CyberWire Daily - The StingRays that were in DC. Old-school file formats and attack code. Ransomware becomes spyware. Joker apps ejected from the Play store. Multifaceted deterrence. Advice on BEC.
Episode Date: September 12, 2019
DC StingRays alleged to be Israeli devices. North Korea is slipping malware past defenses by putting it into old, obscure file formats. Ryuk ransomware gets some spyware functionality. Google has purged Joker-infested apps from the Play store. The US Defense Department explains its "multifaceted" approach to cyber deterrence. The FBI warns that business email compromise is on the upswing, and offers some advice on staying safe. Awais Rashid from Bristol University with warnings on accepting default settings on mobile devices. Guest is Bill Conner from SonicWall on side channel attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_12.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
DC stingrays are alleged to be Israeli devices.
North Korea is slipping malware past defenses by putting it into old, obscure file formats.
Ryuk Ransomware gets some spyware functionality.
Google has purged Joker-infested apps from the Play Store.
The U.S. Defense Department explains its multifaceted approach to cyber deterrence.
And the FBI warns that business email compromise is on the upswing and offers some advice on staying safe.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 12, 2019.
Politico says that three former senior officials with knowledge of the matter have told the publication that the U.S. government has concluded that stingray cell monitoring devices found in Washington, D.C. were probably placed by Israeli operators.
Stingrays, which have been used by various law enforcement organizations, are more formally known as International Mobile Subscriber Identity Catchers, IMSI catchers.
They can be used to intercept calls and monitor data use.
Official U.S. response to the story has been muted.
Politico dutifully reports the official Israeli denials of involvement.
Researchers at the security firm Prevailion have disclosed to CyberScoop that North Korean hackers are turning to more obscure file formats, like Kodak FlashPix, in the hope that these will slide past antivirus screens.
Prevailion's report calls the campaign Autumn Aperture.
They view it as a move in the faltering nuclear talks the DPRK is conducting with the United States and its allies.
Prevailion says, "We hypothesize that these documents sent via a socially engineered email would have likely been anticipated by the intended victims, thus increasing the threat actor's chance of success."
They offer examples of some of the documents being used in the campaign: Trojanized speaker's notes for a Nuclear Deterrence Summit presentation, a similarly Trojanized report on North Korean ballistic missile submarine capabilities, and a document impersonating a U.S. Department of the Treasury renewal notice for a sanctions license.
The researchers associate the campaign with the Kimsuky, or Smoke Screen, threat group, in turn associated with Pyongyang.
They note that Autumn Aperture is part of a trend in which malicious code is hidden in image files.
There seems to be a convergence between spyware and ransomware,
as some ransomware may be acquiring information-stealing functionality.
Bleeping Computer reports that MalwareHunterTeam has found that a strain of the widely used Ryuk ransomware appears to be exfiltrating files of interest to an FTP site.
The malware is particularly interested in military, intelligence, and law enforcement data.
Back in 2017, the Spectre and Meltdown side-channel attacks gained notoriety
for their ability to exploit vulnerabilities in modern CPUs,
to break down the isolation between programs running in the OS
or between different applications running on the same processor.
Since then, mitigations have been developed as well as methods for detection.
SonicWall is one of the companies who've been researching and providing mitigations to these types of side-channel attacks, and we checked in with Bill Conner, president and CEO at SonicWall, for an update.
It's very sophisticated. It actually goes right at the architecture of how memory and processing works. And basically, by side channel, what it's talking about is the malware comes in and it uses the cache of the processing, and it's a time sequence. So it takes those 256 bits, if you will, and turns them all off. And it looks to see which ones go to cache, because if it goes to cache, guess what? It's repeatable, one or zero. And that's how they decode what's happening on that chip. So whether it's encrypted or not, it doesn't matter. And so that becomes the real, real focus of a side channel attack. So that is why it will be one of those big moments if and when they take a shot at that, either at critical infrastructure or certain types of information.
Now, to be clear, have you seen any cases of people using these attacks out there in the wild?
Really important. We have not seen it weaponized yet, Dave. That's the important part.
Certainly the researchers are increasingly showing how it can be used.
Even knowing that, it's going to be, my view, our view is it will be a country state that has the expertise and resources to weaponize this exploit vector.
The problem is it will happen.
If you think about when Meltdown and Spectre came in, they came in in January of '18.
So we're a year and a half of public available data.
Clearly, China had it before that because it was Intel,
and they were working in China
on their manufacturing and their architectures to do that.
But it will happen at some point.
The target will probably be public private cloud data centers, virtualized data centers in a targeted company that could be a carrier provider or a high net target to a country state to disrupt.
And so why the emphasis on artificial intelligence and machine learning?
What does that bring to the table?
Yeah, really important question.
Machine learning, deep learning in our case is really important because think about it. Just this year, and we'll release in a couple of weeks, the first half statistics, but last year we had over 10 billion malware attacks.
Think of 5 billion if you just take half of a year, 5 billion attacks.
You have to find a way to process that very quickly and very effectively.
And those things are recombining, as I said, in malware cocktails.
People can't process that fast.
Now, all machine learning is not equal.
For those that are listening that understand deep learning and machine learning,
it's about the amount of data you got.
We got lots of that since we've been doing it for over 20 years.
And we've just been doing it on network security. The other thing, besides lots of data to improve your algorithms, you need is focus, so you don't have as many false positives.
As these guys recombine malware into different data structures, you need to really use not file-based, but artifact-based machine learning. And just like we talked about, these were never seen before. But in weeks or months, we're able to characterize the artifacts of all these attacks that they're attacking on the processor or side channel.
Even on traditional technology, forget side channel for a moment, this real-time deep memory inspection is a new mousetrap to catch some robo-mouses that are powering through traditional security techniques.
