CyberWire Daily - Stone Panda update. A new strain of Mirai. Bogus cryptocurrency apps are trending in Google Play. Mr. Assange is charged under the Espionage Act. Info ops. Law firms as phishbait.
Episode Date: May 24, 2019
Stone Panda is distributing the Quasar RAT. A new strain of Mirai is out. Bitcoin prices are up, and so is the incidence of malicious cryptocurrency apps in Google Play. The US charges WikiLeaks’ Julian Assange with seventeen new counts under the Espionage Act. UK political parties are said to have poor security. Huawei’s charm offensive. Russia points with sad alarm to NATO cyber deterrence policy. Bogus law firm emails prove effective phishbait. Joe Carrigan from JHU ISI on recent research from Google on the effectiveness of basic security hygiene. Guest is Nate Lesser from Cypient Black on “entangled enterprise risk.” For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_24.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Stone Panda is distributing the Quasar RAT.
A new strain of Mirai is out.
Bitcoin prices are up, and so is the incidence of malicious cryptocurrency apps in Google Play.
The U.S. charges WikiLeaks' Julian Assange with 17 new counts under the Espionage Act.
U.K. political parties are said to have poor security.
Huawei's on a charm offensive.
Russia points with sad alarm to NATO's cyber deterrence policy.
And bogus law firm emails prove effective phishbait.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Friday, May 24, 2019. There was more news late this week on APT10, also known as Stone Panda,
and enSilo found the group to be unusually active in April.
The samples the company inspected came from the Philippines,
which is in keeping with the APT's long-standing interest in Southeast Asia.
APT10 was distributing a version of the Quasar remote-access Trojan,
modified to incorporate the SharpSploit password stealer.
The recent campaign also made use of the PlugX machine scouting tool.
Trend Micro has discovered a new variant of Mirai,
Backdoor.Linux.MIRAI.VWIPT, circulating in the wild.
The IoT botnet's new variant repurposes 13 exploits,
involving everything from remote code execution to authentication bypass.
The assemblage seems opportunistic, but it's no less risky for all that.
Trend Micro's advice is both familiar and sound.
Patch and update vulnerable systems.
There's a rise in malicious crypto apps, wallets, and other items cropping
up in Google Play. ESET notices that this increase is significantly correlated with
Bitcoin price spikes, so criminals continue to do what they always do, follow the money.
The U.S. yesterday charged WikiLeaks founder Julian Assange with Espionage Act violations related to activities in 2009 and 2010.
The indictment supersedes the one filed last month.
Mr. Assange is currently serving a 50-week sentence in a British prison.
Both the U.S. and Sweden are seeking his extradition.
The latest charges arouse concerns about press freedom, in Wired, for example,
but the Justice Department counters that what WikiLeaks was up to had nothing to do with journalism.
For what it's worth, Amnesty International has said that it does not regard Mr. Assange as a prisoner of conscience.
The case will be interesting on many levels, but of course Mr. Assange will need to be extradited
before any precedent-setting proceedings can begin.
His tenure in Her Majesty's Prison Belmarsh won't be up until late this coming summer,
and there's considerable sentiment in Parliament for sending him back to face justice in Sweden.
Each of the U.S. charges under the Espionage Act carries a possible sentence of 10 years.
If he were convicted on all the charges
listed in the superseding indictment, and if they were imposed consecutively, he would face a
sentence of 175 years. We heard about Security Scorecard's study of political parties'
cybersecurity earlier this week. Another study is out, and this one focused on the United Kingdom.
A study from security firm Red Sift finds all 22 major British political parties have deplorable cybersecurity.
The Liberal Democrats, Labour, the Scottish National Party, the Socialists, and the Animal Welfare Party
have all at least implemented DMARC, which puts them ahead of the Tories, UKIP, and Brexiteers.
But on the whole, it's not a pretty sight.
Under increasing pressure as the U.S. blacklist extends its reach to international customers,
Huawei takes its charm counteroffensive to Vice.
Vice did a nice job with the under-attended press junket, polite but palpably skeptical.
The presentation is interesting if only because it illustrates the ways in which China continues to fumble with information operations.
