Dark Caracal APT steals out of Lebanon — Research Saturday

Researchers from Lookout and the EFF have discovered an APT group operating out of Lebanon they've named Dark Caracal. The group is running a global espionage campaign, targeting journalists, military personnel, activists, lawyers, medical professionals and educational institutions. 

Mike Murray is VP of Security Intelligence at Lookout, and he's our guide through their research.


Dave Bittner: [00:00:02] Hello everyone and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor the Hewlett Foundation Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at hewlett.org/cyber.

Mike Murray: [00:01:02] Two years ago the Electronic Frontier Foundation presented at Black Hat, about an operation that they called Operation Manul.

Dave Bittner: [00:01:09] That's Mike Murray. He's the V.P. of security intelligence at Lookout. Today he's discussing research from Lookout and the EFF about the recent discovery of Dark Caracal, a mobile advanced persistent threat actor conducting a global espionage campaign.

Mike Murray: [00:01:25] Operation Manul at the time was believed to be the Kazakhstan government, and we still believe it was the Kazakhstan government. But at that time it was the Kazakhstan government working with a lower-end cyber security actor. And so, one of our leaders on my team was reading the report, and the report mentioned that they believed that there was an Android component, a mobile malware component, to the attacks, but that they didn't have any evidence of it. And Lookout has a huge data set around what is mobile. We have over 50 million apps in our app database. So he looked at it and thought, well if anyone's going to find the Android component, it's us. And he went looking and found it. And what we originally started out with, was a blog entry that simply just stated, hey we went and found the mobile component of this, here's the mobile component and we reached out to EFF and we all agreed that we would work together to put out a couple of blog entries and just say hey look we found this. And as we started to investigate, things stopped making sense. So, you know you had this report that was all about Kazakhstan and about this actor in India that was doing this work. And the information that we started to see started to be inconsistent with the narrative that we thought we were looking at. We were in some ways very lucky because the attacker had made some errors that left some significant parts of their infrastructure with information public that they probably didn't want to see, or didn't want us to see.

Mike Murray: [00:03:04] We found, for example, they had left the logs of everyone who was connecting to the server, and connecting to the system, either compromised people, you know, people's devices who were uploading data to the server, as well as the administrative logins, who was actually looking into the system, and we started to look at it, and it had nothing to do with Kazakhstan. And so we started to pull on the threads as one does in an investigation, and more and more it started to point to a much more globally active actor, and an actor who was doing very nation state level things across a much wider swath than just what had originally been reported.

Mike Murray: [00:03:48] And at a point in the investigation, we got a lead on an e-mail address that was used in many other campaigns. The e-mail address is referred to in our report and we shorthand the e-mail address to OP13, but it turned out that people had been seeing OP13 over the years, many many years. It had been attributed to potentially looking like the Russians, it had been attributed to various other actors. We started to really pull on the threads to figure out what was behind this. And eventually realized that all of the connections from the server, and all of the information, and ultimately we were lucky again that some of the data on the server appeared to be the attackers testing their own software. And when they were testing it, it very clearly went back to this one building in Beirut. And so suddenly, nobody ever thought of Beirut and Lebanon as having any sort of cyber capability. So that was a huge surprise and we obviously chased it down further and eventually wrote this massive report, sort of detailing all of the activity that they were doing globally. And what we were seeing, and what information was available on the infrastructure that we had access to, and information about infrastructure that we didn't have access to or we knew about, and really just put all the pieces together, but it took many many months.

Mike Murray: [00:05:21] This happened. The original activity of going and finding the pieces of Android malware that the EFF had alluded to, happened in May. And obviously you didn't see our report until February, where there were a lot of pieces to this.

Dave Bittner: [00:05:39] Well let's pull some more of those threads. I mean take us through it. You get the revelation that things are happening in Beirut. And you I suppose want to sort of nail down that piece of information, verify, make sure that what you suspect is actually so. Take it from there, what happens next?

