In today's podcast we hear about Yingmob's HummingBad Android malware, what it's up to and where it might be headed. We also learn about Eleanor, a Mac OS-X backdoor masquerading as a document conversion app, and we hear about the shifting form of the pseudo-DarkLeech ransomware campaign. The ThinkPwn zero-day may have a wider scope than originally thought. Observers wonder whether ISIS may be overplaying its bloody hand, and, of course, we find out what the FBI concluded in its investigation of former Secretary of State Clinton's emails. Joe Carrigan, from the Johns Hopkins University Information Security Institute, reminds us to take care when setting up a new router.
Dave Bittner: [00:00:02:17] HummingBad grows into an Android pandemic. Eleanor and pseudo-DarkLeech are also circulating in cyber-criminal circuits. The ThinkPwn zero-day has a wider scope than previously thought. Industry notes. Responses to ISIS attacks, inspiration, and command-and-control. The FBI closes its investigation into the former Secretary of State's emails: no indictments, but some harsh words for State and its former leader.
Dave Bittner: [00:00:32:19] Time to take a moment and tell you about our sponsor, E8 Security. They're putting your data together with E8's analytics for security that can handle the unknown unknowns. Consider what might warn you of malware on your system. A running program listening on a rare or never-before-seen open port is one of them. It's easy to say that, but could you say what counted as rare or never seen before? Or would that information jump out at you as you reviewed logs, if you had time to review your logs, and by the time the logs reached you, the news would be old?
Dave Bittner: [00:01:00:18] But E8's analytical tools recognize and flag that threat at once, enabling you to detect, hunt and respond. Get the free white paper at E8security.com/dhr and get started. E8 Security, your trusted partner. We thank E8 for sponsoring the CyberWire.
Dave Bittner: [00:01:25:19] I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday July 6th, 2016.
Dave Bittner: [00:01:31:02] Many security types are mulling the significance of “HummingBad,” an ad fraud campaign that’s believed to have infected some eighty-five million Android devices worldwide. The infestation amounts to something of a pandemic in the Android population. According to researchers at Check Point, HummingBad is a criminal operation that’s bringing in some $300,000 a month for the Chinese “Yingmob.”
Dave Bittner: [00:01:53:02] According to Check Point, HummingBad has been installed by drive-by download. Adult sites were also common infection vectors. Once exposed, HummingBad first deploys a rootkit able to exploit several vulnerabilities. Should the rootkit fail to establish access, HummingBad delivers a fake system update notification which often succeeds in duping victims into granting the attackers system-level permissions.
Dave Bittner: [00:02:16:05] Fortune and others characterize Yingmob as an “ad firm,” which seems right, if not particularly exculpatory. While HummingBad at present seems to be sticking to its clickfraud last, observers worry that the malware could easily be turned to other uses. Infected devices could easily be herded into a botnet, for example, and the surveillance potential of Yingmob’s product has surely not escaped the usual array of state and non-state actors. Many conclude that Yingmob would welcome fresh market opportunities.
Dave Bittner: [00:02:45:20] Bitdefender reports having found a new strain of Mac malware. They’re calling it “Eleanor,” and say it’s downloaded under the guise of a bogus document conversion app, “EasyDoc Converter,” which the unwary download. Needless to say, EasyDoc Converter doesn’t convert docs or do much of anything else beyond opening a backdoor in infected OS X devices.
Dave Bittner: [00:03:06:17] Eleanor checks its potential victim for Little Snitch (a Mac OS X application firewall) and also for previous Eleanor infections. If it finds neither, infection proceeds, installing a Tor hidden service, a PHP Web Service, and a Pastebin agent. Bitdefender doesn’t say what the malware’s purpose is, but it could easily be used for data theft or spamming. Bitdefender does note that EasyDoc Converter isn’t an app that Apple’s signed, so, as always, download outside the App Store only with extreme caution.
Dave Bittner: [00:03:36:24] The ThinkPwn zero-day, which poses a controversial but non-negligible risk, has been found to have a wider scope than first believed. Originally held to affect UEFI drivers in laptops, mostly Lenovo but also HP, it’s now been found in the firmware of motherboards sold by Gigabyte. There’s no fix out, yet, although security analysts seem to think Lenovo may be, or should be, working on one.
Dave Bittner: [00:04:01:05] Pseudo-Darkleech, the campaign Sucuri discovered in March 2015, continues morphing to evade detection. SANS says the ransomware campaign has eliminated large blocks of telltale code and shifted the exploit kit it uses from Angler to Neutrino. Angler, as we’ve seen, has essentially disappeared from the crimeware tool box. Researchers are keeping an eye out for its potential return in some revenant form.
Dave Bittner: [00:04:25:07] These retail threats are the sort of thing any ordinary user might be concerned about. We’ve often heard about the importance of backing up your data to protect yourself against the most serious consequences of a ransomware attack. Today we hear about another way of protecting yourself or your business—what should you consider when choosing and setting up a router. The Johns Hopkins University’s Joe Carrigan shared some advice with us and we'll hear from him after the break.
Dave Bittner: [00:04:48:15] In industry news, Symantec’s stock price enjoyed a strong June surge, driven principally by investor optimism over its $4.65 billion acquisition of Blue Coat. Shares rose by more than 18 percent.
