CyberWire Daily - Turla returns. Moscow interested in Mexican elections? FakeBank mobile Trojan hits Russian banks. Phishing the Olympics. Patch Tuesday. Bad flashlights, nice doggie.
Episode Date: January 10, 2018
In today's podcast, we hear that Turla's back, with a depressingly nifty man-in-the-middle campaign. The US thinks it sees Russia trying to influence Mexico's national elections. Russian banks are hit with a new mobile Trojan. Iran continues its Internet crackdown, and conducts more domestic surveillance and hacking. Winter Olympics-themed cyberattacks rely on well-crafted social engineering. Patch Tuesday addressed Spectre, Meltdown, Flash, and an Office zero-day. Yossi Oren from BGU on vulnerabilities in mobile device replacement touchscreens. Stay away from flashlight apps. (And take a look at your dog-walker's app, too, while you're at it.)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
Turla's back with the depressingly nifty man in the middle campaign.
The U.S. thinks it sees Russia trying to influence Mexico's national elections.
Russian banks are hit with a new mobile Trojan.
Iran continues its Internet crackdown and conducts more domestic surveillance and hacking.
Winter Olympics-themed cyberattacks rely on well-crafted social engineering.
Patch Tuesday addressed Spectre, Meltdown, Flash, and an Office zero-day.
And stay away from those flashlight apps.
Take a look at your dog walker's app too while you're at it.
I'm Dave Bittner with your CyberWire summary for Wednesday, January 10th, 2018.
Remember Turla, the tail-clutching Uroburos of cyberspace? It's back, or more accurately, it's returned to notice, since Turla never really left.
The cyber espionage group, one of the organs of Russian intelligence,
is active for the most part against the near abroad,
that is against former Soviet republics and also against former Warsaw Pact countries.
Turla has also ventured further afield to spy on other targets,
typically consulates, embassies, and other diplomatic missions.
This time it's returned with more sophisticated and elusive exploits.
Turla has been observed using a flash installer to infect targets.
The downloads appear to come from legitimate Adobe domains and IP addresses.
In fact, they do not.
It's a man-in-the-middle attack.
ESET, which has just released a report on Turla's latest activities,
said they've found the threat group to be using a web app
hosted on Google Apps Script as their command and control for malware
dropped by a bogus Flash installer.
ESET is positive that the threat group hasn't compromised Adobe's servers.
Instead, they switch files in transit during the Flash Player installation
process and install a backdoor that ESET is calling Mosquito.
How Turla is substituting its malicious code remains a mystery, but ESET's report outlines
four possibilities. They might be using a local man-in-the-middle attack, relying on
a machine in the victim's network they've already compromised.
Or they might be using a compromised gateway. They might be using BGP hijacking. Or finally, they might
be executing a man-in-the-middle attack at the ISP level. ESET speculates that the likeliest of those
would be exploitation of a compromised gateway. As noted, Turla's usual targets are diplomatic ones. Its typical interests
are thought to involve political intelligence. There have been companies affected by Turla,
but ESET regards these as being of incidental or at most secondary interest to Turla's masters.
There's other news of Russian operations in cyberspace, but these involve allegations of influence operations in Latin America.
The U.S. has accused Russia of undertaking a large information campaign
aimed at influencing Mexico's 2018 national elections.
National Security Advisor H.R. McMaster said there were already signs
that Moscow has begun a coordinated attempt to nudge opinion in the direction of
Lopez Obrador, leftist former mayor of Mexico City, who's running on an anti-corruption platform.
Kremlin news outlets RT and Sputnik have given Obrador noticeably positive coverage,
but of course positive coverage is no crime, and neither the U.S. administration nor Mexico's
foreign ministry has provided comment
on or amplification of McMaster's observation. Propaganda is nothing new, nor are attempts to
influence elections. Russian targets have also been victims of hacking. In this case, it's a
fresh wave of cybercrime. A new mobile banking trojan, FakeBank, has appeared in Russia.
The criminals behind it are afflicting customers of Sberbank, Letobank and VTB24.
FakeBank is distinguished by its sophisticated use of multiple layers of obfuscation.
Iran's internet crackdown continues.
It's not just the blocking and censorship of the filternet, but online control extends to active surveillance and offensive cyber operations against Iranian citizens.
These extended to phishing campaigns, again domestically focused.
The Islamic Revolutionary Guard Corps, that branch of the armed services specifically charged with the mission of protecting the Islamic character of the state,
is reported to have successfully intruded into individuals' online communications and made arrests on the basis of the content found in their systems.
Much un-Islamic content is illegal under Iranian law,
hence the name Halal Internet,
that was initially used to describe the country's autarkic corner of cyberspace
when the regime began to fence it off in 2011
during the administration of former President Mahmoud Ahmadinejad.
Ahmadinejad himself, out of office for several years, is now under house arrest,
charged with fomenting dissent.
The still unattributed cyber offensive targeting South Korean companies
during the run-up to the PyeongChang Winter Olympics
appears to depend upon effective timing and compelling phish bait,
that is, on good social engineering as opposed to technically sweet hacking.
Patch Tuesday saw Microsoft fix 56 security issues.
Redmond addressed not only Spectre and Meltdown,
but also a zero-day in the Office Equation Editor.
The general round of patching for Spectre and Meltdown has continued,
with most major vendors taking some steps to offer mitigations.
Microsoft has pulled the fixes it offered for AMD chips.
Those appeared to brick machines, so AMD remediations remain a work in progress.