Imagine the slicker packaging a Russian operation would have wrapped around the messaging,
and you'll see the contrast.
China has done much better with more traditional service tradecraft,
like funding think tanks and sending students to universities in target countries,
although the gaff has been blown on most of those approaches as well.
But here again we see the paradox of information operations.
Both China and the U.S. excel at selling things to mass markets,
but they have trouble selling narratives more complicated and insinuating
than the parable of the ring around the collar.
China's marketing successes, you may object,
are based on the fact that they sell affordable but reasonably reliable commodities,
and that's true.
But again, contrast Russia, whose only successful foray into consumer markets
has been the Kalashnikov battle rifle.
They don't make noodles or soft drinks for export,
but Moscow can get people to lap up the bogus news stories.
Speaking of Russian narratives, Moscow has taken note of NATO Secretary-General Stoltenberg's
London remarks, pointing out with somber alarm in Sputnik to the Secretary-General's obvious
point that a response to a cyber attack need not itself be just another cyber counterattack.
Anyone who's paid attention to NATO's strategic thinking for the past seven decades
isn't surprised by the Secretary-General's remarks.
Most retaliation, even proportionate retaliation, isn't retaliation in kind.
There's no law of armed conflict that says you have to respond to an attack by an armored division
with a counterattack by your own armored division.
But Sputnik manages to insinuate that NATO would be inclined to shoot down an airliner
or even use a small nuclear weapon in response to a phishing incident.
The use of language in the Sputnik article is worth remarking.
The publication alludes to the incident, as they put it, in which two former Russian nationals,
the Skripals, were poisoned in the UK. Britain says the GRU did it, but Sputnik points out that Russia has
refuted such accusations. Refuted isn't synonymous with denied, which of course is what Moscow
actually did.
And finally, emails that appear to carry threats of litigation are proving effective
phishbait, KrebsOnSecurity reports.
A phishing template that misrepresents its emails as coming from a law firm is being sold in dark web markets.
You can pick your firm from among Pullman & Associates, Weissman & Associates, Steinberg & Associates, Schwartz & Associates, or Quartermain & Associates.
The text of the email template warns the recipient that they are being charged by the city and that if they don't reply in seven days, "we will be forced to step forward with this action."
The usage is predictably wayward.
No law firm is likely to use the salutation "Hi," for example,
but it might be scary enough to spook the unwary and the naive into clicking.
So just say, "I write back at you," and delete the message unclicked.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast.
Joe, it's great to have you back.
It's good to be back, Dave.
We are going to cover a recent posting from the Google Security blog.
This is new research: "How Effective Is Basic Account Hygiene at Preventing Hijacking?"
Right.
This is right up our alley, the kind of thing we would talk about over on Hacking Humans.
It's one of my favorite things.
There's a lot of interesting data in this report.
There is, and it's a very concise report as well.
So it's a quick read and it's very good.
But they talk about different kinds of protective processes you can do for multi-factor authentication and for secondary knowledge-based challenges.
Okay.
They talk about six specifics here.
One is an on-device prompt, right?
This is where you have a phone and it says,
did you just log into your Google account? And you say, yes, it was me. No, it wasn't.
Right. Okay. Another one is an SMS code.
Text message.
A text message code.
Yep.
A security key, like a YubiKey or the Google Titan.
Right.
Using a secondary email address and a phone number.
Yeah.
That's another one, like having access to a phone number. And finally, the last sign-in location,
knowing the location of your last sign-in.
Oh, okay.
Yep, yep.
What's remarkable is that all of these,
with the exception of your secondary email address,
are 100% effective in this study of stopping automated attacks.
But what I also think is interesting is that SMS codes,
which I frequently describe as the least secure form of two-factor authentication,
because it can be socially engineered, right?
You can be talked into giving up the code.
And it can also be hacked by somebody cloning your SIM card.
Right.
That will stop 100% of the automated attacks as well.
Right.
So a bot is running through these username and password pairs.
It sees, enter the code we just sent you by the SMS.
It is just going to skip to the next, stop the attack and go on to the next one in the list.
Yeah.
It's not going to make an effort because that actually requires some human effort to get in there.
Right.
It is 96% effective in bulk phishing attacks.
