CyberWire Daily - Variant 4 and other chipset vulnerabilities. Confucius and Patchwork. Turla goes two-stage. Misconfigured not-for-profit bucket. ZTE's fraying lifeline. Facebook and the EU. Brain Food.

Episode Date: May 23, 2018

In today's podcast we hear a bit more on Variant 4—we may see more like it. Mitigations are under preparation. The Confucius threat group modifies its approach to targets. Turla adopts a two-stage infection technique. A misconfigured AWS S3 bucket exposes a California not-for-profit's clients. ZTE's lifeline may not be so strong after all: the US Administration wants significant concessions and the US Congress seems to want none of it at all. Facebook's EU testimony gets tepid reviews. And a botnet is pushing smart pills and diet supplements—not that any of you will be tempted. Daniel Prince from Lancaster University on risk management and uncertainty. Guest is Sung Cho from SEWORKS on research they did on the security of fitness apps.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Variant 4, we may see more like it. Mitigations are under preparation. The Confucius Threat Group modifies its approach to targets. Turla adopts a two-stage infection technique.
Starting point is 00:02:08 A misconfigured AWS S3 bucket exposes a California not-for-profit's clients. ZTE's lifeline may not be so strong after all. Facebook's EU testimony gets tepid reviews. And a botnet is pushing smart pills and diet supplements. Not that any of you would be tempted. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 23, 2018. The speculative execution vulnerabilities at the heart of Spectre, Meltdown, and the recently disclosed Variant 4 represent, observers say, issues at the foundation of most current chipsets. Many expect other flaws to emerge soon.
Starting point is 00:03:06 The kind Variant 4 would allow is, analysts say, difficult to execute, which is probably why Microsoft rated the risk associated with Variant 4 as low. But such vulnerabilities are also difficult to address. Various mitigations and fixes are expected over the next few weeks. Trend Micro offers an update on the Confucius threat group. It's still spying on South Asian targets, mostly Pakistani, but it's moved its infection vector from romance sites to adult-content-serving Android apps and, again, romance scams. In an extended sense, perhaps, this isn't too much of a thematic shift. Romance scams have a long, sad history in ordinary crime as they do in espionage, but Trend Micro thinks using them for the installation of spyware is a relatively novel move.
Starting point is 00:03:52 There's no consensus, by the way, about the actors behind Confucius, but Trend Micro sees a connection to the Patchwork group. There's a good bit of code-sharing. The Confucius downloader has an interesting self-deletion function that appears to configure it to targets from a list of allowed countries. Trend Micro's report says that most South and Southeast Asia countries, including Mongolia, are on the allowed list. Most of the Middle East and Africa are on the allowed list.
Starting point is 00:04:21 In Europe, only Ukraine is allowed, and in the Americas, Confucius is interested only in Trinidad and Tobago. No country in Oceania is on the allowed list. Make of this what you will, but of such thin circumstance, attribution is often woven. According to ESET, operators of the Turla Trojan package have moved away from the custom backdoors they've hitherto used in their Mosquito campaign. They're now using the open-source pen-testing framework Metasploit as their initial backdoor. Turla is widely regarded as run by Russian intelligence services. It's been tracked for some time.
Starting point is 00:05:02 Symantec gives it a discovery date of January 13, 2014, and it's been involved in a number of espionage campaigns since then. It's used both in spear phishing emails and watering hole attacks to install its exploits in victim systems. Authorities in the UK have been particularly on the alert for Turla. The National Center for Cybersecurity has warned that Turla is using tools, Neuron and Nautilus, that primarily target mail servers and web servers. The goal is to establish and maintain persistent access for intelligence collection. On the strength of ESET's recent findings, the security company sums up by advising incident responders to look for the
Starting point is 00:05:45 two-stage infection process. The first stage is an open-source pen testing project, and the second stage is installation of the custom Mosquito backdoor. UpGuard says it has located another misconfigured AWS S3 bucket. This one belongs to Los Angeles County 211, an LA-based not-for-profit whose business is providing information and referrals for health and human services in the county. Among the 3.2 million personally identifiable files exposed are logs and notes on suicide distress and domestic abuse calls, which makes the data exposure unusually troubling. Any enterprise that uses AWS would be well advised to look carefully at its configurations to ensure that their buckets haven't been inadvertently exposed to the Internet at large.
