent.
The Lloyds Bank DDoS attack disclosed this week was accompanied by extortion attempts.
Bleeping Computer has been on the story, and they identify the attackers as simply Hacker 1 and Hacker 2.
The hackers frame their demand for ransom as a consultancy fee, and state their willingness,
in somewhat hesitant but threatening English, to reveal the vulnerabilities they discovered and restore service in exchange for £75,000 sterling, payable in Bitcoin.
Quote, we have identified severe security issues related to onlinebusiness.lloydsbank.co.uk
and onlines.lloydsbank.co.uk. As an effect, both these services will be put offline starting from
the 11th of January 2017 at 00:01 GMT until they are fixed, end quote. And they close with a promise and a threat.
Lloyds says it's restored service.
There's no suggestion they did so by paying the consulting extortion. There are some good reasons to resist paying extortion that have little to do with the many other good reasons we're familiar with.
The direct financial loss, the unreliability of criminals, the possibility of escalating demands, and the folly of contributing to the growth of a criminal market.
This new reason is that the ransomware may itself be bogus, a bluff, a pure scam.
Citrix surveyed UK ransomware victims and concluded that nearly 40% of them
had sustained a ransomware attack that was pure social engineering,
with no data encrypted or otherwise held at risk.
So again, back up your files and hang tough.
And finally, since there's proverbially no honor among thieves,
thieves are themselves on guard against their own kind.
A new service has appeared in the hacker market
that claims to enable criminals to gauge the reliability of their co-conspirators.
Ripper.cc, which Motherboard characterizes as the Yelp for cybercrime.
Hoods are invited to share information on Rippers,
that is, criminals who fail to deliver the goods they promise.
Motherboard has a sample review.
We won't quote the review verbatim because we're a family show
and the language is more appropriate to an Army Barracks or a Quentin Tarantino movie,
but the reviewer begins as follows, quote,
This leer, we're pretty sure the reviewer means liar,
is a shame for our community.
Community spirit aside, what bothers this particular reviewer is that the person he did business with bilked him of $250 and wouldn't return emails.
So there's no justice, darn it.
But we're surprised that contributors to Ripper.cc would think that a bad thing.
Joining me once again is Yisroel Mirsky.
He's a researcher and project manager at the Cybersecurity Research Center at Ben-Gurion University. Yisroel, I know you wanted to share with us today some of the work you all have been doing with 3D printers.
Yes. So, you know, as you know, 3D printing, or also known as additive manufacturing, is
a process where a layer on top of a layer of materials is placed to make some sort of
object or tool. So recently we've seen many companies use this technology for prototyping
to try and come up with a future product.
And the research firm Gartner predicts that soon 3D printers will be used
to make actual products and not just prototypes.
But like any computerized device, it can be hacked,
and hacking it can cause certain damages.
A team in our labs, actually in cooperation with the University of South Alabama and Singapore University of Technology and Design, thought it would be less likely that an attacker would go and try and infect the printer itself, but rather try and infect the 3D models. And I'll give you an example of what I mean. So instead of an attacker trying to infect Adobe Reader
and then have it be distributed to all the different clients,
they would rather infect the PDF itself
and have that perform the malicious activity
as it's read by Adobe Reader.
To demonstrate this kind of feasibility
and the potential damage of the attack,
what they did is they modified a 3D model file of a drone, and specifically for the propeller of the drone. And what they did is
they hid inside the propeller a kind of a cavity, kind of a gap of air. And they did it in a way so
that when you visually inspect it in the AutoCAD program and once it's printed, you don't see
anything wrong with the propeller. So the scenario looks something like this. Somebody at home or a company prints out a
propeller for their DJI drone. They replace the propeller. After a visual inspection, they see
nothing's wrong with it. They send their drone up in the air, and about two minutes later, the
propeller snaps off, and the drone comes tumbling down. A thousand dollars worth of equipment hits the ground.
And we've done a demo of this attack as well.
We printed out the propeller with the cavity and we showed that after two minutes of flying,
which you can assume the drone is going to be way up high in the sky, it just snaps right off and falls to the ground.
So like any new technology, security needs to be considered
from every kind of angle. And perhaps some sort of trusted method of sharing 3D model files should
be proposed or considered. Interesting stuff. Yisroel Mirsky, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.