Mike Murray: [00:05:58] I'll take it from the inside for a second. First of all, a lot of conversations about, really, Beirut, Lebanon? That can't be possible. So, because of our own doubt, because we all really had a whole lot of doubt about this, we spent a lot of time fact checking and trying to understand what we were seeing. And even to the point that we were lucky that some people that were related to us had been visiting Beirut and we actually had them check out certain wireless networks.

Mike Murray: [00:06:34] And so actually let me back up for a second.

Dave Bittner: [00:06:38] Yeah.

Mike Murray: [00:06:38] One of the big keys to understanding what the building was, was in those test devices. What we believed to be test devices. And the way we figured out that they were test devices is, for example, imagine you know you're a malware author testing your malware. You're not going to test it on your own phone, you're going to test it on some burner phone that has three contacts and four fake e-mails in it. And you see if you can steal that. Well, that doesn't look like anyone's real phone. Right and we found a bunch of things that looked like that, and all of these phones were connected to this one wireless network.

Mike Murray: [00:07:11] And so we started out by doing open source intelligence on the various, there are various sites that you can say, you know show me the places that this wireless network exists in the world. And we have screenshots of that in the report, where the open source intelligence says this wireless network is, and then like I said, there was, we lucked out in that some people were sort of transiting the country that were friends of ours, and said, "hey, can you just walk by this and see if there's, see if you see this wireless network for real?" And obviously the wireless network was there, and it turned out that there was no way that that wireless network was not in this one building. And the building literally says on the top of the building that it belongs to a Lebanese General Security Directorate. Basically, the GDGS is the acronym. I don't remember what it exactly stands for, but it is basically the Lebanese version of sort of, in U.S. terms it would be like the FBI, the CIA, and customs all in one building. These guys do Border Patrol and all these other things.

Mike Murray: [00:08:18] Now, we never, we cannot attribute. And we were very careful in our attribution, because we don't know who inside that building was doing this. This might be freelancers who just happen to work for the government. They might have leased office space. We don't know exactly who the people are. And so, we're being very careful in what we say because we can't prove it was actually the Lebanese government. We're 100 percent sure that the people who are doing this were in that building. So, you know, draw further conclusions as you will.

Dave Bittner: [00:08:50] So, I mean take from there, you determine that that's where things are going on, and you're taking a closer look at this, so what exactly does this software set out to do?

Mike Murray: [00:09:02] The software sets out to steal people's information. And so let me back up for a second, just on a more philosophical point. Five years ago, you would have seen groups like this dabble in cyber espionage because breaking into a bunch of people's desktops you can steal information, but it's not really a great espionage tool. If I want to chase bad guys, say I want to do, I'm going to pick the nice case, I'm going to pick the case that everybody's happy with. Say I want to do counterterrorism right, and I want to track down terrorists. Breaking into their laptops, it tells me a little bit about their operations, and I probably can read their e-mail, etc., etc.

Mike Murray: [00:09:42] Breaking into their phones, when the phone has an extremely accurate camera, an extremely accurate microphone, a GPS that can geolocate you anywhere in the world. Breaking into phones gives you such a rich picture of people's lives, that seeing these folks break into thousands of phones globally, and steal information you know sort of indiscriminately. And I have to say we don't know what they did with that information. You know, that's far outside my, or any of my team's pay grade. Our job is to figure out, you know, that the attackers are doing it, and work to protect the industry, and protect our customers, and protect the people around us, from this kind of malicious behavior.

Mike Murray: [00:10:27] But seeing that kind of widespread espionage activity, where you have information about exactly where your targets are at any given time, you know the nation states have largely moved to this capability. I don't know of any major nation state at this point who doesn't have a capability for this purpose, right? If I'm, if I am any sort of well-meaning government, if I want to track down drug traffickers or terrorists etc., this capability is fantastic as long as it's used appropriately.

Mike Murray: [00:11:03] Now of course, what we also see is it being used illicitly. I'm sure that some of the people who were attacked by this were used in appropriate ways. But we've seen around the world, and not specifically in Dark Caracal, because we didn't dig too deeply into who the victims were. Again, beyond our pay grade, and frankly there was just so much information, it was really hard to do. We had over half a million text messages. It's just really hard to have, you know, to have people on my team sit and try and read through a half million text messages, especially given the region of the world, how many of them were in Arabic, or you know other languages, or even dialects of Arabic, that the people don't understand over here, right?