Starting point is 00:06:38 Recent news about vulnerabilities in mobile fitness apps prompted security firm SEWorks to take a closer look at the top 10 fitness apps on the Google Play Store. Sung Cho is VP of Growth and Strategy at SEWorks, and she shares what they found. We found that they all have some sort of security issues, and all of them have actually critical and medium degree of security vulnerabilities, and we thought this was worth addressing. And so what kind of vulnerabilities did you find? So the common things that we found firstly was file input and output. And one thing that I want to note is that this may not be seen
Starting point is 00:07:20 as a critical vulnerability, depending on your internal app development environment. However, this still is considered as one of the top critical vulnerabilities in the overall mobile app world. And we found that many apps have these vulnerabilities. Another thing is called intent. And intent is a coding framework that allows apps and components to communicate with one another by passing messages. And this helps specify between a procedure to call
Starting point is 00:07:55 and the arguments to use. And this is basically a communication system. And this is another thing that we consider as critical vulnerability. And in addition to file input and output and intent, we also found URL schemes, which are intents that allow applications to communicate with servers and web pages from inside an app.
Starting point is 00:08:22 So one thing that we often encounter is a lot of developers find it quite safe once they have the server side secure. However, I would really like to highlight that even if your server is secure, your apps are not as secure as your server. Hackers still can compromise your apps and even ultimately the server too, because apps are oftentimes used as an entry point for hackers. Now, you all make the point
Starting point is 00:08:53 of the importance of considering security from the very beginnings of developing an app. What are your recommendations here for these app developers? How could they have done a better job? I would really like to recommend thinking about security from the designing phase, from the architecture phase. Oftentimes, developers don't have enough time to think about security when they develop apps because they either don't have enough expertise in security or
Starting point is 00:09:21 they don't have time or resources to invest in security. However, at the end of the day, security will come as the biggest problem in your app development or even after your app goes live. So I would really recommend thinking about security from the beginning of the development phase. And, you know, once you're done developing, there are also many other security solutions or softwares that you can help adding and strengthening your security for your apps as well. So I would look
Starting point is 00:09:55 out for those as well. I would also like to mention the common vulnerabilities that we found were insecure data storage, M2, and M8 code tampering, as well as M9 reverse engineering. So, based on this result, I would also like to address the importance of obfuscating and encrypting your source code to prevent reverse engineering and to protect against many other hacking damages that can happen from that, such as creating copycat apps and source code modification, which could also lead to malware insertion or payment fraud as well. That's Sung Cho from SEWorks. The U.S. administration is squeezing ZTE for leadership changes and trade concessions. Congress, however, may buy none of it. Many members argue that ZTE is a security risk. Recall that the Commerce Department's sanctions against ZTE are based
Starting point is 00:11:01 not on security concerns, but rather on ZTE's evasion of international sanctions against trade with certain proscribed countries, notably, but not exclusively, Iran. Facebook honcho Mark Zuckerberg's EU testimony yesterday has not been particularly well-reviewed. Many observers, including politicians connected with the European Parliament, felt that he was evasive and didn't really answer the questions they wanted answered. That's not, it seems, entirely Mr. Zuckerberg's fault. The format of the questioning had all the leaders of the various EU political groups lay out several questions in advance,
Starting point is 00:11:40 and then Mr. Zuckerberg spoke to some of them over his 22-minute response. Under such circumstances, you'd have to be more than flesh and blood to refrain from some picking and choosing. He did apologize for Facebook's involvement with Cambridge Analytica and for the presence of fake news on Facebook. And he also gave a shout-out to GDPR. But this ground is well tread, and the European parliamentarians wanted more. In particular, they're interested in fostering competition among platforms, and on that score, Mr. Zuckerberg offered mostly anodyne caution against ill-crafted regulation, stifling innovation.
Starting point is 00:12:18 Security firm Proofpoint has outlined the brain food botnet, which is for the most part engaged in serving up dodgy nutritional products and regimes, often falsely branded as big successes on the popular plutographic TV show Shark Tank. The bots are sending people to pages that hawk supplements to help you diet and make you smarter. All of you, of course, are smart enough and fit enough to need neither, but you might pass this information on to friends who might be tempted. We're always looking out for friends. Calling all sellers.