Right.
So 96% of the time it stops a bulk phishing attack,
but against a targeted attack, where somebody is actively trying to work on you, it still has a remarkably
high success rate: 76% of the time it prevents you from having your account taken over.
So how do these numbers compare to the percentages if someone doesn't have these
sorts of things enabled? Right. So if you don't have like a phone configured with either the on-device prompt or an SMS code
or a security key, then they fall back to other knowledge-based systems. And we've already talked
about how the secondary email addresses is the only one that falls victim to the automated attacks.
Right.
But just a simple phone number can be as effective as 25%, right? So 25% of the time you're protected by it. So 75%
of the time somebody gets in. And with your last sign-in location, that knowledge base falls down
to a 10% protection level. So 90% of the time the attackers are successful. Probably because they
know where you signed in last from just by guessing, by knowing where you're located.
So there really is, I'm surprised at the gap here that, maybe I shouldn't be,
but the gap here that if you have these things enabled,
it's a big difference between having them and not,
according to what Google's tracked here.
Now, what about having a physical security key?
Now, that stops 100% of all these attacks.
In their study, nobody with a physical security key
lost control of their account.
Not even people targeted with, like, spear phishing.
Right.
But I guess the point here is that if you're someone who feels as though you could be targeted,
or for the things that you care most about, your financial things, you know, stuff like that,
boy, a security key is the way to go.
A security key is the way to go.
I use one.
It's called a YubiKey, and Google supports it.
So I have it as the sign-in on my accounts, and it will ask me for the key, and I have
to have the physical key.
That's a minor inconvenience, but it keeps my account secure.
Yeah.
All right.
Well, it's an interesting report.
Highly recommended.
Again, it's called How Effective is Basic Account Hygiene at Preventing Hijacking?
And that's over on the Google Security blog.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
My guest today is Nate Lesser. He's CEO at Cypient Black, a company that's looking to improve the protection of high-value targets, their families, and their personal digital lives.
The challenge begins, according to Nate Lesser, with the fact that convenience often trumps security when it comes to segregating our personal and professional digital ecosystems, something he refers to as entangled enterprise risk.
We think of entanglement as this notion that comes really from the concept of quantum entanglement,
this idea of spooky action at a distance: the idea that an attacker's action in one domain,
in one place, can have an impact somewhere else, in some cases even without a direct technical connection between
those two spaces. So the example that we focus on is that an attacker's compromise of the digital
personal life of a high-value target can have an impact on the company that target works for,
whether or not that attack then pivots to try and technically compromise the company. Or even just through the notion of, well, we think of entanglement as the idea that the compromise of that individual might affect the risk posture or the business operations of a company because of a reputational risk, or the loss of sales, or impact to other employees.
So what are some of the specific risks here in terms of having separate parts of your business
life entangled this way? I think it's important to recognize that this entanglement exists,
whether or not we kind of recognize it. And it's often not a technical entanglement.
So as I mentioned before, we think of this risk and we kind of classify the entanglement risk in
two ways. We refer to them as pivot attacks, which is what you would naturally expect, right?
Somebody compromises my personal cell phone. Perhaps I also do, it's owned by me and managed
by me, but maybe I also have my work email on it, and that's not well segregated.
So they're able to compromise something about my professional environment, and we think of that as a pivot attack.
Or maybe they compromise my Apple Watch or any kind of smartwatch.
And when I go into the office, I've hooked that smartwatch up to our
corporate Wi-Fi, which maybe my company allows. And then they can use it to pivot as a, you know,
an IoT device that's now on the corporate network. They could use that device to try and pivot
into the enterprise network. So we think of that in type of entanglement as pivot attacks. And
when we refer to that, we're often thinking of things that
enterprise security team has some awareness of or the ability to understand and know,
the ability to enumerate those attack vectors and points of ingress, and really the ability
to do something about. The other type of entanglement, which we talk about as
endgame attacks, when an attacker exploits the second type of entanglement, it's usually the
compromise of the personal digital life of the executive or high value target, or even just an
employee at a company, is the endgame in and of itself. And there is no pivot into the enterprise.