Mike Murray: [00:11:48] We weren't going to analyze who the targets were, but the point being these targets were compromised in a level that they could be followed around, their, you know, their phone calls could be recorded and were recorded. You know all of their personal information was stolen, their pictures were stolen, like this is an incredibly deep compromise of these people's lives. And because of that, you start to see a real shift. Where five years ago, if you were going to have this capability, you had to be a top level of nation state. Now you see even the minor nation states moving towards this capability, because it's so valuable to you from an espionage perspective.

Dave Bittner: [00:12:30] Now are they getting these components off-the-shelf, or are they custom developing? What's the spread? Your analysis of the software, what are you seeing here? 

Mike Murray: [00:12:41] A little of both. So what we really saw was a lot of these tools are variants of things that have been out in the world, malware on the desktop for example. One of the pieces of malware that they seem to use a lot is known as Bandook. Bandook's been available on the black market for a long time. What was particularly interesting about what we saw with their use of Bandook, was the version of Bandook that they had, didn't correspond to the version that's available publicly. They had the super-premium-upgrade, so to speak, with functionality that didn't exist in the one that you could go buy on the dark web.

Mike Murray: [00:13:21] The Android malware however seems to be largely custom-developed. We hadn't seen it before in that exact form. I think there's no malware author in the world that doesn't, or no software developer in the world that doesn't borrow code from places, right?

Dave Bittner: [00:13:37] Sure.

Mike Murray: [00:13:38] I've never met a software developer who didn't go to Stack Overflow at some point and cut and paste a piece of code.

Dave Bittner: [00:13:44] Yeah.

Mike Murray: [00:13:44] So that stuff exists. And so, you know, not exactly off-the-shelf, but traditionally sort of the way that everybody else does it. But that malware was relatively unique, as was the other piece of, what we believed to be in early development malware that we called CrossRAT. It appears to be almost, in fact the version number on the first version of CrossRAT that we got was 0.1. We saw that as sort of next generation capabilities that they're just evolving into. It looks like they're trying to get away from the traditional Bandook malware because so many vendors know what it is.

Dave Bittner: [00:14:19] Yeah, before we dig into some of the details of CrossRAT, can you give us an idea of the breadth of operating systems that they're able to hit?

Mike Murray: [00:14:28] Yeah, so we saw pretty much everything on the desktop, so Windows, Linux, Mac OS. We also saw Android. Now what's interesting, people always ask me, well, what about iOS? And I think iOS is largely an issue of demographics.

Mike Murray: [00:14:45] And so, if you think about the region of the world they're operating in, what many of their targets would be, Lebanon. You know for internal purposes as well as neighboring Syria, Iraq, etc., those aren't places where people are buying a thousand dollar iPhone X very often, right? And so if I'm an attacker, I always explain attackers to people in terms of security software, in terms of just normal software business. If you're a software developer and you know 95% of your customers are running Android, why would you spend all the time to build an iOS version? And so, I think if you were to see that region become extremely, you know, heavy in iOS, you'd see them evolve an iOS capability. But what we saw was so prolific, you know if you're getting all the information on most of your targets, why would you invest in building another version?

Dave Bittner: [00:15:41] Take me through the timeline here, because one of the things that struck me about your research is how far back this campaign goes.

Mike Murray: [00:15:48] Absolutely. And this is why, this is actually why we named it Caracal. The EFF folks love cats and so do we. So like Manul is a version, is a type of cat, the Caracal is also a type of cat, but one of the things when we were looking into names was that the Caracal, it's a cat that has often been seen and been mistaken for other types of cats. And that's what we saw here, is that these folks have been active for quite a long time.

Mike Murray: [00:16:20] The infrastructure has been up for many years. There have been attacks reported against that infrastructure for many years. Even the Manul was two years ago, right? And even with that Manul work, where it was attributed to somebody else, we saw that people knew that this was happening but they didn't understand the context of what they were looking at.

