Today we discuss some exploits running loose in the wild. GSA's 18F unit cleans up its Slack implementation and shares its lessons learned from a potential breach. Older Android devices are susceptible to an Accessibility exploit. A million-device clickfraud botnet drains advertising budgets. A new cyber espionage campaign prefers quality to quantity. SWIFT gets security advices. Cyber tensions rise between the US and China. Dale Drew from Level 3 shares the perspective of a backbone provider, and Yong-Gon Chon wonder if company's don't overreact to breaches.
Dave Bittner: [00:00:03:12] That patched Flash zero-day is being distributed in the wild. GSA cuts itself some slack. Many Android devices are reported vulnerable to click jacking. Advertising budgets are being drained by a big click fraud botnet. A new furtive cyber espionage tool, Furtim, is observed in the wild. Swift gets some advice. Apple patches some wildey used products. Cyber tensions rise between the US and Chine and GCHQ joins Twitter.
Dave Bittner: [00:00:33:01] This CyberWire podcast is brought to you by Recorded Future, the real-time threat intelligence company whose patented web intelligence engine continuously analyses the entire web, to give information security analysts unmatched insight into emerging threats. Sign up for free daily threat intel updates at recordedfuture.com/intel.
Dave Bittner: [00:00:56:24] I'm Dave Bittner in Baltimore, with your CyberWire summary for Tuesday, May 17th, 2016.
Dave Bittner: [00:01:03:11] The recently patched Flash zero-day is being actively exploited in the wild. If you’re still using Flash, do patch it. FireEye warns that the common vectors are maliciously crafted Microsoft Office files delivered as email attachments. As much as most places might hate to admit it, email in general and Outlook in particular probably remain the most widely-used business collaboration tools, but even good alternatives carry their own risks if they’re not properly configured. Witness, for example, the GSA. The US General Services Administration, like many other organizations, is a Slack user. The staff in GSA’s 18F unit, an office that functions effectively as an IT consultancy for Federal agencies, is required by internal policy to use Slack for sharing files: images, documents, spreadsheets, pdfs, the typical contents of business collaboration. To share data from GSA Google Drive in Slack, 18F uses the standard OAuth 2.0 for authorization and authentication but, according to the GSA Inspector General, there were issues with how 18F configured Slack. On March 4th, an 18F supervisor noticed that their use of OAuth 2.0 permitted full access to more than 100 GSA Google Drives. This opened the possibility that the documents could have been automatically exposed to public view. 18F disabled the option, removing Google Drive integration from their Slack instance. 18F’s account of the incident is worth a look, particularly by other enterprises that use Slack. Visit the blog at 18f.gsa.gov for the story.
Dave Bittner: [00:02:40:03] Skycure is warning that older Android devices, which is to say, most Android devices, are vulnerable to clickjacking through exploitation of Android’s Accessibility Services and the ability the system provides to draw over other apps. Privilege escalation up to control over a device is possible. Skycure recommends updating to the latest version of Android and, as always, downloading apps only from an authorized source.
Dave Bittner: [00:03:04:15] Click fraud, not to be confused with clickjacking, is also in the news. Bitdefender notes that a very large botnet has herded in around a million devices, and that it’s successfully burning through advertising dollars by using the Redirector.Paco Trojan to generate bogus clicks.
Dave Bittner: [00:03:21:23] EnSilo analyzes “Furtim,” malware being described as “stealthy” and “paranoid.” Now circulating in the wild, Furtim was discovered by a researcher who goes by the handle “@hFireFox.” enSilo finds that Furtim is noteworthy for the large number of checks it makes for anti-virus measures installed on its targets, some 400, ranging from commodity security products to some fairly esoteric protective tools. Its servers also send the malicious code only once, thereby limiting opportunities for reverse-engineering. Furtim’s purpose appears to be espionage.
Dave Bittner: [00:03:59:07] As SWIFT users react to last week’s attempt on a Vietnamese bank, (foiled, the bank says), observers continue to look at the funds transfer system and conclude that its security procedures need an overhaul. Imagine your company suffers a breach and it's a big one, messy and public, how should you react from a technical and public relations point of view? Yong-Gon Chon is CEO of a company called Cyber Risk Management and he says that many organizations, when faced with this sort of situation, overreact.
Yong-Gon Chon: [00:04:29:05] It has really manifested in the sociology of feeling vulnerable and exposed and so if you consider the American response to 9/11, that response occurred in such a way where it manifested itself with the creation of the Transportation Security Administration, as well as wide-ranging enhancements to laws to protect US citizens. If you look at that parallel in the digital arena, organizations get breached, they overreact to show whether it's invest for confidence, customer employee confidence, that they're now taking it seriously and are now investing a substantial portion of their budgets where, if they took a more balanced approach and a more proactive approach throughout the life cycle, the impact associated with the damages may not have been as critical.
Dave Bittner: [00:05:26:22] So while it's important to not overreact, you do need to get in front of the situation, according to Chon, effective communications are a key part of that.
Yong-Gon Chon: [00:05:34:18] There's crisis management marketing that lots of organizations need to do, to restore investor confidence, mitigate losses associated with share value, if they're a publicly traded firm, restoring employee confidence and, ultimately, demonstrating that they are in control of their business.
Dave Bittner: [00:05:58:11] Chon emphasizes the importance of companies keeping an eye on the big picture, from a high level.
