podcast

The CyberWire Daily Podcast

In today's podcast we hear about a malicious app that will save your battery, but it will also install a backdoor, steal information, and click on a bunch of ads. A sophisticated and patient botnet, Mylobot, is observed in the wild, but it's not yet clear what it's up to. Cryptojackers exploit a known (and patched) Drupal vulnerability. Vectra finds tunnels. Google adds security metadata to Android apps. Cisco patches. The EU's proposed copyright regulations attract little love. Congress pursues ZTE and Huawei. And Tesla sues a former employee. Ryan LaSalle from Accenture, on the opening of their new Cyber Fusion Center. Guest is Ned Miller from McAfee on their “Winning the Game” report on the gamification of security training.

Transcript

Dave Bittner: [00:00:04:02] A malicious app will save your battery, but it will also install a backdoor, steal information, and click on a bunch of ads. A sophisticated and patient botnet, is observed in the wild, but it's not yet clear what it's up to. Cryptojackers exploit a known Drupal vulnerability. Vectra finds tunnels. Google adds security metadata to Android apps. Cisco patches. The EU's proposed copyright regulations attract little love. Congress pursues ZTE and Huawei. And Tesla sues a former employee.

Dave Bittner: [00:00:41:16] Now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk, and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows.

Dave Bittner: [00:01:10:09] Want to learn more? Check out their newest paper, entitled "More is not more - busting the myth that more threat intel feeds lead to better security." It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization, and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper, or to register for a free ThreatConnect account, visit ThreatConnect.com/cyberwire, and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:00:09] Major funding for The CyberWire podcast is provided by Cylance. From The CyberWire studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Thursday, June 21st, 2018.

Dave Bittner: [00:02:13:00] There are several warnings today of new threats.

Dave Bittner: [00:02:16:02] RiskIQ this morning warned of information-stealing ad-clicking malware that's being offered via warning pop-ups on Samsung Android devices. The malicious app represents itself as a battery saver, and indeed it does perform as advertised. Its unadvertised performance with clicks, theft, and a backdoor is what's objectionable here. The pop-up contains a link that takes the unwary to the more often than not safe Google Play. There they are invited to install an app that will "cleanup" your Samsung. It's possible, thinks RiskIQ, that the app was originally developed as a legitimate battery saver, with the ad-clicking and other undesirable stuff added later. As they say on their blog, "We aren't sure but we're keeping an eye on this developer at least!"

Dave Bittner: [00:03:07:03] Another warning comes from Deep Instinct, which described Mylobot on its blog. Mylobot, which one of the researchers named in honor of a pet dog, is a new and sophisticated botnet currently active in the wild. It's not clear what Mylobot's controllers are after, and it's also unclear how the malware is delivered, but by all appearances it's not in the least an amateur performance. Among Mylobot's features are methods of evading sandboxes and debuggers, and of reflective execution of .exe files directly from memory.

Dave Bittner: [00:03:41:07] Mylobot is also patient, remaining quiescent for two weeks after installation before it calls its command-and-control servers. It also removes competing malware from the systems it infects. Researchers say it bears some similarity to Locky ransomware, but it isn't just a Locky variant. Mylobot can establish complete control over victim devices, delivering whatever payloads its unknown masters may wish to install. So, Mylo, good dog, but bad bot. Bad.

Dave Bittner: [00:04:14:23] Cryptocurrency mining remains with us. Trend Micro has observed a series of attacks that exploit CVE-2018-7602, a vulnerability in the Drupal content management system. The attacks Trend Micro is seeing are installing bots whose purpose is to mine Monero cryptocurrency. Happily, this is one instance in which patching fixes the problem. An updated Drupal core closes out the vulnerability the criminal miners are exploiting.

Dave Bittner: [00:04:44:11] Vectra's long retrospective look at the Equifax breach has led it to conclude that attackers are interested in using hidden tunnels to get into otherwise well-protected networks. Financial services are particularly attractive targets. There appear to be more than twice as many hidden data-exfiltration tunnels per ten-thousand devices in financial services than all other industries combined.

Dave Bittner: [00:05:08:06] Google Play is adding security metadata to Android apps in the store, the better to secure offline distribution. Developer transparency has become increasingly important to the Android ecosystem. Knowing who made what, and what their track record is, can provide some useful indicators of trustworthiness.

Dave Bittner: [00:05:30:01] In other upgrade news, Cisco has patched two dozen issues with switches, next generation firewalls and security appliances. The company rates them either "critical" or at least "high severity," and the patches deserve the quick attention of Cisco users.

Dave Bittner: [00:05:47:09] Researchers at McAfee recently published a report titled, "Winning the Game." One of the areas it explores is how gamification can lead to better security outcomes. Ned Miller is Chief of Technology Strategy for McAfee's US public sector business unit.

Ned Miller: [00:06:03:15] Gamification is an organization's ability to exercise their cybersecurity team to ensure how they would behave if a real attack occurred. The gamification concept is often referred to in our industry as events like "capture the flag," or "hackathon" contests, and what we were surprised at in the report is that a number of organizations don't exercise their teams on a fairly regular basis - they don't have a scheduled cadence. The more successful organizations would typically run one or two exercises per year, in order to ensure that the teams react accordingly, and they can put some metrics in place to measure the overall performance should an attack occur.

