CyberWire Daily - Threats and vulnerabilities, old and new, include Emotet and Mirai. CISA advises of DDS vulnerabilities. Arrest in a revenge porn case.
Episode Date: November 16, 2021

Older threats, including Emotet and Mirai, are out and about, and an old vulnerability, Rowhammer, gets a fresh proof-of-concept. A new banking Trojan threatens Europe. Intel works on vulnerabilities.... CISA advises awareness of recently reported DDS vulnerabilities. Joe Carrigan explains how spearphishers are using customer complaints as bait. Rick Howard speaks with Carlos Vega from Devo on supply chain issues. And an arrest is made in a Maryland revenge porn case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/220
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Older threats are out and about,
and an old vulnerability gets a fresh proof of concept.
A new banking trojan threatens Europe.
Intel works on vulnerabilities.
CISA advises awareness of recently reported DDS vulnerabilities.
Joe Carrigan explains how spearphishers are using customer complaints as bait.
Rick Howard speaks with Carlos Vega from Devo on supply chain issues.
And an arrest is made in a Maryland case of revenge porn.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 16th, 2021.
A few older threats and vulnerabilities are resurfacing this week. Researchers have begun
seeing signs that Emotet,
a botnet widely used to distribute spam
that carried other payloads, has resurfaced.
The other payloads included Qakbot and TrickBot,
which in turn were used to deliver initial access
for ransomware infestations with Ryuk, Conti,
ProLock, Egregor, and other strains.
Recall that Europol had effectively disrupted Emotet's infrastructure back in January
and arranged for general uninstallation.
That uninstallation of the malware, led by German authorities, took place in April.
BleepingComputer reports that TrickBot has recently been observed
dropping an Emotet loader into infected devices.
German security firm G-Data blogged that on Sunday it detected a DLL that appeared to be Emotet.
It subsequently confirmed the identification.
The Record, which has been in touch with researchers at Cryptolaemus,
who've been tracking the reappearance of Emotet,
writes that the comeback appears to be in its early stages.
Emotet isn't yet actively sending out spam, and it appears the operators may be trying to quietly re-establish
their infrastructure. The Cryptolaemus researchers said, it doesn't seem too large at this time,
and we are not seeing active distribution yet. But the malware's reappearance will be worth keeping an eye on.
The Mirai botnet, venerable by botnet standards, is also back. Cloudflare says that last week it
blocked a DDoS attack from 15,000 IoT bots and unpatched GitLab instances running Mirai.
The attack peaked at almost 2 terabytes per second.
It was a brief attack, lasting just about a minute, but impressive in its volume,
even if it fell short of setting a record. DDoS attacks appear to be regaining some
popularity among criminal organizations who use them to disrupt businesses they're targeting for
extortion. They can also serve as a form of noisy misdirection to cover other, more serious attacks.
The bad guy's way of saying, look, there's nothing up my sleeve.
There's also a fresh Rowhammer proof of concept out and about.
Researchers at the COMSEC Computer Security Group published an account of a new approach
to exploiting this familiar vulnerability.
Quote, it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a
significant impact on the system's security as DRAM devices in the wild cannot easily be fixed.
End quote. Newer DRAM modules, DDR5 devices,
are thought to be more resistant to exploitation than earlier and still widely used modules,
but it's not clear that they're immune. There's no evidence that this exploit is being used in
the wild, but there's also no clear mitigation readily available, and it would seem that Rowhammer in general requires further
work. There are also some new threats and vulnerabilities. An Android banking Trojan
researchers at Cleafy are calling SharkBot is affecting banking customers in Europe.
According to The Record, SharkBot appears to be in a relatively early stage of development,
but it's enjoying some success by using automatic transfer systems to bypass protections
normally provided by multi-factor authentication.
As is the case with many other Android trojans,
SharkBot covets access to the Android Accessibility Service,
a perfectly legitimate feature that's intended to automate certain interactions
in ways that make it easier for physically impaired users to work with their devices.
The Trojan uses the features of the accessibility service to mimic screen taps and perform malicious tasks,
such as granting itself admin rights, showing fake login screens on the user's device,
collecting keystrokes, intercepting and hiding
two-factor SMS messages, and accessing mobile banking and cryptocurrency apps to transfer funds.
For now, SharkBot's able to interact with 22 banks based in the UK and Italy and with five
cryptocurrency applications, but it's reasonable to expect the criminal operators to open their net wider.
