The CyberWire Daily Podcast 8.19.20
Ep 1155 | 8.19.20
Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now.
Transcript

Dave Bittner: Phone spear phishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog, a botnet, is cryptomining for now. Whoever's behind GoldenSpy is trying to cover their tracks. WastedLocker ransomware is successful without stealing data. The U.S. Senate Select Committee on Intelligence releases its final report on Russian interference with the 2016 election. Joe Carrigan looks at shady SIM cards. Our guest is Nathan Jones from WhiteCanyon Software on secure data destruction. And an AI company exposes millions of medical records.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 19, 2020. 

Dave Bittner: The phone-based phishing caper that enabled takeover of more than a hundred high-profile Twitter accounts is apparently serving as a template for other attacks. WIRED reports that a growing number of organizations are experiencing similar copycat approaches with varying but disturbing degrees of success. ZeroFOX sees the uptick in vishing attacks affecting not only corporations but social media influencers as well. Like the Twitter hack, these attacks seem to be launched by young, English-speaking troublemakers organizing on Discord and shady forums. But ZeroFOX says their techniques are so effective that organizations should prepare to see these tactics deployed by more sophisticated criminals and state-sponsored groups. Voice phishing, also called vishing, isn't new. But in the past, it's primarily been used against mobile carriers in SIM-swapping attacks. This recent wave of vishing attacks is more wide-ranging and often involves convincing a victim to enter their credentials on a spoofed login page. ZeroFOX recommends a mix of training, policy and technical defenses, quote, "training and education, monitoring and preemptive blocking of problem domains, SSO auditing and employing role-based access best practices for internal panels," end quote. 

Dave Bittner: Authorities in Taiwan have blamed two Chinese government hacking groups, Blacktech and Taidoor, for cyberattacks against at least 10 Taiwanese government agencies, Reuters reports. The Taiwan Investigation Bureau's Cyber Security Investigation Office said the actors had accessed around 6,000 government email accounts in campaigns that started as early as 2018. Reuters says the victims included at least four Taiwan tech companies that had been providing information services to the government. 

Dave Bittner: Guardicore has found a peer-to-peer Linux botnet FritzFrog, which it describes as sophisticated, fileless, evasive, proprietary and aggressive. It has attempted to brute force tens of millions of IP addresses using an extensive dictionary and has succeeded in breaching over 500 SSH servers, including those of known high-education institutions in the U.S. and Europe and a railway company. The FritzFrog malware operates completely in memory and doesn't attempt to survive reboots, but it leaves a public SSH key as a backdoor, enabling the attackers to return at their leisure. The malware could potentially be used to deliver a range of payloads but so far seems to have, for the most part, been engaged in cryptojacking systems to mine Monero. The botnet seems to be unique, which is why the researchers call its code proprietary, although it bears some minor similarities with another P2P botnet known as Rakos. 

Dave Bittner: Trustwave's SpiderLabs reports finding five versions of an uninstaller for the GoldenSpy backdoor, carried by tax software, whose use is required of companies doing business in China. The uninstaller was dropped by an update module to erase GoldenSpy before deleting itself. TrustWave believes the uninstallers were deployed by those behind the GoldenSpy backdoor to cover their traces. The actors issued modified versions of the uninstallers, which TrustWaves says, were specifically designed to evade our YARA rules we published. The researchers conclude that their findings, quote, "should serve as a wake-up call for organizations because it proves any actions, including implanting and extracting malware, can be taken covertly and at the will of the attacker with the help of the updater module without impacting the functionality of the Golden Tax software," end quote. 

Dave Bittner: Researchers at Menlo Security warn of an ongoing attack campaign dubbed Duri that's using HTML smuggling and JavaScript blobs - or binary large objects - to download malware onto devices. The malware itself isn't new, but it was previously delivered via Dropbox download links. The attackers have switched to other cloud hosting providers and added the HTML smuggling technique to evade detection. 

Dave Bittner: Securonix released a report on the WastedLocker ransomware attributed to the Evil Corp cybercriminal group. The researchers say the ransomware's operators have been effective at extracting multimillion-dollar ransoms in targeted attacks. The ransomware has hit more than 31 organizations, eight of which were Fortune 500 companies. The researchers also confirmed that WastedLocker's operators don't appear to exfiltrate data for the purpose of extortion, although they could easily add this capability in future attacks. 

