CyberWire Daily - Shamoon update. Sabre discloses possible breach to SEC. Mobile device and VPN threats and vulnerabilities. Information operations and cyberespionage.
Episode Date: May 3, 2017
In today's podcast we hear that Shamoon's Trojan servant seems to have got a new comms channel. Sabre discloses possible breach: hospitality and travel sectors affected. Some more things to worry about: ultrasonic beaconing, SIM card fraud, VPN privilege escalation, and another bad app in the Play Store. (But you can fix all these.) Governments look to social media restrictions to control hate speech and fake news. (Social media providers look to human curation and the blockchain for help.) Level 3's Dale Drew describes the evolution they're seeing in botnets. Tripwire's Craig Young shares his research on hacking smart TVs. Cyberespionage and influence updates, from Washington to Seoul.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Shamoon's Trojan servant seems to have got a new comms channel. Sabre discloses a possible breach; hospitality and travel sectors are affected. Some more things to worry about.
Ultrasonic beaconing, SIM card fraud, VPN privilege escalation, and another bad app in the Play Store.
But you can fix all these.
Governments look to social media restrictions to control hate speech and fake news.
Social media providers look to human curation and the blockchain for help.
Plus, cyber espionage and influence updates from Washington to Seoul.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Wednesday, May 3, 2017.
There's some follow-up this week on the Shamoon campaign, the destructive malware attack whose
successive waves have hit Saudi enterprises since 2012, most recently in late 2016.
The campaign is generally believed to have been run by Saudi Arabia's regional rival Iran.
The specific threat actor is called Greenbug.
Researchers at Arbor Networks have been looking at Greenbug's tradecraft.
In early phases of its attacks, Greenbug installs a remote-access Trojan, a RAT called Ismdoor, to harvest credentials from its targets.
Controllers have established bidirectional communications with their RAT using HTTP-based channels.
But that's now changed.
Greenbug now cloaks its command and control chatter in DNS TXT record queries and responses,
a stealthier and more evasive method of communication.
Sabre, the Texas-based travel and hospitality company, disclosed a possible breach in its
10-Q report filed yesterday with the U.S. Securities and Exchange Commission.
The report, which covers the quarter ending March 31, 2017, said that Sabre was investigating possible unauthorized access to payment systems.
The investigation, which Krebs on Security says Sabre has entrusted to FireEye's Mandiant unit, concerns potential exposure of personally identifiable and paycard information.
Sabre SynXis is used by some 32,000 properties, which themselves must now deal with the possibility of a major third-party breach. The third party in this case would be Sabre.
The Vault 7 documents released by WikiLeaks included a hack of Samsung TVs,
codenamed Weeping Angel, which reportedly turned the smart TV into a listening device.
Craig Young is a principal security researcher at Tripwire,
and he shares his own research into smart TV vulnerabilities.
In research that I conducted late in 2015, just looking at a small selection of smart TVs,
three brands, which I'm not going to name because we're still going through the
disclosure process with these companies. But basically I found that on one of the TVs within
just a few minutes, I was able to get a root shell through some local access things. So like
another issue where if somebody had a remote control, they could punch in some commands and
take control over the TV. Or if they had access to a USB port on the powered-up TV,
they could plug that in,
and it would simulate the remote control commands
to get code execution on the TV.
Another problem that I found on a separate model of television
was actually that the services involved
with doing control from your phone to the television,
like, for example, if you want to send up YouTube or Netflix to the TV,
there was a misimplementation within that such that you could actually force the television
to load any arbitrary web page.
And directly this has some implications: if this television is in some sensitive area like a conference room and somebody's giving a presentation, you could certainly cause some embarrassment by flashing up some inappropriate content on the screen at the wrong time.
But the risks are actually a lot more severe than that.
The web browser technologies that are implemented into smart TVs, they do not get updated very often.
And you might get an update once a year.
It might not include security fixes.
then have a pretty good chance of being able to get it to run arbitrary code and take over controls of that TV,
whether it has a camera on it or a microphone on the remote for being able to do voice-activated commands.
And this is quite a serious problem because it's not just limited to that case where I have my phone or my laptop and I'm on the same network as your TV and I can directly
talk to the TV and tell it to do bad things. But also because of the nature of these technologies,
it's possible that a malicious website that you browse to while on the same network as that
television can relay commands over to the television and take control over it. That is
a real world possibility of a completely remote television smart TV hack.
That's Craig Young from Tripwire.
