CyberWire Daily - Warnings of Outlook exploitation, with a possible Iranian connection. GPS jamming in the Eastern Med. Satellite vulnerabilities. 505 errors. TA505’s new tactics. Content moderation updates.
Episode Date: July 3, 2019
US Cyber Command warns that an Outlook vulnerability is being actively exploited in the wild. Other sources see a connection with Iran. GPS signals are being jammed near Tel Aviv, and Russian electronic activity in Syria is suspected as the cause. A look at the consequences of satellite cyber vulnerabilities. The TA505 gang changes some of its tactics. Yesterday's brief Internet outages are traced to a Cloudflare glitch. Facebook and YouTube continue to grapple with content moderation. Mike Benjamin from CenturyLink on Emotet's C2 behavior. Guest is Avital Grushcovski from Source Defense on the risk posed by third-party web site tools. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
U.S. Cyber Command warns that an Outlook vulnerability is being actively exploited in the wild.
Other sources see a connection with Iran.
GPS signals are being jammed near Tel Aviv,
and Russian electronic activity in Syria is suspected as the cause.
A look at the consequences of satellite cyber vulnerabilities.
The TA505 gang changes some of its tactics.
Yesterday's brief Internet outages are traced to a Cloudflare glitch, and Facebook and YouTube continue to grapple with content moderation.
From the CyberWire studios at DataTribe, I'm Dave Bittner
with your CyberWire summary for Wednesday, July 3rd, 2019.
Yesterday afternoon, U.S. Cyber Command issued a warning that CVE-2017-11774,
a Microsoft Office Outlook security bypass vulnerability publicly identified in 2017,
is being actively exploited in the wild. Users who haven't yet patched for this bug are urged to do
so. Cyber Command posted samples to VirusTotal,
and researchers at Chronicle have connected the activity to Iran's APT33 and Shamoon 2.
Brandon Levine, head of applied intelligence at Chronicle, contacted us through a representative
to explain. He said, quote, manipulation of exploited web servers. Each tool has a slightly different purpose,
but there is a clear capability on the part of the attacker to interact with servers they may have compromised. If the observation of CVE-2017-11774 holds true, this sheds some new
light on how the Shamoon attackers were able to compromise their targets. It was highly speculated
that spear phishes were involved, but not a lot of information around
the initial vectors was published, end quote. Chronicle says it's confirmed that Shamoon 2
and APT 33 exploited this particular vulnerability in 2018, but since the vulnerability is available
and reliable, it's prudent to patch. Airline pilots say they've experienced weeks of GPS disruption around Tel Aviv.
The International Federation of Airline Pilots Associations reported the disruptions last week,
and they've since been confirmed by other sources.
C4ISRnet reports that Russian jamming is suspected.
Israel doesn't appear to be the target,
but is instead collateral damage from Russian electronic warfare in neighboring Syria.
Think tank Chatham House has published a study of NATO space-based strategic systems' vulnerability to cyber attack.
NATO itself owns no satellites, but rather uses space assets contributed by its member states,
which inevitably complicates the cybersecurity task.
Chatham House sees the problem fundamentally as one of trust.
If the Atlantic Alliance comes to lose confidence in what its overhead surveillance systems are telling it,
that would inevitably lead to misperception, mistrust of attribution, and faulty crisis decision-making.
The TA505 gang is back in the news.
Proofpoint researchers have determined that TA505,
the cybercriminal group responsible for the Locky ransomware and the Dridex banking Trojan,
is using a new downloader the researchers are calling AndroMut.
The downloader exhibits code similarities to the venerable Andromeda malware family.
AndroMut is being used to download the FlawedAmmyy remote access Trojan in at least two separate campaigns.
The first campaign is targeting South Korean users,
while the second is aimed at Singapore,
the UAE, and the US.
Both campaigns use malicious Microsoft Office files
as their infection vector,
and they both seem to be focused on the banking industry.
It's a fact of life these days that the websites we visit are likely full of a variety of third-party
trackers, gathering information on who we are and what we do. These trackers can be an irresistible vector for malicious actors to make their way
into your system. Avital Grushcovski is co-founder of security firm Source Defense.
The use of third parties has always been common in websites. They're mainly used to create a
personalized user experience on the one hand, or to try and monetize off your website, on the other hand, to increase interaction,
to measure your users' behavior, analytics tools, and so on, even chat services.