Dave Bittner: [00:05:02:04] In the UK, startup Darktrace picked up $64 million in its latest funding round. The investors were led by KKR. Existing investor Summit Partners and new investors TenEleven Ventures and SoftBank also participated. The funding puts Darktrace almost halfway to unicorn status.
Dave Bittner: [00:05:21:23] Turning to conflict, law, and politics, many observers think ISIS’s end-of-Ramadan wave of massacres may have gone too far. States opposing the self-proclaimed Caliphate, notably France, are revising their intelligence approaches to counter-terrorism. But it remains unknown whether murder displayed online is losing its appeal to the Caliphate’s core demographic of the disaffected in search of transcendence. While ISIS-controlled territory continues to shrink, the group has shown no decrease in its ability to inspire lone wolves, and the recent round of attacks has led many analysts to conclude that ISIS has shown a new ability and propensity to directly control and coordinate terrorist cells.
Dave Bittner: [00:06:01:16] In the US, the FBI yesterday declined to recommend indictment of former Secretary of State Clinton for mishandling classified information. FBI Director Comey said, in an unusual public statement, that former Secretary Clinton and her associates did indeed mishandle such, and that foreign intelligence services probably gained access to her private emails. But, the Director said, other elements that would normally warrant prosecution were lacking.
Dave Bittner: [00:06:26:15] Comey said, “In looking back at our investigations into mishandling or removal of classified information, we cannot find a case that would support bringing criminal charges on these facts. All the cases prosecuted involved some combination of clearly intentional and willful mishandling of classified information, or vast quantities of materials exposed in such a way as to support an inference of intentional misconduct, or indications of disloyalty to the United States, or efforts to obstruct justice. We do not see those things here.”
Dave Bittner: [00:06:59:01] Beyond the decision not to recommend indictment, the Director’s statement hardly constituted a letter of recommendation, citing as it did “extreme carelessness” in handling classified information.
Dave Bittner: [00:07:09:04] The FBI also had some starchy words for the State Department, finding State’s security culture a lot more loosey-goosey than the culture prevailing elsewhere in the Federal Government. Given that the Federal Government includes, for example, OPM…well. We note in fairness that the State Department publicly dissented from that assessment in its own statements.
Dave Bittner: [00:07:33:23] This CyberWire podcast is made possible by the generous support of Cylance, offering revolutionary cybersecurity products and services that proactively prevent rather than reactively detect, the execution of advanced persistent threats and malware. Learn more at cylance.com.
Dave Bittner: [00:07:56:24] And joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute. Joe, we're talking about setting up a new wifi router in our house. What are some of the basic security steps that we need to take to make sure that that router is secure as it needs to be?
Joe Carrigan: [00:08:13:04] First thing you need to do is, when you connect to this router, you go into the web interface and you change the admin password from the default. That is of paramount importance, because it's very well known what these admin usernames and passwords are, and if someone can get on your network and you haven't changed that, they can do whatever they want to your router.
Dave Bittner: [00:08:33:21] It's remarkable how many people don't do that, and usually it's "admin" and "password" for the username and default password, right?
Joe Carrigan: [00:08:40:13] Right, yes, and it's very common. There's a lot of times where things are just, even not necessarily routers, but say IP cameras that just have outward facing IP addresses that have the default username and password on them.
Dave Bittner: [00:08:57:19] So there's some other settings you should go in there and check. You got to make sure your encryption's turned on?
Joe Carrigan: [00:09:02:09] Correct. You've got to make sure that your WiFi encryption's turned on and set to something better than WEP. That's already been cracked and I think there are tools that can do it in 45 seconds depending on your processor speed and how much time and bandwidth you have. Also I'd change the password to access the network, make sure the password to access the network is not the same as the one that's printed on the outside of the router.
Dave Bittner: [00:09:24:16] Right, particularly from your cable provider, they appear on there.
Joe Carrigan: [00:09:28:10] Correct. Right. Like I have a Verizon router, and the wifi password for the default settings is printed on the outside of that router.
Dave Bittner: [00:09:36:23] Also, what about controlling inbound traffic? That's something you want to check out too?
Joe Carrigan: [00:09:41:10] Right, yes exactly. You want to keep that turned off. You want to make sure that there's no way for somebody to access the web interface to manage that router from the outside. Most of the routers I've seen in setting up these routers for myself and my family, it's disabled by default. You can't access the management interface from the outside. But you can enable that, and I would recommend you don't enable that, because you really don't need to manage your home wifi network from work.
Dave Bittner: [00:10:15:17] Right. Some of these things are basic, but it's remarkable how often people don't think of them. They overlook them or they're just in a hurry and don't bother to change them. So it's a good reminder.
Joe Carrigan: [00:10:27:18] Yes. Take the time to make it right.
Dave Bittner: [00:10:28:24] Alright. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:10:31:18] Thank you, my pleasure.
Dave Bittner: [00:10:34:14] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible. If you'd like to place your product, service, or solution in front of people who'll want it, you'll find few better places to do that than the CyberWire. Visit thecyberwire.com/sponsors and find out how to sponsor our podcast or Daily News Brief.
Dave Bittner: [00:10:55:03] The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.