Dave Bittner: [00:06:54:12] Now looking at the results of the report, what are some of the key takeaways for you? What are you recommendations for things that folks can implement to do a better job?

Ned Miller: [00:07:03:16] So there's a couple of things. One, in terms of automation, what we have found is the teams that are more sophisticated and have deployed automated capabilities to take care of some of the manual steps that are very time-consuming, and contribute to what we consider the dwell-time - from the time an attack is identified until it's actually resolved. The use of automation is something that all organizations have, or should be adopting, and we would encourage that pace to quicken as they go forward.

Ned Miller: [00:07:37:18] Another area would be, as we mentioned, the notion of gamification, is to exercise the teams at least once a year, and go through kind of like a war-game scenario to exercise the teams, in order to sharpen their skills, understand where the organizational weaknesses are, and then reinforce against those potential weaknesses that are identified. In terms of what we consider the "soft skills," or the job satisfaction area, is continuously explore the roles of individuals, and what their actual tasks are, and continue to evolve what their current tasks are, and provide them clear guidance towards other areas of interest that will continue to pique their interest, and maintain their loyalty to the organization, and grow professionally.

Ned Miller: [00:08:32:17] That's also where automation comes in place. If we can introduce automation that takes care of some of the more mundane tasks, the individuals that are there can be repurposed to take on some higher-order tasks that are typically more interesting and challenging.

Dave Bittner: [00:08:49:00] That's Ned Miller, from McAfee.

Dave Bittner: [00:08:53:03] The EU's controversial copyright regulation, which has advanced closer to becoming law - it's not there yet, but it's closer - still attracts little love from the tech industry and Internet users. It would block a great deal of the sort of sharing that's now become routine, including the popular sharing of low-grade memes. The regulations will now become matters of negotiation with member states' national authorities, and that won't be a swift process.

Dave Bittner: [00:09:22:12] In the US, Congress remains unwilling to follow the Administration in cutting ZTE some slack. Congress is also not interested in doing Huawei any favors, either. Google's cooperation with Huawei has drawn some attention on Capitol Hill. If you're unwilling, on what you suggest are principled grounds, to cooperating with the US Department of Defense on IT research, exactly why do you see no problem with working hand-in-hand with Huawei on projects of mutual benefit? Huawei is, in the prevailing Congressional view, a security risk, a reliable adjunct of the People's Liberation Army's cyber operators. How is that cooperation better than working with, say, the DoD's Silicon Valley technology scouts? Some members of Congress are clearly in a sauce-for-the-gander mood.

Dave Bittner: [00:10:11:22] Congress is also asking the US Department of Education to look into fifty research partnerships between Huawei and various US universities. Some members of Congress, again, consider those relations a security risk.

Dave Bittner: [00:10:26:08] And, desiring to prevent a recurrence of security wrangling over ZTE, Kaspersky, and Huawei, a bill has been introduced into the Senate that would establish an inter-agency Federal Acquisition Supply Council that would be charged specifically with responsibility for developing cybersecurity supply chain criteria.

Dave Bittner: [00:10:45:16] According to stories in the Wall Street Journal and TechCrunch, Tesla Motors is suing a former employee for a million dollars, alleging he hacked them for trade secrets, which he subsequently gave competitors. Elon Musk did some email rumbling about the sabotage and hacking early this week, and the company filed a lawsuit yesterday in a Nevada court against Martin Tripp, who formerly worked at Tesla as a process technician. Tesla's suit alleges that Tripp "admitted to writing software that hacked Tesla’s manufacturing operating system, and to transferring several gigabytes of Tesla data to outside entities." The company says that Tripp was upset at being reassigned within the company (Musk says Tripp was sore about his failure to be promoted) and that Tripp did what they allege he did in retaliation for what he felt was ill-use.

Dave Bittner: [00:11:37:09] The Washington Post says that Tripp told them he didn't tamper with any internal systems. Instead, he said he was a whistleblower, alarmed and moved to speak by "some really scary things" he saw at Tesla Motors. Among those things were, according to Tripp, a high rate of raw-material waste and the installation of dangerous punctured batteries in some Tesla cars. The raw-material waste story found its way into Business Insider earlier this month, and Tripp acknowledged he was the source. Tripp also denied having hacked anything, saying, "I don't have the patience for coding."

Dave Bittner: [00:12:15:10] Musk's company is taking the founder's fears of sabotage seriously - physical security has been beefed up at Tesla's Gigafactory in Nevada.

Dave Bittner: [00:12:29:05] And now, a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect, and remediate. A single open platform approach, data loss prevention policies, and contextual policies get you started. They'll help you move on to protecting applications, access management, and encryption, and they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details, and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware, and we thank VMware for sponsoring our show.