Dave Bittner: The U.S. Senate Select Committee on Intelligence has released the final volume of its report on Russian interference with the 2016 election. It found that President Putin directed the campaign and set its goals - generally disruptive but specifically anti-Clinton - and that despite troubling behavior by sometime Trump conciliatory Paul Manafort, there was no collusion between the Trump campaign and Russian intelligence services and that the FBI made loose and careless use of the retrospectively implausible Steele dossier. Democrats emphasized Manafort's counterintelligence problems. Republicans point out that the FBI didn't exactly cover itself with glory in the investigation. 

Dave Bittner: Secure Thoughts reports that artificial intelligence company Cense.AI exposed 2.5 million medical records and PII, including names, insurance records, medical diagnosis notes and much more. The data were left in two folders stored at the same IP address as Cense's website. The information appears to be related to individuals who had been in car accidents and received neck or spinal injuries. The databases were secured on July 8 after Cense was notified by a security researcher, but the company hasn't yet commented on or disclosed the matter. 

Dave Bittner: And finally, The New York Times reports that President Trump said Monday, he would pardon a very, very important person on Tuesday. Who it was going to be, he refused to tell, but he did explicitly say that it wouldn't be Edward Snowden. It turns out it was Susan B. Anthony. Mr. Snowden and others will have to wait their turn. 

Dave Bittner: We routinely discuss the many ways organizations go to great lengths to protect their data, using everything from encryption to multiple off-site backups. But what if you need to destroy data, to delete it and make sure it's gone for good? For more on that, we turn to Nathan Jones from WhiteCanyon Software for his insights on secure data destruction. 

Nathan Jones: So if you go back into the '70s, '80s and '90s, almost every use case was for physical destruction. Whenever you're getting rid of your old laptops, desktop servers, you would just physically destroy those drives. And we found that that was being, obviously, quite wasteful and unnecessary in a lot of cases. So this - it really came about because we were looking for a better solution than just destroying everything and everything ending up in a landfill. 

Dave Bittner: So take us through some of the reasons why securely wiping a drive is better than physically destroying it. 

Nathan Jones: It has a lot to do with the audit report that's generated as part of the process. So a lot of what you're having to do is to prove that the data is secure. And part of what the software does is it creates an audit report that says this drive with this unique identifier was wiped at this spec. It started at this time and ended at this time, and then it was performed by this technician. It was done in this location. So that report gives you the context of everything that was done at that drive, when, where, how - all the important information about that. And that's required for meeting standards like HIPAA and NATO and GDPR, where you're trying to meet the requirements that are on you from a regulatory standpoint. So that report is actually quite impossible to do with a physical destruction. So part of the erasure solution is that we're doing this via a secure application, where we're going through and we're capturing all this information. We're encrypting the audit report, so it's impossible to spoof these reports. So just from a compliance standpoint, it's a far superior solution. 

Dave Bittner: But what about just the notion of not having so much waste end up in the landfills? 

Nathan Jones: Absolutely, and that's an - but you've got to make sure you've checked the boxes on the security side and on the compliance side. But then that's the most compelling reason after the security side, is that these devices that are - have been working in a data center for a couple of years, they could have a second and a third life. And realistically, a lot of these drives, you know, 90% of them - plus - are still in great shape. They don't have any remapped sectors, you know? That they still have 90% of their life left. So these drives that are coming from these giant data centers could then have a second life in more of a midrange system, where these companies aren't quite - aren't wanting to pay top dollar for the top-of-line equipment, but these could be repurposed or reused. And when we're talking about laptops and desktops, hey, they could be going into schools or libraries. 

Dave Bittner: That's Nathan Jones from WhiteCanyon Software. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting article from VICE, another one from Joseph Cox. This one is titled "The Secret SIMs Used by Criminals to Spoof Any Number." What's going on here. Joe? 

Joe Carrigan: So there are these providers of SIMs out there, SIM being the network card that you put into your phone. And these are being called Russian SIMs or encrypted SIMs or white SIMs. And some of the features of this SIM allow you to change the phone number that you're calling from. So when you make a call, you have - caller ID information gets sent along. And it looks like that information can be changed on these SIMs so that when you make the call it, you're essentially spoofing a different call - a phone number you're calling from. 

Dave Bittner: And so the way these SIMs are working is that the providers are basically buying up access in bulk to other people's networks? 

Joe Carrigan: Right, that's how this - a lot of these SIMS work, like Google Fi works this way as well. And the article says these are called mobile virtual network operator. They have a really great acronym here, the MVNO. All these cellphone terms get - boggle my mind, Dave. 

