CyberWire Daily - TrickBot’s new tricks. Poisoning the ad supply chain. Clouds get schooled. Novel phishing tackle, but stale bait. Cyberwar powers. Election interference. FaceApp fears. Bad macro suspect arrested.
Episode Date: July 18, 2019
TrickBot gets some new tricks, and they're being called TrickBooster. Poisoning the advertising supply chain. Hessian schools will shy away from American cloud services. A novel phishing campaign is technically savvy but gives itself away with broken English phishbait. Congress would like to see Presidential cyberwar instructions. Microsoft warns of foreign attacks on elections. FaceApp looks suspicious. And a suspect is collared in a malicious macro case. Jonathan Katz from UMD on random number issues in YubiKeys. Carole Theriault speaks with Michael Madon from Mimecast on email impostor scams.
For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_18.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
TrickBot gets some new tricks.
Poisoning the advertising supply chain.
Hessian schools will shy away from American cloud services.
A novel phishing campaign is technically savvy but gives itself away with broken English phishbait.
Congress would like to see presidential cyberwar instructions.
Microsoft warns of foreign attacks on elections.
FaceApp looks suspicious.
And a suspect is collared in a malicious macro case.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 18th, 2019.
Deep Instinct sees a new capability in TrickBot: email credential harvesting.
They're tracking TrickBooster, a new module that's able to infect email accounts,
use them to send spam, and then delete the spam from the sent mail folder.
There's potential in such an approach for what Barracuda calls, in a new report, lateral phishing.
This technique uses hijacked accounts to send malicious spam to its victims,
counting on their familiarity with the apparent sender to induce them to open the email.
Researchers at Confiant have found that a Hong Kong actor is trafficking in malvertising
that effectively poisons the online advertising supply chain.
The actor, Fiber Ads or ClickFollow, is engaged in familiar kinds of ad fraud.
Their activity also poses a risk of directing victims to landing pages
that infect visitors with malware or at least unwanted programs.
German schools, at least in the land of Hessen,
the central German state where Frankfurt and Darmstadt are located,
will no longer use cloud offerings from Microsoft, Google and Apple.
There are two issues here, data sovereignty and data privacy.
If the data were stored in a properly bounded German cloud, that would be acceptable.
But storing them in a European cloud that's in principle accessible to U.S. authorities won't fly.
Data privacy is problematic because of the difficulty, perhaps the effective impossibility,
of determining what data exactly the services collect.
Consenting to collection is no solution because, Hessian authorities point out,
it's impossible to give real consent when you can't tell what's being collected.
Naked Security and others report this as a German policy,
but it's worth noting that this is so far a matter for Hessen.
Darmstadt's writ doesn't run in Stuttgart or Munich any more than, for example, the states of Texas and New York
would necessarily feel compelled to knuckle under to a California rule,
or, heaven forfend, even a Pennsylvanian policy.
But it does seem likely that the Hessian decision
will prove a bellwether for policy in the Federal Republic as a whole.
Mimecast recently published their third State of Email Security report.
Our own Carole Theriault spoke with Mimecast's Michael Madon about the report and some of the specific attacks they're tracking.
Michael, thank you so much for coming on the show. Really appreciate the time. So, Michael, talk to me about impersonation attacks. What exactly is that?
Yeah, so an impersonation attack is an attack where you get, for example, an email from your boss that says, "Hey, Michael, it's Lucy. As you know, I'm traveling this week. I really need to close this deal. I'm speaking to a client and I need you to send the account information to me so I can close this deal with the client ASAP." Typically it comes in the form of an email that's literally impersonating someone you know. Typically it's a boss, it could be a colleague, it could be someone in finance, but it's an attack that asks you at the end of the day to provide some sort of information that will open your company or you up to attack. Now, this also can be, for example, through phone, right? It could be through a text. It doesn't just have to be through email, but email is the most common form of impersonation attack.
Right. And so you guys have just put out a report called State of Email Security. This is your third report of this kind. And you have findings saying they're on the rise?
You know, we looked at more than a thousand global IT decision makers. And so the report is really comprehensive. And yeah, the attacks are on the rise. At the same time, confidence in defenses is falling, right? So for example, I think roughly 60% of the respondents believe it's likely or inevitable that they'll suffer a negative business impact from an email-borne attack. And 54% saw phishing attacks increase. And then 67%, I think close to 70, saw impersonation fraud increases, right? So it's absolutely on the rise because these attacks, again, as I said, are getting increasingly more sophisticated, seemingly more sophisticated. Again, I think what's really happening is these very sophisticated hackers are moving downstream to easier targets.
Gotcha. Okay. And so are they basically, is this called email spoofing? Is this another name for it?
It can be. I mean, it is technically, I mean, there's so many, you know, we're about to have, so yes, it's spoofing an email, but it's a specific type of spoofing. It's a spoofing where you're pretending to be someone you're not. And then there's a huge, these are very, very impactful. For example, if I sent you a spoofing email for, you know, let's just say Amazon email, you might look at that and then just delete it. But if I sent you an email and I'm a hacker and I sent an email from your boss saying, hey, I need this and you're in finance, right? And I said, I need this transaction to happen now, you need to send it to me. Well, that's a very, very different type of spoofing attack. So impersonation falls under spoofing because it's a type of spoof, but it's very, very targeted. And 73% of impersonation attacks have a direct loss.
Gotcha.
I mean, people are extremely vulnerable. And the reason is this: they're just really busy. Like, security is not what 99.9% of normal people think about, right? What people are thinking about is doing their jobs, getting up, going to work, picking up their kids from daycare, you know, making sure they get the memo to their boss. And when they get a screaming email from someone that they think is really important, they want to respond to it. So these impersonation attacks are so, so incredibly effective because they really get at the psychological nerve of a person, and the person wants to do good and respond. There's two ways to address this, really, really only two ways, right? Way number one is you need a good product to stop the vast majority of these impersonation attacks. And that specifically has features within their product specifically for impersonation, right? That's one. And then two, you have to better train your employees so that they're more aware. So that they know, right? 95% of all breaches involve human error, 95%. So whatever most companies are doing today in terms of awareness training, it's not working. It's about engaging the employees, why security is important, not just for their company, but for their own jobs and their own personal lives.
Michael Madon, thank you so much for talking with us today.
This was Carole Theriault for the CyberWire.
Cofense warns that there's a novel phishing campaign in progress against a familiar group of targets, American Express customers.
The phishing emails use a base HTML tag to split up the malicious URL into two pieces.
This technique may succeed in bypassing email gateway filtering services.
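As an added illustration, written for this page rather than taken from Cofense or any vendor, here is how a gateway-side check can reassemble a link that a lure splits between a `<base href>` and a relative anchor, so the full URL can be scored instead of the harmless-looking fragment; the sample email and its hostnames are constructed placeholders.

```python
"""Resolve <base href> + relative links in an HTML email body.

A filter that only inspects absolute href values never sees the
assembled link when the host lives in <base> and the path lives in the
anchor. This resolver puts the two halves back together the way a mail
client or browser would, and reports which hosts appear only after that
resolution (the ones a verbatim-href filter would have missed).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class BaseAwareLinkExtractor(HTMLParser):
    """Collect <base href> and every link target, without resolving yet."""

    def __init__(self):
        super().__init__()
        self.base = None        # first <base href> wins, as in browsers
        self.raw_hrefs = []     # link targets exactly as written

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"]
        elif tag in ("a", "area", "form"):
            target = attrs.get("href") or attrs.get("action")
            if target:
                self.raw_hrefs.append(target)


def extract_links(html):
    """Return (raw_hrefs, resolved_hrefs). Resolution happens after the
    whole document is parsed, so a <base> placed below the links still
    applies, matching how clients resolve the link at click time."""
    p = BaseAwareLinkExtractor()
    p.feed(html)
    p.close()
    resolved = [urljoin(p.base or "", h) for h in p.raw_hrefs]
    return p.raw_hrefs, resolved


def hidden_link_hosts(html):
    """Hosts visible ONLY once <base> is applied, sorted for stable output."""
    raw, resolved = extract_links(html)
    raw_hosts = {urlsplit(h).hostname for h in raw} - {None}
    all_hosts = {urlsplit(h).hostname for h in resolved} - {None}
    return sorted(all_hosts - raw_hosts)


# Constructed sample resembling the split-URL lure: absolute part in
# <base>, path in the anchor. Hostnames are placeholders, not real IoCs.
SAMPLE_EMAIL = """<html><head>
<base href="https://account-verify.phish-host.example/">
</head><body>
<p>Your card profile need verification, click below for continue.</p>
<a href="card/login/verify.php?id=12345">Verify Account</a>
<a href="https://www.example.com/">Visit our site</a>
</body></html>"""

if __name__ == "__main__":
    for raw, full in zip(*extract_links(SAMPLE_EMAIL)):
        print(f"{raw!r:40} -> {full}")
    print("hosts seen only after base resolution:",
          hidden_link_hosts(SAMPLE_EMAIL))
```

The same resolver applies to any HTML body, not just this lure; feeding it an email with no `<base>` simply returns the hrefs unchanged.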
As is so often the case with phishing, user awareness can help the intended catch spit the hook.
The email is rife with the sort of clumsy English grammar and syntax that so often disfigure the criminal come-on.
What are they after?
The usual. The crooks want user credentials.
The U.S. House Armed Services Committee has asked to see, quote, all national security presidential memorandums related to Department of Defense operations in cyberspace, end quote.
This sounds more sweeping than in fact it is.
The document they're particularly interested in seeing is National Security Presidential Memorandum 13,
a classified instruction generally believed to have loosened restrictions on offensive cyber operations.
Some such operations would constitute the kind of persistent engagement
U.S. Cyber Command tested last month in Exercise Cyber Flag 2019.
Members of Congress say they've received briefings on the direction the Defense Department received in NSPM 13.
Some of them are content with that, but others want to see the document itself.
Microsoft says it's detected a lot of state-directed cyberattacks over the past year,
most of them originating from Russia, Iran, and North Korea.
Redmond hints darkly that much of the activity represents an assault on democratic process.
USA Today sees the warning as a sales pitch for election security tools.
In fairness to Microsoft, they're already offering election security tools to campaigns for free,
and there's nothing necessarily cynical about promotions and loss leaders.
And besides, if you're selling a hammer,
you're going to point out the various nails sticking up in the customer's house.
NBC News' Frank Thorpe tweeted yesterday afternoon
that Senator Schumer, Democrat of New York,
has asked the U.S. Federal Trade Commission to open an investigation into FaceApp.
At issue is what the senator characterizes as FaceApp's requirement
that users give it full and irrevocable access to their images and associated data. He sees the
Russian-developed app as posing a threat to both privacy and national security. As usual, the devil
is in the details of the EULA. FaceApp's privacy policy gives the company the right to publish or use any content shared with its app,
including usernames and real names,
and to do so without providing further notice or compensating the users in any way.
That does indeed seem pretty open-ended.
And FaceApp stores the data it collects in Russia,
which is enough to give anyone the heebie-jeebies nowadays.
The Democratic National Committee has already warned its candidates not to use FaceApp, but it's a safe bet, people being the way they are,
that some have already used it. So here's an alternative. If you really feel a need to see
what you'd look like older or younger, or for that matter vegetable or mineral, get yourself a box of
Crayolas and a pad and do a few imaginative self-portraits. Crayons and pads are already for sale and cheap as back-to-school items, so act now.
And finally, we close with some good news.
The high-tech crime unit of the Dutch National Police has collared a suspect
in connection with the production and sale of malware.
If you've run across malicious macros in Word or Excel files built from Rubella, Cetan or Dryad, you've seen some of his work.
The 20-year-old suspect is so far unnamed, but he's known to live in Utrecht.
So bravo to the high-tech crime unit and bravo to industry partner McAfee that provided them with important help.
McAfee had been tracking the Rubella toolkit for some time,
and the company provided the Dutch National Police with important support during their investigation.
So bravo McAfee, and to the Dutch National Police, good hunting.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. I saw an interesting security advisory come by from the folks who make the Yubico keys, which are used to help secure devices. And they found themselves in a situation where I guess some of their random number generation wasn't as random as they hoped it was. Give us some insights. What's going on here?
Well, as you know, it's critically important when using cryptography that the keys that you choose, and actually all the random values you use in the course of implementing cryptography, have to be truly random. And a lot of times in the real world, security vulnerabilities arise due to improper randomness in cryptographic protocols. We've seen this before. We saw this a couple of years ago with the generation of RSA keys by routers. And we're seeing basically a similar thing here again, where improper randomness is being used at boot-up time. And I guess essentially what's going on is that when the device is initially booted up, there's some process that it goes through in order to try to generate randomness that's then used as part of a cryptographic algorithm, and it wasn't doing it properly for whatever reason. And so the user was essentially getting lower quality randomness than what they expected.
And this would open up the possibility of what?
Well, let me take a simple example, which doesn't really apply to the YubiKey, but it just gives an idea of what's going on. Imagine that you're trying to generate, say, a random 128-bit AES key, but 64 of those bits are not random for whatever reason. Let's even say that they're all set to zero. So now what that's going to do is that's going to make the job of an attacker who's trying to guess the key a lot easier, because rather than having to try to enumerate over a 128-bit key, which is 2 to the 128 possibilities, now they only have to enumerate over a 64-bit key, which is 2 to the 64 different possibilities. And even though the difference between 128 and 64 might sound small, it's in the exponent here. And so 2 to the 64 is astronomically smaller than 2 to the 128, and so it's a huge difference from the point of view of the attacker. In the case of the YubiKey, they were actually looking at improper randomness for public key algorithms rather than private key algorithms, but the basic idea is the same.
Yeah, you know, to take a little brief trip down memory lane, since you and I are of a similar generation, having spent some time back in the 8-bit computer days. I remember, you know, back in the days of Apple IIs and TRS-80s, that we'd talk about random number generation at power-up. If you powered up your computer and called for a random number, it would be the same every single time.
Well, the truth is it's not so easy to generate random numbers.
If you think about it, computers are ultimately
deterministic processes.
And so a computer on its own can't really
generate a random number.
And so what they need to do is ultimately
rely on some physical input in order to generate randomness.
Yeah.
You know, on a desktop computer, you
might use user mouse movements or keyboard typing speeds or things like that to generate random data.
But on a YubiKey, there's not that much that you can rely on.
And so I'm not even sure offhand what they're using to generate randomness.
But you can imagine that it might be quite difficult.
It might take some bit of time in order to generate true high-quality random data.
Yeah.
Yeah, back in the day, we used to press any key, and in between that, it was just internally generating random numbers, relying on the fact that not everyone would press any key at the same time.
Right.
For what it was worth, it worked.
Right. Well, you're not sure. I wouldn't count on it, to be honest.
You ruin everything, Jonathan. But you're talking about computers from 35 years ago.
Right, right.
It would not surprise me if they're vulnerable to the attacks of today.
All right.
Fair enough.
Fair enough.
All right.
Jonathan Katz, thanks for joining us.
Great.
Thanks again.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. ThreatLocker is designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of
DataTribe, where they're co-building the next generation of cybersecurity teams and
technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carole Theriault, Ben Yellen, Nick
Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter
Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.