Yong-Gon Chon: [00:06:03:05] An organization needs to take a holistic approach in looking at their financial data and looking at their financial operating processes, taking a look at their technology and then also looking at the operational elements as well and it's ultimately about facilitating that cyber aware culture; are you running the right kinds of drills around spearphishing attacks, for instance? Are you still running penetration tests, are you running breach readiness assessments? If I had to press 911 today because of a suspected data breach, who do I call? What processes do I need to invoke? What do I do in a case of a crisis?
Dave Bittner: [00:06:43:06] That's Yong-Gon Chon from Cyber Risk Management. We'll hear more from him in our upcoming special edition covering cyber value at risk.
Dave Bittner: [00:06:51:22] In patch news, Apple has issued updates for OS X 10.11.5, iTunes 12.4, and iOS 9.3.2. This round of patches aims at improving both security and usability.
Dave Bittner: [00:07:06:12] And Sino-American tensions tighten with the release of a US Department of Defense assessment that shows an increasingly assertive Chinese presence in both cyberspace and the South China Sea. US lawmakers and policymakers debate the appropriateness, and likely effectiveness, of retaliation in kind. That’s retaliation in cyberspace, no one is proposing that America construct artificial islands on any continental shelf. As far as we know.
Dave Bittner: [00:07:34:11] Investors await Cisco’s guidance, expected later this week. Barron’s suggests that the company may disappoint, which would further disturb cyber stock prices. Venture capital for security startups remains available, however, both Avanan and Illusive announce new rounds of funding.
Dave Bittner: [00:07:51:00] Finally, we’re pleased to welcome a new voice to Twitter. GCHQ, Britain's intelligence and security organization, is now tweeting, a little bit, with the handle @GCHQ. One of the first tweets directed toward Cheltenham came from Langley, the CIA issued a chipper “hello world.” So, hello, GCHQ, and thanks for listening. We hope you're listening, anyway.
Dave Bittner: [00:08:19:18] Today's podcast is made possible by Clear Jobs.net, find rewarding IT engineering opportunities in Maryland, tackling complex security challenges in the defense arena, join G2, a growing company where creativity, curiosity and playfulness lead to innovative problem solving. Learn more at the CyberWire.com/clearjobs.
Dave Bittner: [00:08:47:05] And joining me once again, is Dale Drew, he's the chief security officer at Level 3 Communications. Dale, Level 3 is a backbone provider and that gives you a particular vantage point on the rest of the internet, I was wondering, for our listeners, describe to me what is the role of a backbone provider in relation to the overall topography of the internet?
Dale Drew: [00:09:07:03] Well, if you think about a backbone provider like Level 3, we're like a post office, people will take their data, put it in an envelope, address that envelope with a “to” and a “from,” and hand it off to their carrier, or in our case the router, and we analyze that “to” and the” from,” and we route it to the appropriate location based on zip code, and then based on address and then based on name. We take a significant number of those envelopes a day and for most carriers, whether those envelopes contain legitimate data, whether they contain malware or whether they contain spam, we are just the carrier of that data.
Dave Bittner: [00:09:49:16] But at the same time, you're constantly looking at the data, you're analyzing the data and what kinds of things are you seeing in that stream of data?
Dale Drew: [00:09:57:00] Well, so we don't analyze the actual content of the payload itself, we do all of our analysis based on the “to” and the “from,” and then the relationships that those to's and those from's have. We know, for example, some zip codes send more spam than other zip codes, we know that some zip codes are responsible for more malware than other zip codes and we pay more attention to those neighborhoods than we do other neighborhoods. So, for example, within our backbone, we collect 52 billion events a day and we identify 1.3 billion security events a day. That's about 300 command and control botnets a second, that's about 2,000 phishing attacks a second, it's about 3,000 malware attacks every second and it's about 10,000 scans a second. So, the amount of visibility we have is pretty enormous, but also the amount of bad activity is significant and rising.
Dave Bittner: [00:10:51:02] If you aren't looking at the actual contents of the data, does that mean you're collaborating with the people who are?
Dale Drew: [00:10:57:02] Absolutely, we're collecting data from a wide variety of IP reputational databases that are analyzing things like malware attacks and phishing attacks and scanning attacks. We also collect this data ourselves, so we have a honey-pot infrastructure where we're collecting that data and then we also have the algorithms that will analyze that data, look for bad activity. Now what we do is when we receive IT reputational information, our honey-pot information or the alga-rhythm data, we'll analyze who's being attacked and then reference that IP address across the entire network. If we know a bad guy is attacking a particular customer, we'll watch that bad guy to see who else they're attacking and then build algorithms for watching that behavior. What we detected is that a lot of the bad guys have very particular behavior, they do things in a very particular way, which allows us to categorize, not only the actor themselves, meaning the organized crime or the nation state, but even individuals within those organizations. So we know when a particular person is attacking an industry because that particular actor has very specific habits when they're breaking into systems.
Dave Bittner: [00:12:06:13] Alright, fascinating stuff. Dale Drew, thanks for joining us.
Dave Bittner: [00:12:13:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. If you'd like to place your products, service of solution in front of people who want it, you'll find few better places to do that than the CyberWire. Visit thecyberwire.com/sponsors to find out how to sponsor our podcast or daily news brief. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.