What we're definitely seeing, and I've seen that throughout the course of basically 15 years of a career in third parties,
that the use is increasing drastically from year to year. The other interesting trend is that if 10 years ago,
you would never see what I will call a security-oriented organization
using these third parties, for example, banks or credit card companies,
even online stores, even e-commerce stores,
they hardly used any third parties at all.
Today, even on the biggest banks and the most secure websites, you'll find anywhere between 12 and 25 third parties, even on the page where you log into the system, and even past login, which is definitely a major change in the past five years or so.
So where do the security issues come into play then?
There's a very common misconception about third-party JavaScript.
More in the security area, less for R&D people.
R&D people know this very well.
The origin of JavaScript has no effect over the level of access that JavaScript has to the page.
When you integrate these tools, you need to understand that when you place an analytics tool on the page,
then that tool is only going to be triggered
once the page is loaded in the browser.
This means that this tool is triggering
after all of the security layers
your website has placed have been concluded.
The computer has already communicated
to your website server.
It's passed through your WAF, SSL, firewall, and whatnot.
But right now, on the browser, it's calling the remote server,
completely outside of your security perimeter.
And that remote server is going to load JavaScript to your page.
And that JavaScript can do everything your JavaScript can.
This means that the third-party JavaScript can change the content of the page.
It can display messages to users.
You know, it does that regularly.
It can take the user to different pages. It can even record our keystrokes while we type in username, password,
credit card information. But if you look at these companies, and I'm not saying these companies are,
you know, misbehaving, but if you consider, for example, a bank. A bank has a fairly large security budget. A marketing company, on the other
hand, does not. It might be easier hacking marketing or an analytics tool or a chat service
than hacking a bank. But once you've hacked those, you've actually hacked the entirety of their
users. Instead of spending your time hacking a bank, going through a big effort, you can hack a marketing tool that works with banks and hack 20 banks with less effort, which will be obviously much more lucrative.
That's Avital Grushcovski from Source Defense.
Cloudflare experienced another widespread outage yesterday morning, U.S. Eastern Time.
Cloudflare's CEO Matthew Prince tweeted that a massive spike in CPU usage caused primary and backup systems to fall over, and that the issue
has since been remediated. The company traced the 502 errors to a bad software deployment,
which they pulled in order to restore service to normal. The problem lasted about half an hour.
Riviera Beach, Florida, will pay extortionists $600,000 to recover files encrypted in a May ransomware attack.
Local news station WPTV notes that this comes on top of the $1 million
already allocated for remediation.
Facebook shut down dozens of accounts that had been spreading malware via malicious links
since 2014, according to Threatpost.
A report by Check Point this week showed that the accounts were targeting people in Libya
by impersonating Libyan figures and news pages.
Check Point researchers tracked the operation back to a single person who had been sharing
the results of the malware campaign on a personal Facebook page, which included Libyan government documents, emails,
phone numbers, and photos of high-ranking Libyan officials' passports. It's not clear who the
attacker is, whether they were acting alone, or what their end goal was. The activity doesn't
appear to support any particular political actor, but the researchers say the attacker's actions
do seem to be motivated by political events.
Facebook, which has recently been concerned
to display its determination to moderate extremist content,
has also come under criticism for being asleep at the switch
with respect to medical information.
The social network is moving to minimize
the spread of misleading health information,
such as potentially risky miracle cures and pages pushing weight loss pills.
Facebook is tweaking its newsfeed algorithms to reduce the reach of pages, but it doesn't affect misleading information spread by personal accounts.
TechCrunch points out that some multilevel marketing companies already require their workforce to promote their products on personal profiles in order to bypass such changes,
and multi-level marketing campaigns are familiar sales channels for various alternative remedies, quack nostrums, implausible panaceas, and so on.
Unfortunately, as often happens when platforms try to scale and automate content moderation,
Facebook is sweeping up a lot of good along with the bad and the ugly. Vice reports that Facebook is also screening out
sites devoted to warning users of bad batches of drugs, or that offer materials to test for
the presence of fentanyls and other dangerous contaminants in street opioids. The algorithms
aren't crazy, and despite what Vice might say, the situation isn't quite
like the 1990s attempt to clean up the internet that mistook breast cancer research for impermissible
adult content. But surely it's another instance of the moderation missing significant and not
particularly subtle distinctions. YouTube is going through a similar problem. The platform
has decided to restrict instructional hacking and phishing videos.
