CyberWire Daily - Spearphishing utility companies. Bellingcat as gadfly, and target. Facebook takes down more coordinated inauthenticity. Card skimming. Tech regulation. Random acts of cruelty.
Episode Date: August 2, 2019

LookBack malware used in spearphishing campaigns against US utilities. Phishing Bellingcat. Facebook takes down two campaigns of coordinated inauthenticity that had been active in the Middle East and North Africa. The growing problem of online card skimming. The FTC's investigation of Facebook centers on acquisitions. The Fed visits Amazon. And followers of a YouTube streamer treat the homeless as punchlines in a big practical joke. Prof. Awais Rashid from University of Bristol on the ability to "smell" security issues in software. Guest is Matt Howard from Sonatype on their State of the Software Supply Chain report.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
LookBack malware has been used in spear phishing campaigns against U.S. utilities. Phishing Bellingcat? Facebook takes down two campaigns of coordinated inauthenticity that had been active in the Middle East and North Africa. The growing problem of online card skimming. The FTC's investigation of Facebook centers on acquisitions. The Fed visits Amazon. And followers of a YouTube streamer treat the homeless as punchlines in a big practical joke.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, August 2, 2019.
A new strain of malware has appeared in a phishing campaign directed at U.S. utilities. Between July 19 and 25, Proofpoint identified spear phishing emails that hit at least three U.S. companies in the utilities sector. The phish bait lay in the apparent origin of the emails. They arrived from what Proofpoint thinks is probably an attacker-controlled domain, ncease.com. The domain appears designed to be mistaken for one owned by the U.S. National Council of Examiners for Engineering and Surveying. The phishhook was an attached Microsoft Word document, weaponized with malicious macros to install a malware package Proofpoint calls LookBack. LookBack is a remote-access Trojan accompanied by a command-and-control proxy mechanism. The researchers believe there's enough evidence pointing to a nation-state as the actor behind LookBack, but the trail quickly grows cold. The overlaps with earlier campaigns strongly suggest a state-sponsored campaign, but it's insufficient to suggest which state might be responsible. The closest analogs to the LookBack campaign were earlier attacks against Japanese targets, in which China's APT10 was suspected, but again, there's not enough evidence for Proofpoint to offer attribution.

Bellingcat, the investigative journalist who for some time acted as a gadfly to the Russian government, was itself recently the subject of some phishing attacks. RiskIQ has taken a look at that recent phishing campaign, and they conclude that it was indeed closely focused on a small number of investigative journalists who've proven annoying gadflies to the Russian government. The campaign made adroit use of ProtonMail infrastructure, which lent it more plausibility than its phishing attempts might otherwise have enjoyed. The journalists being phished seem for the most part to have spit the hook, but the incident serves as an instructive cautionary tale. Researchers at ThreatConnect analyzed one of the phishing emails and linked 11 domains to the threat actor behind the campaign. All of these domains spoof ProtonMail, and some of them haven't been hosted yet. The researchers say the unused domains are potentially being held for use in further campaigns. Both ProtonMail and ThreatConnect note that Bellingcat has been targeted by Russian APTs in the past, and that the domain registrars and resellers used in this campaign have previously been utilized by Fancy Bear.
Russia isn't the only government Bellingcat scrutinizes. The investigative site's reports yesterday led Facebook to take down pages, groups, and accounts in both Facebook and Instagram for coordinated inauthenticity organized by the Kingdom of Saudi Arabia. Facebook says it took down a total of 217 Facebook accounts, 144 Facebook pages, 5 Facebook groups and 31 Instagram accounts. The focus of the information operation was on the Middle East and North Africa. The operators posed as locals and also ran some pages that represented themselves as local news organizations.

Facebook also took down accounts originating in Egypt and the United Arab Emirates. This second campaign was, in Facebook's judgment, distinct and unrelated to the Saudi effort, but it too represented coordinated inauthenticity. Like the Saudi campaign, this one also had a regional focus. The operators used compromised and bogus accounts to pose as local news organizations. Facebook determined that the activity was connected to two marketing firms with similar names, New Waves in Egypt and New Wave in the Emirates. In both cases, the pushing of a government line was fairly obvious, although the effort run from Egypt and the Emirates seems to have shown more sophistication and plausibility than the one operated by Riyadh.

Online card skimming seems to be a growing problem. Two major industry groups, the PCI Security Standards Council and the Retail and Hospitality ISAC, have warned of the rapidly developing threat of online pay card skimming. Magecart is the best-known umbrella term for the criminal campaigns that employ this tactic, which has been on the rise since its appearance in 2015. The most common infection vector for the JavaScript sniffers that do the stealing is third-party applications that are widely used by merchants. These typically include advertising scripts, live chat functions, and customer rating features. Troy Leach, the PCI Council's CTO, advises attention to security detail and a commitment to using best practices. He said, "By any measure, online card skimming is a big issue." Security firm Malwarebytes says it blocked some 65,000 attempts in July alone, which suggests the magnitude of the problem.
The U.S. Federal Trade Commission's recently opened antitrust investigation of Facebook is, for now, concentrating on the social network's acquisitions. The Wall Street Journal says that investigators are interested in seeing whether Facebook's acquisition of potentially disruptive smaller rivals formed part of a deliberate strategy to neutralize competitors. An FTC look at Facebook is probably overdetermined by the company's run of controversial news. But a recently revealed inspection of Amazon's Virginia facility by the Federal Reserve probably signals a deeper trend toward closer regulation, or at least scrutiny, of tech companies offering essential services to the financial sector. The visit took place in April, but it now seems prescient, given this week's breach disclosure from Capital One.
And finally, a repellent bit of YouTube trolling is sending the homeless to a non-existent shelter on Reseda Boulevard in the Los Angeles neighborhood of Tarzana. The deeply unfunny gag is apparently the work of fans of a YouTuber known as Ice Poseidon, real name Paul Denino, 24 years of age. Members of the Purple Army, as Mr. Denino's followers are known, are urging homeless people looking for shelter to find it at Ice Poseidon's expensive rental, described in press reports as a mansion. There was no shelter there except for Mr. Denino, who's believed to have paid as much as $25,000 in rent a month before vacating the property this spring. He could probably afford it. A profile of the YouTuber in The New Yorker puts his monthly income at around $60,000. Ice Poseidon sort of got the joke, but now says it's no longer funny. The Los Angeles Daily News quotes him as saying, "You've got some sad, pathetic people on the internet that literally just don't care about people. At some point, I realized it's not a joke anymore. Maybe the first time it was. Now it's not funny. It's dumb."

Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, it's great to have you back. You sent over a somewhat provocative topic that you wanted to discuss today, and it's "Can you smell security issues in software?" That has my attention. What are we getting at here?

So code smells are a well-known phenomenon in software, but more from a software maintenance perspective. So this was a term that was coined by Martin Fowler, and one example of that is the, you know, the shotgun surgery code smell. So for instance, if you want to make some changes, and if you have to make a single change and you have to make a lot of little changes in a lot of different places, then effectively you're doing a kind of shotgun surgery, which means that your code is not very well modularized, so to speak. And recently ourselves and other researchers as well, particularly at North Carolina State University, have been looking at as to, is there an equivalent of the code smell, but more like a security smell? And there are interesting findings that you can actually see by looking at the code in itself, that there are symptoms of where there might be, for example, poor security practices. So I mentioned there is work that has gone on at North Carolina State University, and they have looked at particularly code scripts that are used to deploy various pieces of software. And there are particular smells that you see there, in the sense of that there are admin privileges by default or hard-coded secrets, empty passwords, and things like that. And the reverse side of that is that we have ourselves been looking at whether the challenges that developers face, do they indicate that there are some kind of usability smells into how hard it is for them to use security and cryptographic APIs. And again, what we've found is that there are particular types of usability smells that indicate that it's not easy for developers to use the kind of security functionalities that the various APIs provide.

Now, when we're using this notion of smell, obviously, metaphorically here, is there a certain amount of intuition that's implied?

I think it's more than intuition in the sense that a smell does not necessarily mean that it is an actual vulnerability, but it indicates that there might be a weakness here. There could be good reasons why people may have done something in that particular manner, and that may also not necessarily mean that it leads to vulnerability. But it actually tells you that something might be wrong here, and that requires some attention and looking into, and you might want to consider whether the security configurations in the code at that point are right.

So it's an indicator that leads you to further investigation.

Absolutely. And it also helps developers, for example, reflect as they're looking at their code or reviewing their own code or other people's code, but also it helps, for example, those people who develop APIs or libraries to consider as to whether they are making them more or less usable for other developers who will be using them.

All right. Well, Professor Awais Rashid, thanks for joining us.
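As an added example (not code from the episode, from the University of Bristol, or from the NCSU research the interview mentions): a small linter that flags the three deployment-script smells named above, run over a constructed script fragment. The rule names and patterns are my own assumptions; a hit is a prompt to look closer, not proof of a vulnerability.

```python
import re

# Constructed sample deployment-script fragment (not from any real project).
SAMPLE_SCRIPT = """\
#!/bin/sh
export DB_PASSWORD=""
export API_KEY="AKIAEXAMPLEKEY1234"
useradd --groups sudo deploy
mysql --user=root --password=hunter2 -e "CREATE DATABASE app"
export DB_PASSWORD="${VAULT_DB_PASSWORD}"
"""

# Smell rules, in the order they are checked per line. The empty-password rule
# runs first; the hard-coded-secret rule skips values that are "" or start with
# "$" (an environment-variable or vault reference, i.e. not a literal secret).
RULES = [
    ("empty_password",
     re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*(\"\"|''|$)")),
    ("hard_coded_secret",
     re.compile(r"(?i)(password|passwd|secret|api_key|token)\s*[=:]\s*"
                r"[\"']?(?![\"']?\$)[^\s\"']+")),
    ("admin_by_default",
     re.compile(r"(?i)(--groups?\s+(sudo|wheel|admin)\b|--user=root\b|\bsudo\s+-i\b)")),
]


def find_smells(script):
    """Return a list of (line_number, smell, stripped_line) for every rule hit.

    A line can trigger more than one rule; line numbers are 1-based.
    """
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for smell, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, smell, line.strip()))
    return hits


def summarize(script):
    """Count hits per smell, which is what you would trend across a repository."""
    counts = {smell: 0 for smell, _ in RULES}
    for _, smell, _ in find_smells(script):
        counts[smell] += 1
    return counts


if __name__ == "__main__":
    for lineno, smell, text in find_smells(SAMPLE_SCRIPT):
        print(f"line {lineno}: {smell:18} {text}")
    print(summarize(SAMPLE_SCRIPT))
```

The last sample line, which reads the password from a vault variable, produces no hit; that is the shape a fix for the second line would take.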
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Open-source software governance and DevOps automation firm Sonatype recently published the fifth edition of their State of the Software Supply Chain report. It highlights best practices and what they label exemplary open source software projects and development teams. Matt Howard is chief marketing officer at Sonatype.

Well, first of all, the supply of open source continues to explode exponentially. You're talking about a vast number of open source libraries that are available. And this massive supply is being met with continued exponential growth in demand from development organizations around the world. You know, one and two person development shops all the way up to, you know, Fortune 50 kind of development shops. The world of software, as we know it, is largely being driven by supply of open source, and the developers' demand for open source reflects that. So in addition to sort of supply and demand dynamics, we're basically seeing a world where post-Equifax and more recently, you know, some fairly high profile breaches along the lines of event-stream, we're seeing that organizations, commercial organizations in particular, are becoming, I think, more aware of the need to govern the quality of the open source libraries that they're utilizing to build their mission-critical software.

You mentioned earlier the word exemplary, and that's a word that comes up a lot throughout this report. Can you describe to us, I mean, what are some of the things that you see from dev teams and projects that you label exemplary?

Yeah, I mean, just to put this into context, just so we're clear about what we looked at, I mean, we are at Sonatype, we're the curators of the Maven Central Repository, which is the world's largest public repository for Java components. So as a result, we have the ability to sort of do some pretty deep and rigorous research that no one else in the world would have. We discovered, you know, some interesting and important things that I think are about to set a new perspective in software development. Specifically, mean time to repair a vulnerability is something that we all understand. So if you're in the world of software and you get a new zero-day announcement from somebody like Apache, the question is, if you've got an application in the wild in production, are you aware of whether or not that particular library is in your application? Do you have a dependency? If so, is that dependency in the call flow? Is it potentially going to, you know, is it exploitable in the wild? And if it is, how quickly could you, you know, find it and remediate it is really kind of a question that I think all organizations post-Equifax are kind of grappling with. That's on the commercial consumption side of the equation. If you look at, you know, the open source project side of it, all of these open source projects themselves have dependencies. So these are, in many respects, there's these transitive dependencies. So an open source project has dependencies within dependencies within dependencies. It's kind of a Russian doll metaphor. And the question is, when there's a new vulnerability disclosed, do the open source projects themselves remediate those vulnerabilities? And if so, how quickly do they do it? So that's a question of hygiene with respect to vulnerability or dependency management. So that's the idea that what's the mean time to remediate a vulnerability? MTTR is one characteristic that we were particularly interested in studying. What we found is pretty surprising, that the mean time to remediate a vulnerability across 36,000 open source projects that we studied is 326 days. The median time is 180 days. So essentially what that says is, on average, across 36,000 open source projects, when a new vulnerability is disclosed, that project will fix the vulnerability in its library within 326 days. …good or bad. I think as an industry, we're just now getting to a point where we understand what hygiene looks like for open source components and projects. And over time, we'll probably get to a better position to judge whether it's good or bad. And ultimately, perhaps, you know, we'll see organizations change consumption patterns and popularity will rise and fall based on the quality or the hygiene that's being practiced by a particular project.

The other thing I want to touch on is the idea of mean time to update. Dependency management in software development has been talked about for a long time. And there's an old saying that the best engineering teams or really good engineering teams reserve time in their project schedule to do dependency management. But the best engineering teams actually automate that process. And so if you're really good, you're going to be constantly updating your dependencies to either the most current version of the library or perhaps the next most current version of the library. And this idea of updating your dependencies constantly is a really important and interesting hygiene characteristic that's exhibited by both open source project teams as well as by commercial teams, commercial development teams. And in this particular case, what we found is that the teams, the open source projects that practice good MTTU, that's mean time to update, meaning they themselves are constantly updating their own dependencies, almost by default, they practice really good security hygiene with respect to remediation. The point is, if they're always fresh in terms of their dependencies, they're going to be secure as well. And so stepping back from the research, we realized that perhaps the more important characteristic when looking at hygiene across open source projects is mean time to update, or the pace at which you do dependency management, versus mean time to remediate.

So what are the key take-homes here in terms of advice for folks who wanna be heading in that direction of joining those groups of exemplaries? Where are the good places for them to start?

The take-home here is that modern software development teams are really manufacturing software applications in a very similar process to the way that Toyota manufactures cars. If you think about it, decades and decades ago, Toyota invented supply chain automation for how to build cars with physical parts. And the world of software as we now know it is realizing that it's important to automate your software supply chain so that you can manufacture applications using digital parts called open source libraries. A long time ago, Edwards Deming was instrumental in helping companies like Toyota automate their supply chains. And he essentially taught four principles. You want to source your parts from the absolute best suppliers in the world. You want to source only the best parts from those suppliers. You want to track and trace the location of all of those parts as they move through the software supply chain or the manufacturing process. And ultimately, you want to have a bill of materials after the application or, using the analogy, the vehicle is put into production. You want to have a bill of materials so that you can conduct an orderly and effective recall in the event that you're notified of a faulty part. So the analogy is how quickly could an organization respond to the Apache disclosure with respect to the Struts vulnerability? You know, some organizations responded very well if they had a grasp of their software supply chain. Other organizations struggled, quite frankly, to respond. Looking at the analogy, think about Toyota and how quickly and efficiently they were able to conduct an orderly and effective recall when they had the Takata airbag defect a few years ago. So in that view of the world, we're basically seeing very clearly that not all those open source parts are created equal. There is a real difference between high quality and lower quality. And we also know that whether you're manufacturing physical goods or digital goods, it's always a really good idea to source the best parts from the best suppliers, much like Deming taught Toyota decades ago.

That's Matt Howard from Sonatype. We've been discussing their State of the Software Supply Chain report.
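As an added example (not Sonatype's code and not from the report): the "bill of materials, then recall" step of the Toyota analogy above, as a lookup over constructed per-application SBOMs against a constructed advisory. The component coordinates, versions and advisory are placeholders I made up, not a real library or CVE.

```python
from dataclasses import dataclass


def parse_version(v):
    """'2.3.15' -> (2, 3, 15); a non-numeric segment such as 'rc1' compares as 0."""
    parts = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    """A vendor disclosure: which component, and which version range is affected."""
    group: str
    artifact: str
    affected_from: str  # inclusive lower bound
    fixed_in: str       # exclusive upper bound: this version and later are safe

    def affects(self, version):
        v = parse_version(version)
        return parse_version(self.affected_from) <= v < parse_version(self.fixed_in)


# Constructed SBOMs: app name -> list of (group, artifact, version) coordinates,
# including transitive dependencies ("dependencies within dependencies").
SBOMS = {
    "billing-portal": [
        ("org.example", "web-framework", "2.3.15"),
        ("org.example", "json-lib", "1.9.0"),
    ],
    "inventory-api": [
        ("org.example", "web-framework", "2.5.13"),
    ],
    "legacy-reports": [
        ("org.example", "web-framework", "2.5.12"),
        ("org.example", "json-lib", "1.8.0"),
    ],
}

# Constructed advisory with placeholder coordinates (not a real project or CVE).
ADVISORY = Advisory("org.example", "web-framework", "2.3.0", "2.5.13")


def recall(sboms, advisory):
    """Return {app: [affected versions]} for every app shipping an affected part.

    This is the 'orderly recall': with a bill of materials per application, the
    question 'is that library in my application?' becomes a lookup, not a hunt.
    """
    affected = {}
    for app, parts in sboms.items():
        for group, artifact, version in parts:
            if (group, artifact) != (advisory.group, advisory.artifact):
                continue
            if advisory.affects(version):
                affected.setdefault(app, []).append(version)
    return affected


if __name__ == "__main__":
    for app, versions in recall(SBOMS, ADVISORY).items():
        print(f"{app}: recall needed, ships {ADVISORY.artifact} {versions}")
```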
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.