If you're thinking of downloading a flashlight app for your Android phone, don't.
Too many of them are malicious, and it's not worth the risk.
Get a cheap LED light for your physical keychain instead.
And finally, if you're the kind of person who engages a dog-walking service,
which strikes us in this BYO dog shop as a little like sending your kids off to boarding school,
maybe even a military boarding school,
be advised that there are reports in the Wall Street Journal that WAG, the Uber of the dog-walking gig economy,
may have accidentally exposed more than 50 customers' addresses
and, worse yet, codes to the lockboxes in which they left their keys.
WAG says it's notified affected customers
and taken steps to better secure the data.
It's worth noting that this is a report of an exposure and not an actual theft of information,
so it's not known if any bad actors obtained and used the lockbox codes.
So, grrrr.
But if security's now better at WAG, then good dog, good boy, good doggy, who's a good boy?
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time visibility
is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Dr. Yossi Oren. He's a senior lecturer at the Department of Software and Information Systems Engineering at Ben-Gurion University. He's also a member
of BGU's Cybersecurity Research Center. Yossi, welcome back. You all did some interesting
research about replacement touchscreens on phones and how that could be a vulnerability.
Yes.
So I just want to give credit to my excellent students, Omer Schwarz and Amir Cohen, and Dr. Asaf Shabtai, who was my collaborator on this.
We have our phones with us.
We take them everywhere and entrust them with everything.
Of course, the companies who make these phones, it could be Google or Apple or Samsung and so on,
they really do a lot of hard work protecting our phones from all sorts of attacks.
So they check the software very carefully and they have app stores and all sorts of
protections. And they also check all sorts of hardware, which is coming into their phone very
carefully. Obviously, they don't build all the phone themselves, they buy components from all
sorts of vendors but they're very careful about stuff that goes into our
phone so they are secure. But in our lab we started thinking what happens if we
drop our phone or we dunk it in the toilet or whatever unfortunate thing
happens to our phone and we don't go to the repair store, the official Apple
store or so on. We just go to the
corner shop and get our phone repaired there for cheap. So what kind of risks are we exposing
ourselves to when we do this thing? We actually found out that there's something called an attack
envelope or a threat boundary when you talk about security. And you think about things outside this
boundary as very, very dangerous.
For example, if somebody sends you an attachment by email,
it's going to be very, very risky.
So you have to check all sorts of things about it.
But there are things inside this trust boundary
which you trust without asking anything.
And we found out that the hardware
which you replace on your phone,
for example, a replacement touchscreen,
is actually inside the trust boundary of the phone.
And the phone trusts everything this component does blindly without doing any sort of checking.
So we called our attack, we made an attack, we called it shattered trust. So shattered because
you shatter your screen, and trust is because you abuse this trust boundary. And we started
thinking of what sort of damage can you do if your phone is completely protected
and you have antivirus and everything is up to date,
but the phone screen hardware is malicious.
We have very, very short videos on YouTube,
about 30 seconds, showing all sorts of very, very
crafty stuff you can do if your touchscreen is corrupted.
For example, if I'm only controlling your touchscreen, I can
wake up the phone in the middle of the night, take a picture of whatever is going on outside the phone,
and then make an instant message or an email and send this picture to the adversary, to the enemy.
And obviously, the phone doesn't have to turn on the screen when this is happening. It could be
completely in the dark. Another thing you can do, for example,
is wait for the user to type in a URL and then very, very quickly replace this URL
with a phishing URL.
So you're trying to log into your bank,
so you type in mybank.com
and you're very sure that this is the right address.
But I can very, very quickly replace this URL
with a malicious URL
and then I can get all your credentials from the bank.
And it's going to happen so quickly that you won't notice.
And another thing I can do, which is actually more advanced,
is we can do something which is called the buffer overflow.
So we can take the data which is coming from the touchscreen into the smartphone,
and we can send this data in a corrupted way, which actually causes the phone
to execute code instead of processing these touches. And then we can actually do whatever
we want on the phone. We can disable all of the protections you have on the phone,
and then we can actually completely pwn it, as it's said.
Yeah. And so is this a matter of perhaps the hardware manufacturers need to,
you know, disallow third-party screens to protect against this sort of thing?
So this is kind of a legal policy issue.
There is a big battle in the U.S. called the right to repair.
Right.
And the question is, when I buy a phone, am I also legally entitled to have the tools and the parts and the manuals so I can repair the phone myself?
It could be a phone, it could be a car, it could be a tractor, it could be a plane and so on.
And my personal opinion is that it's very, very much
the fact that you have the right to repair
and you should have the right to repair.
So I don't want to make a world
where you're not allowed to buy your own repair components
and repair your phone yourselves.
But what I would like,
and this is something we're working on right now,
is to have the phone be better protected against these attacks.
So if you, for example, get a third-party replacement for your phone and you buy it off Amazon or off eBay,
you could be a journalist on a mission in a country and you want to repair your own camera when it breaks and so on.
I want you to be sure that if the replacement hardware you get is questionable, it won't be able to damage your phone.
So we're actually taking technology from the firewall world and we're bringing it into the phone.
We're shrinking it in size.
And we want to build something we call a peripheral firewall, which is doing the same thing as the firewall does on the network, only inside the phone.
Now, it's interesting stuff.
And I think an area people don't often think about.
Dr. Yossi Oren, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a
default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm
Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights,
receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo
is easy. Learn more at ai.domo.com. That's ai.domo.com.