Starting point is 00:12:57 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:13:30 Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:14:35 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:15:18 And joining me once again is Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, welcome back. We wanted to touch today on risk management and uncertainty. What do you have to share with us today? Well, thank you for having me back on. So, I've been doing quite a lot of work looking at risk management, thinking about actually what do we mean by risk. And when you start to look at some of the formal definitions, risk is really looking at a system where we can know all the specific outputs and we can assign probabilities to those possible outputs. The problem I'm finding with digital systems is that the ability to be
Starting point is 00:16:00 able to enumerate all the possible outcomes, all the possible problems that that system has, is nearly impossible because of the complexities of the system. And that leads us into really the concepts of uncertainty, where we know some of the possible outcomes, but we just don't know all of the possible outcomes. And therefore, it becomes much more complicated to have a quantitative-based system to understand where all the probabilities of all the different outcomes happen. And so, for me, this is really important when we start to talk about things like systemic risk within systems. So systemic risk is this concept that there is an underlying big problem that could actually change the way that people behave. But that assumes that one,
Starting point is 00:16:47 we can identify all the possible outcomes and assign probabilities, and two, that we know the whole system. My point here at thinking is that we can't know all the possible outcomes, so we have to start thinking about systemic uncertainty. And that leads you on to instead of doing really a lot of planning, a lot of more thinking about how do we respond to incidents, which is one of the reasons why when I'm teaching and thinking about risk management, I'm actually thinking more about how do we prepare people to be able to respond effectively to the materialization of unintended or bad events within a particular system, including the people and the technology. Now, do you find that people approach this in a logical way? Do people come at it thinking that they can eliminate all risk? Do they have
Starting point is 00:17:39 unrealistic expectations? I think the unrealistic expectation starts with believing they can know all the possible outcomes that a computer system could generate, and that's in some ways a little bit of a naive position to take. And I think if you talk to a lot of technologists, they wouldn't take that position, but a lot of other people who are not completely aware of the complexities of computer systems do take that position and believe that you can know all the outputs. But there is often, I find, a bit of a bias, an overconfidence bias within some technical people within risk management, that they assume that they can know all the possible outcomes and quantify them, and then they're dealt with. The reality is I think it's much more
Starting point is 00:18:26 important for a whole organization to be really prepared to face an incident and that's just not the technical people but that's also all of the business people all across the whole organization and thinking about how the organization really responds as a collective of people to support the organization to deal with a specific threat. Yeah, it strikes me that it's not unlike how we deal with ourselves, our human bodies and our frailties and our ability to get sick. So you can do everything, you can wash your hands. You can not sneeze on your co-workers. But still, people are going to get colds. People are going to get the flu. And as an organization, you have to be prepared for that, that sometimes people aren't going to be able to show up for work.
Starting point is 00:19:16 Yeah, that's it. And it's one of the really interesting things about, you know, in our day-to-day lives, we're quite happy with uncertainty, most of us. We're quite happy to be able to deal with the unintended outcome, the things we didn't think about. We are capable of doing that. And we accept that we have that in our daily lives. But what's interesting when it comes to computer systems, because it is technology and because it's engineered,
Starting point is 00:19:46 there is this kind of, well, why can't we know everything? That's the question that sort of comes out. But if you take a standard computer system, you've got some hardware that we don't know what's in it. We, you know, don't know where there are vulnerabilities, so things like Meltdown and Spectre are key examples of that. Then we put an operating system on top of that, which could have some problems. And then we install a wide variety of applications on top of that. No one installation is exactly the same as the other. So every single
Starting point is 00:20:13 system we have, and all the systems that interconnect us, can be considered as unique as every single person on the planet. When you start to think about it like that, then it's, you know, we really need to start to think about doing the best defense we can, but also be able to respond as effectively as we can as well. All right, Daniel Prince, thanks for joining us.
Starting point is 00:20:42 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
Starting point is 00:21:12 can keep your company safe and compliant. And that's the Cyber Wire. Thank you. CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:22:00 Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Thanks for listening. We'll see you back here tomorrow. Thank you. AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