Dave Bittner: (Laughter). 

Joe Carrigan: But essentially, what it is, is you're piggybacking off the existing infrastructure of another provider like T-Mobile or AT&T or Verizon and you're striking agreement with them. And there are a lot of different companies that do this, and they all do them - like, I think TracFone does this as well. In fact, I know TracFone does this, and ADMET Mobile does this. A lot of prepaid companies do this. And they make money by selling - essentially, reselling the existing network's phone services for a premium. You know, if it's a prepaid card, it's something that you're - you know, maybe you can't go out and get a regular phone contract so you have to get a prepaid phone. There's a cost associated with that as well. Google Fi, actually, is fairly inexpensive. You can get that service starting at around 20 bucks a month, plus they charge you for data. But if you don't use data, you can get pretty good phone service for around 20 bucks a month. But what these people are claiming is that their system is built on top of these other systems, but it's more secure and the information is encrypted, and they let you spoof phone numbers. And they also - the SIMs also have the capability of augmenting your voice, so you can disguise your voice, which... 

Dave Bittner: Yeah, that's interesting to me. I would not have guessed that that capability was built possible within the... 

Joe Carrigan: Built into a SIM. 

Dave Bittner: Built into a SIM. 

Joe Carrigan: Right, yeah. 

Dave Bittner: So I don't - I'm not sure what's behind that, but that's an interesting tidbit for sure. 

Joe Carrigan: It is. 

Dave Bittner: I guess the point here is - or the danger is that, for example, if I buy one of these and I spoof my phone number as being from, say, a bank... 

Joe Carrigan: Right. 

Dave Bittner: ...A local bank or... 

Joe Carrigan: Exactly. 

Dave Bittner: ...Any major service provider. So if I called you up and you looked at your phone and it said, oh, it's my - M&T Bank is calling me or Verizon's calling me... 

Joe Carrigan: Right. 

Dave Bittner: ...That's a great first step into some sort of social engineering issue. 

Joe Carrigan: Absolutely. It's a great way to break that first barrier of getting the phone call answered, right? What's interesting is that at least in the U.S., this kind of works when people spoof phone numbers. The caller ID system looks up the phone number and then displays the actual company that is calling you, right? 

Dave Bittner: Right. 

Joe Carrigan: So we hear about this, and we talk about this over at "Hacking Humans." Somebody is calling, purporting to be from, like, Verizon. I think you even had this happen with your father, right? Somebody was spoofing Verizon's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Phone number, and it came up as they were Verizon... 

Dave Bittner: Right. 

Joe Carrigan: ...On the phone call. So just spoofing the number is enough to fool the caller ID system. There's probably some technical solution there that need to be implemented, right (laughter)? 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: That's got to be verified. So, yeah, it's a great way to, like I said, break that first barrier of getting the phone call answered. These things are not cheap. This VICE article has a picture of costs in here. To get a prepaid card that works worldwide for one week, functions for one week, $150. But if you want one that works for six months, that's only $250. But even that's kind of expensive, I think. But - and towards the end of the article, they talk about how these things are being used to evade law enforcement, but they're not entirely effective. You know, you still have to connect to a network, and you still have to make phone calls. And you still might be connecting to a stingray device, even though you might not be making your call over that device. It says you may actually give away your location on it. 

Dave Bittner: Right. 

Joe Carrigan: They quote somebody in here who says you cannot be invisible on the mobile network. That's just not possible. And they also make a point that it's really hard to protect yourself against a government that's very upset with you, is the way they put it in here. 

Dave Bittner: Yeah. Well - and it seems like, I guess, that one of the attractive things to folks who may not be up to good things is the sort of don't ask, don't tell kind of way that they're selling these. 

Joe Carrigan: Right. 

Dave Bittner: They don't really require any information from you. You can buy one of these pretty much anonymously, plug it into your phone and you're in business. 

Joe Carrigan: Right, exactly. And that's one of the things that these - all these websites are saying, is that, you know, just send us a bitcoin, we'll send you the device. In fact, in this article, they sent a hundred dollars in bitcoin to somebody, and they got that SIM card the next day. 

Dave Bittner: Now, that's service. 

Joe Carrigan: Yeah, that's service, exactly. 

Dave Bittner: (Laughter) Right, right. All right. Well, again, it's over on Motherboard, written by Joseph Cox. The title is "The Secret SIMs Used by Criminals to Spoof Any Number." Joe Carrigan, thanks for joining us. 

Joe Carrigan: Yeah, it's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.