Mike Murray: [00:16:43] And that was to me, the most fascinating thing, is you could have an attacker that's this prolific. You know, doing politically motivated work, attacking targets globally. You know, whether for Kazakhstan or for their own purposes, or for you know, for other targets. And these attacks are happening for years and years, and even the best minds in security are looking at it and thinking it's something else. It was very much a hiding in plain sight strategy and I think part of that, we even fell victim to this in our discussions. The idea that it could be coming out of Lebanon was sort of an easy thing to write off. You know, if I asked you about cyber powers, like two months ago, Lebanon would be a long way down your list of people. Even if I said it's a Middle Eastern actor, you would probably say Israel, Iran, Saudi Arabia, you know, you'd go down a long way on that list before you got to Lebanon.

Dave Bittner: [00:17:43] Well, but to, I mean, that point, do you think that this indicates that Lebanon upped their game? And or, does it mean that there's more activity going on from some of these, what we would previously have described as lesser actors? Do you follow my line of questioning there?

Mike Murray: [00:18:02] Completely, and actually that to me, so when people ask me what the real interesting point to this is, and there's so many little angles to this story, but for me especially when I talk to our enterprise customers, when I talk to, you know, CISOs at big banks, or you know anybody who's working globally, the most interesting thing to me is that it's no longer a game where APT only comes from China and North Korea, the Five Eyes, and Russia. APT is becoming the provenance, because just like the Internet has made, has democratized so many other things, right? You know, I remember, I'm old enough to remember 20 years ago when building a website required a special set of skills. Now it requires I pop up WordPress or I go to Squarespace, and suddenly I have a website in ten minutes. The same thing's happening for the bad guys. Same thing's happening in the cyber attacker world.

Mike Murray: [00:19:03] Ten years ago to have this kind of capability you had to put in, you know, millions, tens of millions, hundreds of millions of dollars like those large countries. Now, you can do it with a handful of computer science grads and a lot of cutting and pasting off of Stack Overflow, and you know, pulling in open source tools. What this really says is the landscape of attackers who can perform this level of espionage is in the middle of exploding, and especially because mobile is so useful. You know, if you think about the mobile platform as, like if I really wanted to compromise your life and follow you around, there's no better way than to track your cell phone.

Dave Bittner: [00:19:44] Sure.

Mike Murray: [00:19:44] I can literally listen to you at all times. I can, you probably, like you go into every meeting, you might close your laptop at a meeting, but you very rarely turn your cell phone off in a meeting. You know so, the opportunity for these nation states who want to use this capability is expanding, at the same time that it's becoming easier and more scalable to implement.

Dave Bittner: [00:20:05] Now take us through the patterns of attacks here. How do people get infected and how targeted were the attacks?

Mike Murray: [00:20:12] Incredibly. So, the way that, I mean, across the board, the mobile kill chain, whereas on the traditional desktop, there's a million ways to get infected, right? You could go to the wrong website, you get phished, you know, someone attacks you directly, whether attacking your website etc. The mobile kill chain almost always looks the same, in that it starts with some sort of phishing message. We've seen a proliferation of text and other messaging-based phishing that leads the victim to click on a link, or go to a site which does one of two things. Just asks them to install an app, which is what Dark Caracal did. They literally had a page that was called Secure Android and had trojaned versions of all the communications apps you could think of. And so, you would get a message from me generally through Facebook. These guys use Facebook a lot. Generally through Facebook, you'd get a message from me that said "hey I just got an update to my WhatsApp that has extra security in it. Go to this site, grab it, and then we can talk." Extra secure, right? We can talk more securely. Of course, you would download that app, install it on your device and then I would have complete control of your device while you talk to me on WhatsApp.

Dave Bittner: [00:21:29] But to me, it still functions as WhatsApp, it's just been trojanized.

Mike Murray: [00:21:34] You bet it does, yeah. It's WhatsApp with a little bit of extra, and the extra is what you really don't want.

Dave Bittner: [00:21:41] Right.