Intel has released firmware updates for a privilege escalation vulnerability in some processors' BIOS.
Intel is also addressing, according to Ars Technica,
an issue that could allow an attacker with physical access to backdoor some chips.
Positive Technologies outlines the bug's implications. The issue comes down to a debugging function with excessive privileges. Positive Technologies' Mark Ermolov
wrote in the company's blog, quote, one example of a real threat is lost or stolen laptops that
contain confidential information in encrypted form. Using this vulnerability, an attacker can extract the encryption key
and gain access to information within the laptop.
The bug can also be exploited in targeted attacks across the supply chain.
For example, an employee of an Intel processor-based device supplier
could, in theory, extract the Intel CSME firmware key
and deploy spyware that security software would not detect.
This vulnerability is also dangerous because it facilitates the extraction of the root encryption key
used in Intel PTT, that's Platform Trust Technology, and Intel EPID, Enhanced Privacy ID technologies,
in systems for protecting digital content from illegal copying.
For example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management.
Using this vulnerability, an intruder might extract the root EPID key from a device, an e-book,
and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them.
Again, exploitation would require physical access to the targeted devices, but that access would need only be brief, a matter of minutes, not hours.
CISA warns that vulnerabilities affecting Data Distribution Service standards are being reported. The agency's advisory says,
CISA is aware of a public report detailing vulnerabilities found in multiple open-source and proprietary Object Management Group Data Distribution Service implementations.
This advisory addresses a vulnerability that originates within
and affects the implementation of the DDS standard. In addition, this advisory addresses
other vulnerabilities found within the DDS implementation. CISA is issuing this advisory
to provide early notice of the reported vulnerabilities and identify baseline
mitigations for reducing risks to these
and other cybersecurity attacks, end quote. There's no known exploitation of these vulnerabilities in
the wild, but CISA recommends applying the patches and mitigations the affected vendors are making
available. Those vendors include Eclipse, eProsima, Gurum Networks, Object Computing, Real-Time Innovations,
and Twin Oaks Computing. If you're a customer, check in with them for specifics.
And finally, an arrest has been made in the seamy DIY world of revenge porn,
in which alienated affection leads a disappointed once-and-future suitor to distribute, non-consensually, saucy
photos of an inamorata online. In this case, a small-town mayor in Maryland, the Honorable
Andrew Bradshaw, Republican of Cambridge—and we stress that's Cambridge, Maryland, and not
Cambridge, Massachusetts, still less Cambridge, England—has been arrested and charged under
Maryland law with some 50 counts
of distributing revenge porn, the Dorchester Star reports. And that's Dorchester, Maryland,
not Dorchester, Massachusetts, still less Dorchester, England. His honor, of course,
enjoys the presumption of innocence until such time as he's convicted, should, of course,
he be convicted of what he's allegedly done.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's Vanta.com slash cyber for a
thousand dollars off. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals
to bypass your company's defenses
is by targeting your executives
and their families at home?
Black Cloak's award-winning
digital executive protection platform
secures their personal devices,
home networks,
and connected lives.
Because when executives
are compromised at home,
your company is at risk.
In fact,
over one-third of new members
discover they've already been breached. Protect your executives and their families 24-7, 365
with Black Cloak. Learn more at blackcloak.io.
The supply chain is in a lot of headlines these days, both in the real world and cyberspace.
Our own Rick Howard checked in with Carlos Vega from Devo for his insights on the supply chain.
A few weeks ago, I had the great pleasure to talk to a longtime friend of mine and an old army buddy.
My name is JC Vega. I've been in cybersecurity for over 20 years and in security for over 30 years. And I recently took over the CISO job at Devo,
the cloud-based SIEM. And we got to talking about why we both thought that the way the
network defender community currently defends cyber supply chains is broken. First of all, we got to expect the anomalies and we have to be
prepared to respond when we do detect something. We say that in cyber, the adversary is moving at
machine speed and we have to be able to coordinate and react at machine speed. And there's some truth
to that, but there's another aspect of it, and that is developing those trust relationships
in the environment itself. That means the dependencies that you have with your suppliers
or even partners, you have to be able to engage them to either inform, persuade, or influence them to adjust their posture to meet your security requirements.
You're saying that the way we fix this is we make our suppliers get better at security than we are?
