CyberWire Daily - Winnti Umbrella covers multiple threat actors. DPRK off-shores cyber ops. ZooPark is in its fourth generation. GPON router bugs exploited in the wild. Russian Twitterbots. Block the EU?
Episode Date: May 7, 2018
In today's podcast we hear that Chinese intelligence services have been seen beneath the Winnti Umbrella. North Korea's off-shoring of cyber operations. ZooPark Android spyware is now in its fourth generation, and still active in the Middle East and North Africa. Vulnerabilities in Dasan GPON routers are exploited in the wild. Russian Twitterbots are suspected of tweeting death threats in the UK. David Dufour from Webroot on anti-malware testing procedures. And how do you solve a problem like GDPR?
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Chinese intelligence services are seen beneath the Winnti Umbrella.
North Korea is offshoring cyber operations.
ZooPark Android spyware is now in its fourth generation and still active in the Middle East and North Africa.
Vulnerabilities in Dasan GPON routers are exploited in the wild.
Russian Twitter bots are suspected of tweeting death threats in the UK.
And how do you solve a problem like GDPR?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 7th, 2018.
ProtectWise's threat research shop, 401TRG, has identified a common actor behind a number of disparate threat groups that have been active since at least 2009, and perhaps as early as 2007.
ProtectWise concludes the group, Winnti Umbrella, is run by the Chinese state intelligence apparatus.
The groups that fall under the umbrella include LEAD, Barium, Wicked Panda, GREF, PassCV, Axiom, and Winnti.
Security firms have tracked these groups for years.
ProtectWise argues that they're a single operation.
Researchers base attribution on common infrastructure,
overlapping tactics, techniques, and procedures,
and above all, operational security lapses that reveal attackers' locations.
The operation's initial targets are gaming studios and tech companies, where they seek
to steal code-signing certificates.
There's some collateral criminal bycatch, but the ultimate target appears to be political
intelligence.
Tibetan, Uyghur, and other domestic dissidents or groups of suspect loyalty have long been prime collection targets of Beijing's surveillance apparatus.
Recorded Future's report last week that North Korean elites are changing their online behavior also notes that North Korean espionage services stage much of their cyber operations through other countries.
Readily accessible gaming services, BitTorrent, and video streaming make a country attractive.
So does hosting North Korean diplomatic and cultural missions.
There's a chain of North Korean state-owned restaurants abroad, for example, that appears to afford operators good staging opportunities.
These would appear to account for the strange and surprising list of countries that seem to have become presumably unwitting launch points for Pyongyang's cyberattacks: India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, Indonesia, and China.
The typical goal of the attacks is theft or fraud, with overseas operators returning their take as a kind of government-directed remittance.
Defectors say they might, individually, earn around $100,000 a year,
with $80,000 of it returned to the Kim regime's accounts.
Kaspersky warns of ZooPark, now in its fourth generation,
an Android malware campaign active mostly in the Middle East and North Africa since 2015.
One of its vectors is Telegram, the secure chat app.
Telegram has for some time been in disfavor with the more repressive regimes in Eurasia,
Russia and Iran prominently among them,
and this will no doubt lend some urgency and a color of law enforcement legitimacy to their efforts to block the chat app.
Consistent with their usual practice, Kaspersky doesn't speculate about attribution,
but their report does note that surveillance tools are popular among regional governments.
Vulnerabilities in Dasan Gigabit Passive Optical Network, or GPON, routers,
disclosed last week are now under active exploitation by botnet herders.
Researchers at Netlab, a division of cybersecurity vendor Qihoo 360,
think over a million routers are vulnerable. Mexico, Kazakhstan, and Vietnam appear most
affected. ISPs in those countries are thought to have built much of their infrastructure on top of South Korean manufacturer Dasan's devices.
Amid continuing concerns that the U.S. and China
are increasingly engaged in a security-themed trade conflict,
ZTE is appealing the U.S. sanctions levied against it
to the U.S. Commerce Department.
Russian Twitter bots are again in the news,
this time in the U.K.,
where police are investigating what appears to be a wave of Russian bot-driven tweets of death threats and other unpleasantness.
In this case, the occasion appears to be the internal Labour Party dissatisfaction with party leader Jeremy Corbyn.
Corbyn has in recent weeks faced criticism of perceived softness with respect to Russian activities,
like the Salisbury nerve agent attack,
and of alleged blindness with respect to anti-Semitism on the part of some of his associates.
He's also been criticized for Labour's disappointing performance in recent local elections,
where Labour was widely expected to romp.
In any case, the troll farm seemed to have been up and at him,
although in this case, as elsewhere, it's worth remembering that information operations are difficult to assess.
Finally, concerned about GDPR? Well, who isn't nowadays, with full implementation less than three weeks away?