Mike Murray: [00:21:41] So what's interesting is, it wasn't technically sophisticated. It relied on just simply people trusting the people that are sending the messages and falling for it, the way that so many other phishing type attacks work.

Dave Bittner: [00:21:55] But again, in terms of them targeting people, does it seem like, were they taking more of a shotgun approach, or did they know who they wanted?

Mike Murray: [00:22:03] So we're not sure and that's the hardest thing. Like I've said it to many people, understanding that kind of stuff is really above our pay grade. And obviously, we share information with the appropriate authorities in various countries to make sure that people were remediating and people were being protected.

Mike Murray: [00:22:24] But ultimately, I try to, we try and keep out of the attribution game. My team, and pretty much any security research team, is not tooled to understand the nuances of who everyone in Lebanon is, and whether they're politically relevant, and why they were targeted. That's really a job for law enforcement agencies and the like. And so, we try to stay away. We certainly saw what appeared to be patterns in the data, but again didn't dig in because our focus was really on what does the software do, how is it getting on devices, and how can we stop that, and how can we inform the rest of the community on how to stop that as well. You know, that to me is our primary mission. There are people in the world whose job is attribution, and they're way better at it than we will ever be. I see a lot of security firms try and get into attribution, so often it's wrong.

Dave Bittner: [00:23:23] So let's talk about prevention and mitigation. If someone found themselves infected by this, would antivirus discover it?

Mike Murray: [00:23:35] Absolutely. So especially now, right? It wouldn't have, most products wouldn't have when it first came out, obviously, because they didn't know it existed. But these days, since we released the report, we believe that pretty much, you know, whether the CrossRAT or Bandook samples, or the Pallas samples, which is the mobile malware, you know, our customers have been protected against that for many many months.

Mike Murray: [00:23:59] The interesting thing is, you have to be in a place and a mindset where you know to install that software. And I think a lot of the times, targets of this kind of stuff, especially you know, dissidents, reporters, you know, political figures, etc., they're not generally the most tech-savvy people. So, making sure that they have the right controls on their devices is really, it's really paramount, but it's a message that we all have to get out.

Dave Bittner: [00:24:27] Is there a false sense of security on the mobile side?

Mike Murray: [00:24:30] Oh yeah, is there ever. We've all fallen into the belief. I think it's two pieces. First, we've fallen into the belief that because it's Apple and Google and there's such huge companies, that they'll protect us. Now I'm old enough to remember a time when people believed the same thing about Microsoft in the 90s, right?

Dave Bittner: [00:24:50] Oh come on Mike, nobody ever believed that about Microsoft. (laughter)

Mike Murray: [00:24:56] Oh, oh, no. Absolutely not. (laughter) When NT4 came out, people said "oh this is the most secure operating system we can run our business on."

Dave Bittner: [00:25:04] Right, right.

Mike Murray: [00:25:05] In you know, in say 1997, it was that belief.

Dave Bittner: [00:25:09] No, you're absolutely right. You're absolutely right, I'm being, I'm kidding, but you are absolutely correct.

Mike Murray: [00:25:15] Man we got disabused of that notion fast, didn't we?

Dave Bittner: [00:25:17] We did.

Mike Murray: [00:25:18] But what's amazing is, we all believe the same thing about Apple, and especially Apple. Apple's done a really great job of making people believe this, but also Android. And so there's that part, I think there's another part to it. I think so many of us established our relationship with the technology that is a cell phone, when it was basically like, depending on how old you are, it was a brick you had to carry around, or it was like a Motorola Razr flip phone. And the idea that that could be compromised, to compromise your life was kind of, it was so far out there that nobody believed it.

Mike Murray: [00:25:51] And I think a lot of people still believe that their mobile device is simply nothing more than a thing that they get phone calls on, and take text messages on. And yet, the mobile device has now taken a central role in our digital world even up to and including that for almost everybody I know, the two-factor token for all of their enterprise access is now on that device. And so, we've put ourselves in this world where we think of it as a Motorola Razr flip phone, but it literally has the keys to everything, and has the computing power of a Cray-3 supercomputer. And, I actually, that's actually a specific benchmark. The iPhone 7 is actually the equivalent of the Cray-3 supercomputer.