Dave Bittner: [00:13:30:07] Yesterday, our partners at Accenture celebrated the opening of their newest Cyber Fusion Center - this one, in Alexandria, Virginia, just outside Washington DC. Virginia governor Ralph Northam was there for the ribbon-cutting, and to acknowledge Accenture's commitment to add a thousand new jobs to the region by 2020. The CyberFusion Center puts Accenture's threat intelligence, incident response, and adversary simulation under one roof.

Dave Bittner: [00:13:56:23] I stopped in for a tour of the new facility, which features impressive views of Washington, DC, glass-enclosed meeting and collaboration rooms, large displays on the walls monitoring cyber threats from around the world, and clusters of workstations for developers, researchers, and threat-hunters to do the things they do. At the grand opening, one of the demos highlighted the team's ability to infiltrate a client's industrial control systems, and alter the settings on a critical safety system.

CyberFusion Demonstrator: [00:14:24:09] So when the attacker does this, he's changing the parameter in the safety system, so now that the in-and-out cadence that you were hearing has stopped. We now get the tanks filling up with pressure just by changing that one parameter.

Dave Bittner: [00:14:35:15] For the demo, an overinflated balloon substituted for an exploding gas storage facility [BALLOON POPS] but the security implications were clear. I sat down with Ryan LaSalle, Managing Director and North American Lead at Accenture.

Dave Bittner: [00:14:51:08] I want to touch on the notion of proximity, from two different directions. First of all, proximity to the nation's capital. As you look out the windows here, you have a fabulous view, but you're looking at Washington DC - you're in the shadow of that city, and obviously we don't have to go into the importance of that. But why is it important to you, from a business development point of view, to be that close, to be that accessible?

Ryan LaSalle: [00:15:15:24] So, first I think the future innovation and the research agenda of cyber defense is happening here. This corridor, really from Dulles Airport up to Baltimore, is the cyber innovation corridor. This is the place where it happens. It was important from a talent perspective that this is the place where those entrepreneurs, and the talent base, live. From a business development standpoint, certainly this market is rich with the Federal government and their need for cyber defense services, but also a pretty healthy commercial community, that is also looking at ways to defend themselves, whether they're hospitality organizations or banks, or Federal services organizations. There's a bustling economy inside the DC Beltway beyond just the Federal government.

Dave Bittner: [00:15:57:18] The other thing I want to touch on with proximity is the proximity that you've placed everyone within the space itself. It strikes me that that is a very deliberate part of what you've designed here. First of all, was it always that way? Were the teams always able to communicate this way, and if not, what are the benefits of having them here together?

Ryan LaSalle: [00:16:16:03] First I'll say, these teams have never been co-located before. Some teams came through organic growth, some through acquisitions over the last couple of years, and we've been stitching together that cycle of know, be, see and expel as we've been growing. This the first time the teams are all together in one place, and we work really closely with all the different teams to design a space that was accommodating to the kind of work they do, but we put the coffee and the snacks at the corners, so the teams have to go and bump into each other when they're getting caffeinated, so if you want to fuel up, that's where the innovation happens.

Ryan LaSalle: [00:16:52:15] We also put the biggest TVs there, so the other day, when Tunisia was playing England in the World Cup, and there was a cross-team of lots of different groups sitting together around the table - watching the game, coding away, doing analysis, or whatever they were doing - there were three different languages being spoken at that table. We could hear this collaboration happening in a way that you can't force. You've got to create the space, and then give them the room to innovate.

Dave Bittner: [00:17:16:17] This is a substantial investment; it makes for a great tour. What is the justification that Accenture has made for that investment? What is the bet that you're placing, that spending this kind of money is going to pay off for you and your customers?

Ryan LaSalle: [00:17:31:13] I think there are three main things that we think are really important. First, when our clients come to a space like this, they can look out and see all of DC, and so it's not like they're in an innocuous conference room somewhere - the experience can really awe them. The whole space is designed around a design they can approach, that gets people out of their comfort zone, and thinking about their problems and how to solve them more creatively. We geared this space around that, and that does feel higher-touch.

Ryan LaSalle: [00:18:00:13] The second one that's really important is, security is a war for talent, and getting the best people means that you need to make sure that they have the tools and environment that they need to innovate, create, and contribute, and so we think that investing in our people, in a space like this, is important because it gives them a place to come every day, that they're excited to show up and do their best. And I think also, as we look around at how we're growing in this space, the neighborhood that we're in, again, is right in the hub of security innovation, and so the proximity to the ecosystem around us, is really, really important. EndGame's up the road, DARPA's up the road. They're all right around us, and that's really critical, to be in the hub of the contact of the ecosystem.

Dave Bittner: [00:18:45:06] That's Ryan LaSalle, from Accenture.

Dave Bittner: [00:18:52:07] And that's The CyberWire. Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor - we actually use their products to help protect our systems here at The CyberWire.

Dave Bittner: [00:19:11:18] And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at VMware.com.

Dave Bittner: [00:19:20:10] The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
ThreatConnect

With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs all thorough a single, robust platform. Start Using ThreatConnect Today for Free.

VMware
VMware

VMware is a global leader in cloud infrastructure and business mobility. Built on VMware's industry-leading virtualization technology, our solutions deliver a new model of IT that is fluid, instant and more secure. Learn more

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music Castbox
Follow the CyberWire