We don't make them get better independently of our system. We complement one another. And the idea is that if you look at
the different terms, defense in depth, collective defense, zero trust, if you find weakness in one
of your partners, you may have to invest in them to help them bring up their standard
so that they can comply with your security requirements. And that's an investment.
I'm not against that idea, but let me play devil's advocate here. SolarWinds,
that's a significant company. What would you suppose you would help them do?
They have competitors. And sometimes it's going to be the market that is going to drive the
standard. Sometimes it's going to be regulation that drives a standard.
And sometimes it's going to be your risk acceptance.
So it's not necessarily just saying I'm beholden to one product or one service.
The idea is you have choices out there and you can choose to accept that risk or you can choose to do something else.
That part I totally agree.
You know, why would you allow anything from the SolarWinds administration box to touch anything else in your environment?
To me, that's a zero-trust strategy, not a technology.
I'm not talking about a zero-trust strategy.
I'm talking about identity management or two-factor authentication. I'm not going to allow
anything coming from the SolarWinds admin box to reach out and authorize tokens from my exchange
environment in the cloud. That's a no-brainer. When we first got into this, root was the god key. If you had root access to something,
you can control everything. And the idea of looking at these systems, what type of permissions,
why would this system need root access to operate in your environment? And so you have to see what
permissions do they have? Do they need that permission? Do they really need that permission? And if they do, then how do you mitigate that risk? How do you reduce your exposure to them? How do you keep them outside of your precious assets so that they cannot cause a material harm to your original idea.
If you have some piece of software that demands that they have root privileges in your network, that's where you can leverage them and say, listen, I'm not going to buy you guys because you got an obvious problem with your security. I'll go to your competitor.
make that process or that tool provide the functions to your system.
If you're tied to that system and that tool,
then I have to change and adapt my environment given the risk that I have with those tools or processes that I have there.
I can't control everything, but I should control,
maintain control of the things that I do have complete responsibility for.
That was JC Vega, the CISO at Devo.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Joe, I don't know how to say this,
and I hate to air things publicly like this,
but I've got some bad news. We've had
some complaints. Specifically, we've had complaints about you and your appearances on our show.
I have put them, I've gathered them together, and I've emailed them to you. You'll find a PDF file in your email.
So I just need you to click through on that PDF file to read some of these complaints.
And I'll open that right away, Dave.
And of course, I am just kidding, Joe.
Everyone loves you and you get lots of great reviews.
Oh, do I?
Good.
I'm glad to hear that. But what I have done is I've led us into this.
I've cleverly led us into this story from the folks over at Naked Security by Sophos,
written by the great Paul Ducklin.
And this is about a scam that's taking advantage of people's emotions in kind of a unique way.
What's going on here, Joe?
So what Paul is talking about here is kind of like what you just said.
It's an attack targeting more junior members of a support team or some customer-facing team.
They have a great formula in here that says guilt plus fear equals haste, right?
Which is what they're trying to do.
What these malicious actors are trying to get you to do is to click through the link without thinking about it.
Okay.
They're trying to make you feel guilty and to scare you to do that. And there's a great example that Paul received here.
Apparently, people call him Duck. The email reads, Duck, call me back. And it says, Duck,
I'm on my way into the office. Why didn't you tell me about this customer complaint in PDF
on you? Call me back right now. And then it has a link to the report, to the customer
complaint report. Now, one of the things that Paul talks about in this is that while this is
technically a spear phishing attack because they have targeted him and other people in his
organization directly, it's very easy to automate this process with a spreadsheet of contact
information and with a list of email addresses that has
the contact information associated with it. Because frequently when you send out an email,
it has your first and your last name. Right. One of the things that always sets me off is when it
says Joseph in my email, because nobody addresses me as Joseph. They all address me as Joe. Right.
Right. So whoever signed me up for the PR Newswire, maybe you go into that database and change it to Joe and I can more quickly delete your emails. So Paul talks about how easy it is to put together well. Like they went to
a Google
branded webpage that was hosted on
Microsoft services.
And of course that doesn't jibe in people's
minds and maybe that sets people off.
But they're hoping that
you're upset
that you don't notice this.
Then at one point in time,
you are asked to download a file,
and it says, you know,
it's even got a picture here that says,
preview of the report is ready to open.
It didn't work.
Try downloading again.
And when you download it,
it actually downloads an AppX bundle,
which is a Microsoft bundle
that is essentially executable.