Dave Bittner: [00:26:31] Wow.

Mike Murray: [00:26:31] In terms of processing power and memory access. Whenever I tell somebody that, they're shocked by it. Which you really shouldn't be. And then the idea that you would take that level of computing power. If I told you I was going to give you a supercomputer, but I was never going to secure it. I wasn't going to do anything to secure it. You'd be like "you're insane." And yet, almost everybody I know does that with their phones.

Dave Bittner: [00:26:54] I think you're right. I think for most people it doesn't even strike them that, I think particularly on the iOS side, to even think to install any sort of additional protection, because there is the sense that the walled garden of the app store is going to protect you.

Mike Murray: [00:27:09] Right. And it doesn't work like that. You know, there has never been a computer system that didn't have vulnerabilities that could be exploited. And especially now. Especially because of the value to the, like to the high-end attacker, of compromising that platform, that it's so valuable to the attacker that you have to realize that if there's vulnerabilities there are people exploiting them and they're exploiting them for gain. And we just have to get our heads around that this thing that we carry around with us, isn't a phone. It's a very powerful computer that almost everybody I know spends a lot of time basically connecting that to every part of their life. Their social media, their personal e-mail, their work e-mail, two-factor tokens, you know all of your contacts and calendar. Like I can, if I have access to your phone, I can tell you everything about you. And that asset needs to be protected. And yet, we treat it like it's not that kind of asset. And it's it's mind blowing to me.

Dave Bittner: [00:28:09] You know as an aside, it reminds me of a tweet I saw a couple months ago, where some, it was a longtime Apple employee, you know one of the old timers, and he said that, you know, this new iMac Pro that I just bought, he said has 11 times more RAM in it than the Apple II. And he said, and by Apple II, I mean all 6.5 million Apple IIs that were ever sold combined, right? (laughter)

Mike Murray: [00:28:34] Yes, exactly. (laughter)

Dave Bittner: [00:28:35] On this one machine, you know. And so I think you're absolutely right that, for those of us who've been around for a while, the scale of how things have changed, how things have developed, I think it's beyond our capability to really imagine.

Mike Murray: [00:28:54] You bet. And you know what? You know what the worst part about what you just said is? Is the people who have been around for that long. We, you know, I remember 15 years ago, when I was a young whippersnapper, 20 years ago I guess. And when the senior executives wouldn't understand something like e-mail, and we would go "Wow, that, I don't get it, how do you, why do you still have your e-mail printed out for you? That's insane." We've now become, all of us who are now C-level executives, and the people in charge, are making the same mistakes about the mobile platform that we used to deride senior executives for making about websites. And it's you know it's literally just the human condition that, as we grow we rely on our knowledge from previous eras. And if the previous era changes, we have to be really conscious about thinking about it. I love doing the Cray-3 supercomputer in a roomful of C-level security executives, because you literally can watch, it's fun to watch it from a stage because the lights come on, and people are like "Oh my goodness".

Dave Bittner: [00:29:59] Right.

Mike Murray: [00:30:00] I haven't. So we've taken within Lookout to calling it the forgotten platform, right? These people, you know us, me included. I'm old enough to make the same mistake. That these people are spending hundreds of millions of dollars protecting their Windows desktops and zero dollars protecting their mobile devices. And yet, one of my favorite stats is, we've started investigating this with our customers, oh for most enterprise customers, if they do a survey of what platform are people logging into Active Directory for, there's, I have yet to find an organization in the last three years that is not more than 50% mobile devices, and in some cases it's 80% mobile devices. Imagine if you had 80% of the devices in your network you have no visibility into, how do you protect that environment? Right? But because we're still thinking about it the old way, we're blind to it in the same way that C-level executives in the 90s didn't understand how the Web worked.

Dave Bittner: [00:31:02] So let's bring it home, in terms of recommendations, you know, of your average person, your enterprise security professional. How worried should they be about this and what steps should they be taking to make sure that they're not hit with it?