And what was powering it in Q1 was Russia.
And it was a financial spam.
So that's why this becomes important.
Because once you find a new attack factor,
how you weaponize it and what you weaponize it with
becomes kind of a choice of a country or a bad guy.
That's Bill Conner from SonicWall.
Google has now purged 24 apps infected with the Joker Trojan from the Play Store.
The Joker was discovered in the apps by researchers at the security firm CSIS Security Group.
They describe the Trojan as both a spy that collects data and as software that subscribes you to unwanted premium subscription services. It does so silently, and you may not notice what's going on until the bill arrives, or actually when you realize that you've paid the bill. CSIS offers some good general advice: pay close attention to the permissions apps ask for, and be stingy in granting them.
U.S. federal agencies are working out roles and responsibilities in cyberspace during the course of war games. Breaking Defense describes the exercises as bringing together organizations from the Departments of Defense and Homeland Security.
The U.S. Defense Department has also offered Congress a look at some of its current thinking on cyber deterrence. Deterrence is commonly thought of as involving the credible threat of retaliation, but the department calls its approach to deterrence multifaceted, with denial playing a significant part. An adversary can be deterred if they become convinced that their attacks would be futile. So sure, enemy state, maybe Cyber Command will go medieval on your networks if you, say, fiddle with an election, but on the other hand, it might be the case that you won't be able to accomplish what you'd hoped to do with your attack, so it might be better if you just forgot the whole thing.
In the wake of the arrests made internationally in Operation Rewired,
the U.S. FBI reiterates warnings that business email compromise attacks remain a persistent danger.
Much of the advice the Bureau is distributing is a matter of generally applicable cyber hygiene,
things like keeping your systems patched and up to date.
Some of them are good advice for any form of social engineering, like ensuring the URLs in emails are associated with the business they claim to be from, or being alert to hyperlinks that may contain misspellings of the actual domain name. And of course, refrain from supplying login credentials or PII in response to any emails. Business email compromise is at its core a form of social engineering, and wise organizations take measures to harden themselves against online con jobs.
But some of the FBI's advice is more specific to the risk of business email compromise,
like use secondary channels or two-factor authentication to verify requests for changes in account information.
And this one is really important. So for heaven's sake, don't wire a million dollars to some account just because you got an email from your CEO telling you to do so. And CEOs, don't do things that will accustom your people to responding to your bizarre whims. Maybe an email asking someone to go by your house to check on your pet iguana seems very far away from an email directing finance to send a quarter million to a vendor no one's ever heard of.
But remember, a journey of a thousand miles begins with a single step.
And joining me once again is Professor Awais Rashid.
He's a professor of cybersecurity at University of Bristol.
Awais, it's great to have you back. We wanted to chat today about default features that come from manufacturers of devices and some of the cautions that folks should have when it comes to that.
Absolutely. So, you know, we've all bought that new mobile phone and new electronic device and are keen to use and enjoy the features of this new device.
But you have to go through this setup phase where you have to basically enable or disable some settings as you're starting up your new device.
And the natural tendency of a lot of people is to, you know, just skip, skip, skip, and then move on so that they can actually start utilizing their new device. But implicitly in there, there are a number of features that manufacturers provide that can potentially collect data on the users or encourage users potentially to participate in particular services that the manufacturers provide.
And recent work that we have done actually shows that users have actually not a very good understanding of what these default features are and how they may capture data about the user.
Is this on the manufacturers of the devices to revisit these sorts of things?
Should there be nag screens that come on to remind folks to take a look at it?
There is a lot of focus around third-party apps. So let's take mobile phones as an example.
There has been a lot of work recently done on making users more aware as to what permissions those apps are requesting. This used to be a common feature on Apple's iOS, and Android now has a similar mechanism where it can show you what are the permissions the app is requesting and whether you are willing to give them or not. This is called dynamic permission setting, and so on.
But manufacturer-provided features are a little bit different from that.
And this is where the examples that I'm thinking of here are things like location services, which come as part of the operating system or the device that you get, or smart assistants like Siri and the Google Smart Assistant, as well as other things, like, you know, whereby the photo apps that come as default with the phone from the manufacturer will actually tag your location with the photo. And users actually often see them as part of the phone rather than as an application that comes from the manufacturer that is built into the phone.
And as a result, they are much more likely to ignore the privacy implications of actually leaving some of these features enabled that they may not need in the first instance.
There is perhaps some need for manufacturers to make users more aware
that these applications actually collect their data in particular ways and utilize that data.
It seems to me like there's also a balance here between the ease of use and the amount
of granularity that the providers give to the user.
Yes, and there is always that balance, because if you make things too complicated for users to configure, then again, you know, the risk is that they would actually go on to ignoring those settings in the first instance.
But equally, users often do not really see them as features that collect their data.
So the awareness about applications tends to be there compared to what the manufacturers provide.
And of course, from a manufacturer perspective, they do want people to use Siri and the Google Assistant and so on and so forth.
They do want people to sign into cloud services and so on.
But implicit within that is the user then giving up data and information to the manufacturer,
which users are not always fully aware that that's what's happening.
Yeah, it seems like there's a lot of different forces that are sort of in tension with each other when it comes to these things.
Yeah.
And the key here is that, of course, you know, sharing drives this kind of data-based economy in which we live.
The question we have to ask is, and there's not a simple answer here, to what extent users are really empowered to decide what they share and what they don't share. And to what extent, you know, there is this sort of tendency, perhaps encouraged by the design of the various products and services, for users to just quickly skip the setting that would get them to use the feature, because ultimately, nobody wants to spend loads and loads of time configuring a lot of different settings. And in many cases, users don't really have a full understanding of what those settings mean.
Well, Professor Awais Rashid, thanks for joining us.
For today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.