You can think of it as an installation program that
doesn't bother the user with architecture concerns. Okay. Okay. And what that means is when a user
downloads a program, they have to know what their architecture is. Am I on 32-bit or am I on 64-bit?
Am I on an x86 or am I on an ARM processor?
Right.
Well, those questions are not readily answerable by the vast majority of computer users. They have to go think about that. In fact, I don't even, I mean, I know what I have on mine, but on this Chromebook I don't know what the architecture is.
Right, right.
I have to look it up. So the solution to that is they build these AppX bundles that will run on just about any Windows platform that you have. So it's got the compiled code for everything, or maybe it can put the right machine instructions in there.
Right. But when you start running it, you get an application that looks like it's been
trusted by Microsoft. It's been signed with a certificate. But the certificate is from an
accounting firm in Southwest England, if you
actually look at the information about it. But it still says it's Adobe on the install screen.
And one of the capabilities, or actually the only capability it wants, is all system resources.
Oh, just that.
Right.
Okay.
So what happens here when you install this is it immediately calls out to an IP verification service, which Paul notes that's really not necessary.
Because as soon as this machine connects to command and control servers, they'll have the IP address, the public-facing IP address.
Okay.
But they're double-checking that.
And then it gathers up what might seem like innocuous information.
It gathers up all the statistics about your machine, like what your architecture is, how much RAM you have, how much free hard drive space you have, and sends that to command
and control. This is a BazarBackdoor install, which is malware that is capable of downloading
more malware. So you think of it as a kit, right? So if I'm a bad guy, I go out and I get a bunch
of these machines infected
with this BazarBackdoor.
And now I have control over them.
They're all reporting back to me on some regular basis.
Now I have an army of bots ready to do whatever I want.
And all I have to do is either buy or write
or develop or something the functionality I want
and distribute it to these bots and they'll do it.
It could be anything.
It could be crypto mining.
It could be ransomware.
It could be password cracking.
Yeah.
It could be whatever I want it to be.
But the real clever part of this,
you know,
besides what's going on technically
is the hook itself.
The hook itself is...
The emotional part.
Right.
We got away from that
because we're on the Cyber Wire podcast,
not on Hacking Humans,
but this is the kind of stuff we talk about in Hacking Humans. They're looking to fire off your amygdala, right, to short circuit your thinking and to induce cognitive narrowing so that you don't think about the things that are setting off red flags about the situation. All you think about is your job security. They're attacking you very low on Maslow's hierarchy of needs here.
Right. You're in trouble at work. Right. Yeah. How am I going to feed my family if this happens?
Yeah. So Sophos has some advice, or I should say Paul put some advice in here. It's stop,
think, connect. It's the, you know, don't act. Yeah. Don't act right away.
Just stop and think about it.
One piece of advice he has for companies
is really good.
Always use official channels
for communicating with your staff.
But he says, establish a policy
of what that looks like.
If you have people that are customer facing,
they're going to get customer complaints.
It's going to happen.
So address that with these people
as soon as, on day one,
as part of their onboarding.
When you get a customer complaint,
here is what will happen, right?
This is how this process works.
Everybody who works in customer service
gets customer complaints, right?
So don't be alarmed.
Don't be worried about it.
If you have five or six of these a year,
no big deal or whatever your risk tolerance is, you know.
Yeah.
And here's how the process works.
That way, when they see this email come in,
they're already equipped to know,
okay, this might be fraudulent.
Yeah.
Because this isn't what the process is
that they told me it would be.
Right.
Other things he says is set up an easy-to-remember contact point for security reports.
Have a spam at whatever your address is or security or whatever.
If you're not letting exe files come through your firewall, don't let these other application
bundles come through.
And there's a whole list of them that are available.
Get familiar with what they are.
And don't be seduced by on-screen security promises like the verified signature. Paul theorizes that this accounting
firm's signing keys were probably stolen in another breach and then used to sign this back
door as a trusted application. Yeah. Yeah. All right. Well, it's an interesting story. I would say that social engineering hook is pretty compelling.
Right.
And our thanks to the folks over at Naked Security by Sophos and Paul Ducklin for putting this out there.
It's a great find, Paul.
Yeah. Joe Carrigan, thanks for joining us.
My pleasure. Thank you. Thanks for listening. We'll see you back here tomorrow.
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.