Mike Murray: [00:31:18] How worried should they be about it, kind of depends. How worried should they be about it today? Well, if I am, I'm going to pick on some names. These are not Lookout customers, I'm not talking out of school, but if I have a real nation state attack problem, right, if I'm anybody who is worried about APT in the last five years, defense contractors, you know, financials around the world, any multinational. They should be terrified. Because those, the nation state level attackers, the real serious what we would call APT, have already figured out that (a) this device is so useful, right? But in terms of getting access to corporate resources because of the two-factor tokens, but also getting access just to the lives of your targets. And, you know, combined with, if I'm attacking your PC environment, I've got to get by firewalls and antivirus, and all of this stuff. If I'm attacking your mobile device, you probably have nothing on that device that tells you that you've been compromised. So, I'm blind, not only am I blind but it's the most valuable thing I can attack.

Mike Murray: [00:32:26] If I were the CSO of one of those companies, I'd be freaking out. This would be the first thing I'd worry about. If I am a Midwestern credit union, and I'm picking on just some random thing that doesn't have a nation state attacker level problem, what I'm thinking about is that, in the history of security, all exploits commoditize. What is nation state-only today, three years from now is going to be a Metasploit module that anyone can use. And so my thought would be, okay, maybe I don't have to worry about this in February of 2018 or March of 2018. I probably have to worry about it in February or March of 2019, and I certainly have to worry about it in February or March of 2020. And so I'd better start planning. Now, if I'm just the average user, then all of the old rules that we had for PCs apply.

Mike Murray: [00:33:18] Don't click on links from people you don't know, don't install things that people ask you to install, either over the Internet or just through an email. Like, the security awareness stuff applies, but what we found is really interesting: all of those rules that we had for doing security awareness well on the desktop. Every single person has been taught in their corporate security awareness training, when you get an email that looks suspicious, hover over a link to see that it's going to where it says it's going to.

Dave Bittner: [00:33:46] Sure.

Mike Murray: [00:33:47] Guess what? You can't do that on a mobile platform. Yeah, that doesn't work. So we've taught our users all this stuff about how to protect themselves, and most of it's not applicable to the mobile platform. And what we're seeing is significantly higher rates of bad behavior on the mobile platform. If I send a phishing e-mail to an organization and I get a 10% response, I'm gonna get a 25% response on the mobile device. Because all the things we've taught the users, first of all, all the things we are taught don't work. But second, the users are thinking, "well, it's my phone, it's, you know, it's not really a computer, it doesn't have access to anything," without thinking. Back to that same thing, I'm still thinking of it as a phone, not as a super powerful computer that has access to everything.

Mike Murray: [00:34:31] You know, I'm not the one to, you know, preach the sky is falling, even though I obviously believe that there's some urgency here, but I think you have to really think about what your risk is. Because right now, let me back up for a half-second and flip this over. When we saw PC malware evolve, right, starting in the 90s, what we saw was the evolution went from small minor annoyance, you know, in 1998, the ILOVEYOU virus, to massive annoyance, SQL Slammer, Blaster, etc., to nation states later. The mobile ecosystem is going backwards. Right? You're going nation states and highly resourced attackers first, and then it trickles down to the cyber criminals. So if I'm looking at 2020, 2021, 2022, that's when I think we're going to see the mobile platform become a real target for everyone.

Mike Murray: [00:35:23] And it's my goal in life to get to 2021 and 2022 and not have every Android and iOS device, whether car, light switch, etc., compromised. I don't want all of those things compromised by ransomware five years from now. I think it's important to just realize the scope of the problem and assess for yourself where you are in that spectrum of how fast you need to respond to it.

Dave Bittner: [00:35:51] Our thanks to Mike Murray for joining us. You can find the complete report about Dark Caracal on the Lookout website. It's in the blog section.

Dave Bittner: [00:36:00] Thanks to the Hewlett Foundation Cyber Initiative for sponsoring our show. You can learn more about them at hewlett.org/cyber.

Dave Bittner: [00:36:08] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. It's produced by Pratt Street Media, the coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Copyright © 2018 Pratt Street Media and the CyberWire. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