Research presented at the IEEE European Symposium on Security and Privacy
found that ultrasonic beaconing, a marketing tool with privacy implications,
is becoming increasingly common in Android applications. Some 234 current apps use it. Many of those apps
are quite mainstream, used to track users and their habits, but the potential for
abuse raised eyebrows at the IEEE symposium. Users are typically quite
unaware that this functionality is part of the package they installed. So
restrict apps' access to your device's microphone
if you don't want to be tracked.
A researcher claims to have demonstrated
a privilege escalation vulnerability
in the demotically named VPN service HideMyAss.
But holy fundament, kids,
the service is thought unlikely to patch the flaw,
so CYA with care.
And be careful around SIM cards, those things you can change out when you upgrade your phone or move to another carrier.
Fraudulent SIM swaps are enabling criminals to take over a phone's identity and kill the phone you own.
Good security hygiene is your first defense, according to Naked Security.
Be alert for phishing and waterholing.
Don't use obvious security questions, and consider using a password manager.
Keep your on-access antivirus running and up-to-date,
and consider switching your two-factor authentication away from SMS to an authenticator app.
How do you know you've become a victim?
If your phone suddenly drops to emergency-only status, be very suspicious.
Another quick note: don't use the Super Free Music Player app from Google's Play Store.
It's malware. Concerns over fake news have spooked service providers and emboldened various national
authorities to seek ways of controlling it. China plans to establish its own state-vetted
Wikipedia alternative inside the Great Firewall. UK MPs want a new legal review of hate speech.
And Malaysia threatens WhatsApp admins with jail for spreading rumors.
Facebook plans to hire 3,000 analysts to review its users' content.
A startup called UserFeeds is working on a technical solution.
It thinks it can apply the blockchain to news discovery and social content. The future here
is murky, but some are disturbed that restrictions as opposed to counter-messaging seem to be,
as they say in social media, trending. Commenting on espionage in cyberspace,
security expert and entrepreneur Eugene Kaspersky observes that everyone hacks everyone.
U.S. intelligence community officials, including the directors of the FBI and NSA, are testifying about Russian influence operations before Congress this week.
And in Seoul, they're not in much doubt as to who hacked South Korea's military cyber command in 2016.
After nine months of investigation, prosecutors concluded that the evidence points north toward Pyongyang and the DPRK.
Some 26 individuals, including the cyber command head, are expected to face disciplinary action for failing to prevent or contain the incursion.
Joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications.
You know, we certainly see a lot of news about botnets, of course, the famous Mirai botnet and other ones that are growing and blooming.
But you wanted to make the point that you're seeing some evolution when it comes to botnets.
And quick evolution as well.
I mean, you know, we used to see evolution of botnets every, oh, I don't know, every couple of years or so.
And when I say evolution, I mean a very significant change in behavior,
sophistication, or capability.
And now between botnets like Bashlite,
and now there's a new botnet called Hajime.
Hajime.
Hajime.
Yeah.
That one tripped me up too.
I got corrected by someone I work with who happens to know Japanese.
No, it's Hajime.
Hajime.
Excellent.
Well, I mean, that botnet represents what we think is a pretty significant shift in botnet behavior and botnet capability.
I mean, not only is it extremely sophisticated in its code, this botnet has got assembly language built into it as an example.
It's also peer-to-peer. So it's changing the sort of dynamics about how a botnet operates,
where botnets, for the most part, are operating where you have a sort of command and control
infrastructure managing a set of nodes or robot nodes, botnets, and having it do their bidding.
In these new botnets, they're using BitTorrent as the sort of communication protocol
where every node is now a botnet node and every node is a command and control infrastructure.
So it's very, very difficult to be able to sort of cut the head
off of a botnet these days when that botnet is now sort of a flat peer-to-peer network.
And what are you seeing in terms of the amount of traffic that these botnets are generating?
You know, we've seen studies that show about 29% of all internet traffic is bad botnet traffic.
There was a report that showed about half of all internet traffic
is either a good botnet or a bad botnet,
meaning some sort of automated system
that is either inventorying the internet,
reaching out to end users,
doing machine-to-machine sort of communication.
But about 30% of all internet traffic is bad botnet traffic.
We're also seeing the cost of botnets
get a lot more routine-based, meaning that pricing of botnet, you can rent a 65,000-node botnet for
around $6,000 a month. We've also seen it as low as $5 an hour, where someone can rent 50,000 nodes for about $5 an hour. So these new trends and being
able to commoditize the botnet environment are putting significant motivation in the ability
to make them much more sophisticated and much more difficult to take down.
All right, Dale Drew, thanks for joining us.
And that's the Cyber Wire. We are proudly
produced in Maryland by our talented team
of editors and producers.
I'm Dave Bittner. Thanks for listening.