And when we think of those types of attacks,
unfortunately, the thing that characterizes them the most
is that the enterprise security team has no awareness,
no purview, no mandate to do anything
about those types of attacks.
And that's where we've really left our executives,
high value targets, and all
of our employees out in the cold. Can you walk me through a specific example of that second
possibility? Sure. So an endgame attack might look like, and this is a real world example from
a forensic investigation, a CEO of a major auto manufacturer was in the midst of a really nasty labor dispute
and in the midst of sensitive negotiations to resolve that labor dispute. When his daughter
went out on a lunch date and protesters showed up at that lunch date, somebody decided to check
her phone for malicious tracking
software and discovered something.
So this is now, and unsurprisingly, because the protesters were protesting, her activity
at this lunch was really about the labor dispute.
Unsurprisingly, the CEO of this company was dismayed and it derailed their negotiations, costing the company quite a lot of money.
So we're now looking at, from a technical perspective, three steps removed.
It wasn't the company that was compromised.
It wasn't the CEO.
It was his daughter's phone.
And yet it cost the company, I think the number was millions of dollars.
Well, how do you come at that? When you have something that far removed, and I think it's reasonable to expect people would be sharing things like home Wi-Fi and so forth, where do you begin?
Well, I think that's exactly the right question.
And I like that you caveated it in that way, right? When we think about it, you already started to put in place the notion that it's not like we can just
take the set of security capabilities we have in the enterprise and apply them to our personal
lives. They would break everything. So how do we start to put in place security protections
that really provide holistic coverage for individuals' digital personal life,
while simultaneously allowing our, we think of them as our protectees, the constituents that we're trying to serve, to interact with their digital
lives in the ways that they want to. We have some answers to that question, but I don't think we
have the only answers. But we do think it begins with enterprises recognizing this risk, and then
being willing to pay for protection for their, at least their executives and other high value
targets. So for big companies, those that are spending hundreds of millions of dollars a year
on their cybersecurity team, they've got all the expertise and all the capability in place that you could possibly want and imagine.
And yet they're not providing these kind of protections to their C-suite, to their board of directors.
And usually it's because their chief counsel will tell you, I don't want someone's home network logs to be inside the enterprise and be discoverable. And we can't possibly have those show up in some SEC filing
because we accidentally or intentionally released them
because we had to.
We need to have a bright line
between people's personal lives and the company.
And so we believe that the answer to this,
the long-term answer, the real solution,
is to have companies
provide cybersecurity for their executives and other high-value targets as a benefit
and to pay for it, but to have it provided just like your healthcare by a third party.
And the same way your doctor doesn't call up the company to tell them you're sick,
your cybersecurity provider for your personal life wouldn't have any technical connection back into the
enterprise, would not provide logs or incident information back to the company,
and therefore would preserve the privacy of the individuals that that company protects.
When that bridge has to be crossed, if something happens in the
executive's personal life, you know, a family member clicks on something they shouldn't, what's the chain to alert the business that we may
have an issue here?
Right, so it's a great question. You know, we've struggled
with this quite a bit, and I don't think we have the only answer. Yeah, the answer we
give is that there is no connection there.
If the executive wants to report back to their company, that's their business. But the same way
that your doctor is not going to call, your CEO might have a terminal illness. Nobody's calling
the company to tell them. Yeah. I mean, it's interesting. Again, it's just sort of straining the metaphor, but I'm imagining, you know, the CEO at the end of the day, you know, walking into the boardroom
and taking the Mona Lisa off the wall, putting it in the front seat of his car, driving home and
then hanging it on the wall above his fireplace and doing that every single day, you know, back
and forth between home and the office, right? He's got this incredibly valuable thing, but like you say, at the museum, it's properly protected, but at home,
not necessarily so much. That's exactly right. And so let's talk about what that,
going back to the notion of entanglement, what is the Mona Lisa? Well, it's not just a device that the enterprise has already locked down and protected.
The enterprise is doing a pretty good job of that. It's the information in the CEO's head.
It's the CEO's reputation itself. It's the safety of your CEO's children. It's your CEO's travel
patterns. Things that don't just exist within the confines of enterprise assets.
That's Nate Lesser. He is CEO at Cypient Black.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.