Taking a good look at your data? Purging all that unnecessary stuff? Making good and sure that Google and Facebook haven't quietly offloaded their liability onto you behind a dense smokescreen of terms of service and end-user license agreements? Lawyering up? Done all you can to avoid being hit by one of those £20 million fines (that's $24 million in Yankee greenbacks, chum), or a fine of 4% of your company's annual worldwide revenue, if that happens to be greater than £20 million?
Are you good to go with the 72-hour deadline for revealing breaches? Hired yourself that data protection officer you've been meaning to get around to? Or is this maybe all too much for you? Thinking of going off the grid entirely?
Probably not, but a number of companies are saying so long, farewell,
auf Wiedersehen, goodbye to European businesses.
Steel Root, the Boston-based cybersecurity company, early Saturday tweeted out: "We were blocking before GDPR. We have no customers outside of the U.S. Minimizes scans and junk traffic to our site. Minimizing EU collection is a nice benefit to us, obviously not a self-contained GDPR strategy."
But maybe you're not ready or able to do the same.
If you're not, here's an alternative we read about in Bleeping Computer.
There's this product, GDPR Shield, whose makers say it will keep you out of trouble by blocking all traffic from the EU.
GDPR Shield is JavaScript you can embed in your website to keep any EU visitors out.
No data? No problem, or so the proprietors say.
But hold on, Nordamericanos. Maybe it won't shield you as much as you thought.
GDPR covers data about European citizens wherever they may be.
It wouldn't appear to lend itself to geofencing.
Consider this hypothetical.
A dodgy pre-Brexit English expatriate, let's say from Birmingham or Durham, mooching around in Los Angeles and dividing his time between, let's say, UCLA and various divey San Fernando Valley snooker parlors, is seized with a powerful hunger and orders one sandwich, animal style, from a nearby In-N-Out Burger.
To save time, he does so online.
I mean, maybe he's still GDPR'd up, even if he's on his phone from the corner of Pico and Alvarado, right?
Weird, huh? Anywho, 18 more days until GDPR. We're looking out for you.
And joining me once again is David Dufour.
He's the Senior Director of Engineering and Cybersecurity at Webroot.
David, welcome back.
We wanted to touch today on anti-malware testing.
What can you share with us about that?
Well, you know, I think everyone is aware. You see publications always rating anti-malware software, how well it does in tests and things of that nature.
And I think it's probably a good time to just highlight how that testing works,
how it's maybe not changed over the last 10 years or so,
and kind of just talk about the bigger things you need to be looking for in anti-malware solutions.
Yeah, well, take us through. What can you share?
Well, so back in the day, a lot of times the testing, the way it worked,
was you would go out, you would find malware.
If you're a tester, you would drop that malware on machines that were not connected to the Internet, but they had the latest updates of the anti-malware files.
And you would see how well it detected that malware on the machine.
So basically, install some malware on a machine, run the anti-malware, make sure it's up to date, and then see how well it detects.
And that's kind of how you rated it.
Frankly, we haven't moved too terribly far beyond that in this day and age.
You know, some folks in testing labs do try to spend time using some polymorphic malware, trying to see if they can elicit some behaviors, which that's good.
It's a better way of testing than just strictly looking at signatures. The problem is a lot of,
you know, next generation malware solutions, anti-malware solutions,
they're doing much more than just trying to detect a malware file.
Yeah. You know, I saw actually recently on Twitter, someone was making the point that we all sort of talk about, we refer to it as a traditional antivirus. And this person was making the point that that's sort of a straw man at this point, that traditional antivirus is not really a thing so much anymore.
That is absolutely true. And so my point in all of this is testing antivirus in the traditional way probably isn't giving us the best understanding of the efficacy that we're seeing.
For example, there are solutions now that do the meat and potato,
scan for files, look for behaviors, things of that nature.
But before that, they're warning you about malicious websites
or they're scanning sites you may browse to or email to detect if you're trying to be phished.
So they do some things up front.
And in addition, after a piece of malware lands on a machine, not only is it trying to detect it, but let's say it misses that malware. It might actually be looking for exploits that run in a machine to try to determine, hey, is this piece of software exploiting my machine?
So there's a lot going on before and after that traditional antivirus that we always think of.
And so what's your advice for folks who are shopping around? Is this a case where necessarily more is better? Should I load up on different products to make sure that I have a belt and a pair of suspenders?
That's a good question.
A belt and a pair of suspenders, as long as it's not slowing your computer down too much,
doesn't hurt.
But I guess what I would highly recommend is don't just look at test results that say
how fast something found a piece of malware,
or did it detect all the files that were loaded? What you want to do is look at something that has
more of a holistic approach that prevents things from getting on your machine, or looks at things
other than just malware by looking for those exploits and things like that. So I guess it's a great place to start making that determination.
Is this file good? Is it bad?
And look at those reviews.
But you want to take that step further to ensure that the solution you get
is preventing things from actually getting on your machine.
That's really the advice I can give.
All right. David Dufour, thanks for joining us.
Thanks for having me, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.