They'll remove the content and send the poster an email.
Three strikes and your channel will be taken down.
The policy has been poorly received by people working in information security.
Big tech is willing to de-platform, but it kicks back at liability,
as may be seen in industry's reaction to the UK's
advancing duty of care. Perhaps the issue is this. The major social media platforms would like to
have all the regulatory, legal, and reputational advantages of publishers and common carriers,
with none of their respective disadvantages. In fairness to social media, governments and
consumers sometimes seem to want the same thing,
although perhaps in reverse, all the disadvantages and none of the advantages.
ISIS online inspiration this week heavily features imagined attacks on New York and Washington during Independence Day,
according to multiple reports.
It's always difficult to assess the seriousness of such material,
but there's little room for serious doubt about their intention.
Do stay alert over the long weekend.
Speaking of the long weekend, we here at the Cyber Wire will be taking the next few days off to celebrate Independence Day, or as we like to call it, Amexit.
We'll be back on Monday, and remember, if you insist on demonstrating your patriotism by playing with dangerous explosives,
keep in mind that the fingers you lose may be the ones used to unlock your mobile device.
Be safe.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and
their families at home? Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Mike Benjamin.
He's Senior Director of Threat Research at CenturyLink's Black Lotus Labs.
Mike, it's great to have you back.
I wanted to touch base with you today and get an update on what you all are tracking there
with Emotet. First of all, give us an overview. For those who might not be familiar with Emotet,
what are we talking about here? Yeah, thanks, Dave. Emotet's a malware family that's been
around for a few years now. There's a number of teams that have been tracking it. And it started out primarily as a banking Trojan, but it's evolved into a pretty pervasive distribution channel for malicious
emails of all types. And one of the things that it does is deliver secondary payloads. We've seen
it deliver other malware families, such as TrickBot's been one of the more popular ones.
It's particularly interesting because it uses a
hierarchical command and control model. And so while not extremely rare, it calls back to a
first tier of C2s. These are the ones that if you were to sniff your network traffic, you would see
the malware talking to. And those devices simply proxy the connection back to a second tier.
Now for most malware defenders, that's a pretty
difficult thing to find. Thanks to our network data, we're able to track those pretty quickly.
And the actors have just recently evolved yet again and added another tier into that hierarchy.
And what they've done is they've started to use actual infected endpoints. So Windows computers running the malware as another proxy in that chain.
And so what another infected endpoint will do is it will call out to what we're calling a bot C2.
The bot C2 will proxy it to that original tier one C2, which was typically an infected, or I shouldn't say infected, a hacked Linux machine.
And then that will proxy it back to the final tier two.
And they're doing this to drive further difficulty in takedown, as well as finding that tier two C2.
Now, I guess this adds some complexity on their end.
I suppose it sounds like they're managing it.
Yeah, absolutely.
And the folks behind Emotet, what you'll see is that they're very regimented in terms of how they update and how they shift behavior. On a very regular basis, they change the PowerShell obfuscation method they use.
So like many malware families today, they use a Microsoft Office document with a PowerShell execution out of it through a macro that will execute on the machine.
And so early on, many folks realized they could write host-level signatures for the PowerShell code.
Well, the actors realized, I'll just change that periodically.
And so they're very good at that.
They also change the RSA keys they use for their command and control mechanism about once a month.
And the WordPress sites that they hack in order to actually do the final
delivery of the malware change practically every day. Well, so given these factors about the folks
who are running this, I mean, what are your recommendations for people to protect themselves
against it? The interesting thing here about the bot C2, that now we have people that might be home
users, could be businesses actually participating in the structure
of the botnet. That's not very common. And so the way that they do that is they actually included
a module that uses UPnP to dynamically open an external port on the router within the environment.
So first recommendation, don't leave UPnP enabled. If you do, restrict it to the host that you
actually want to be using it.
But in terms of the actual infections, we're back to the blocking and tackling that many malware families have, which is Microsoft Office document dropping PowerShell. Don't enable macros,
don't click on them, and then monitor an environment to look for that chain of events.
Are Microsoft Office programs executing PowerShell? That's got to be a very rare thing
in most environments, if it should exist at all. All right. Well, thanks for the update,
of course. Mike Benjamin, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben.
Thanks for listening.
We'll see you back here tomorrow. Thank you.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.