The CyberWire Daily Podcast 9.30.21
Ep 1429 | 9.30.21

GriftHorse’s premium service scams. Facebook open sources a static analysis tool. Update on the Group-IB affair. What the Familiar Four are up to. Counting ransomware strains.


Dave Bittner: GriftHorse will subscribe afflicted Android users to premium services they never knew they'd signed up for. Facebook releases a static analysis tool. Speculation about what put Group-IB's CEO in hot water with the Kremlin. A look from NSA about where the major nation-state cyberthreats currently stand. Malek Ben Salem from Accenture has thoughts on quantum security. Our guest is author and WIRED editor at large Steven Levy, who joins us with insights on Facebook's internal research teams. And a short census of ransomware strains.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 30, 2021. 

Dave Bittner: Security firm Zimperium late yesterday described the activities of a massive Android scam campaign they're calling GriftHorse. Around 10 million devices worldwide have been affected, and losses could amount to hundreds of millions of euros. It's a premium service scam in which the crooks use malicious apps and not the customary phishing to enroll users in paid services they don't want. The name GriftHorse presumably comes from gift horse, like the one you proverbially shouldn't look in the mouth. And that might as well be the favorite proverb of social engineers everywhere. 

Dave Bittner: At any rate, Zimperium's description of GriftHorse is instructive. The bait, as is so often the case, is the proffer of a free prize, one you need only claim for it to be yours. The crooks work to lull users into gullibility and complacent acceptance. Zimperium says, quote, "Overall, GriftHorse Android Trojan takes advantage of small screens, local trust and misinformation to trick users into downloading and installing these Android Trojans, as well frustration or curiosity when accepting the fake free prize spammed into their notification screens," end quote. In all honesty, it's the sort of thing many would fall for. Zimperium says the campaign has targeted millions of users from over 70 countries by serving selective malicious pages to users based on the geolocation of their IP address with the local language. This social engineering trick is exceptionally successful, considering users might feel more comfortable sharing information to a website in their local language. 

Dave Bittner: The infection - note - is the Android malware that serves the victim the pop-ups. Upon infection, the report says, the victim is bombarded with alerts on the screen letting them know they'd won a prize and needed to claim it immediately. These pop-ups reappear no less than five times per hour until the application-user successfully attempts the offer. Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific web page where they're asked to submit their phone numbers for verification. But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over 30 euros per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one's money back. 

Dave Bittner: The proprietors of GriftHorse have avoided hard-coding URLs or reusing the same domains, both of which have made their malware relatively difficult to detect. They target different geographical regions differently and, quote, "this check on the server side evades dynamic analysis checking for network communication and behaviors," end quote. Zimperium warned Google about the malicious apps before the researchers went public with their findings, and Google has ejected the bad apps from the Play Store. That's a good thing, but it's far from representing a permanent removal of GriftHorse. As WIRED quotes Zimperium's CEO Shridhar Mittal, quote, "These attackers are organized and professional. They set this up as a business, and they're not just going to move on. I'm certain this was not a one-time thing," end quote.

Dave Bittner: Facebook has open-sourced its Mariana Trench static analysis tool used within the company to find security flaws in Java and Android applications. BleepingComputer notes that this is the third security-focused static analysis kit Facebook has released. 

Dave Bittner: TASS has been authorized to disclose a bit more about the treason charges Russian authorities have brought against Group-IB's CEO Ilya Sachkov this week. A source tells the outlet that, quote, "the investigation suspects Sachkov of handing over classified information on cybersecurity to foreign intelligence agencies," end quote. Which intelligence service employed him isn't being revealed because TASS' source says they don't want to compromise an ongoing investigation. But TASS observes that there are a number of unnamed possibilities. There are, indeed. Russia's got a lot of beefs with a lot of foreign countries. 

Dave Bittner: But it would be premature to assume that this is a clear, good faith prosecution. Sachkov, as Christopher Burgess points out in an interesting piece in Security Boulevard, isn't some unknown or minor figure. His company may now be headquartered in Singapore, but he's also a regular consultant to the Duma, Russia's parliament. As recently as two years ago, he received the Russian Federation's Big Business Award from President Putin himself and was photographed with Mr. Putin on the occasion. 

Dave Bittner: Group-IB's offense may be the appearance that it had been too cozy with the FBI. Sachkov's company, and especially one of its executives, Nikita Kislitsin, cooperated with the bureau in the investigation of Yevgeniy Nikulin, a Russian the U.S. indicted in 2020 for the 2014 compromise of Formspring and LinkedIn. Burgess writes, quote, "Group-IB, as well as Kislitsin, cooperated with the U.S. investigation, making themselves available for interviews with the FBI in the U.S. Embassy in Moscow. During that meeting, according to Radio Free Europe, Kislitsin said he was open to collaboration and wished to mitigate any problems. Of particular note is Kislitsin's revelation that a Russian hacker had worked with the Russian Federal Security Service, the FSB, to obtain compromising information on unnamed individuals," end quote. So it may be the implications of privateering or at least coziness with the FSB that Group-IB people appear to have given the FBI that put the organs' noses out of joint. 

Dave Bittner: Various government and industry bigwigs have been out in Aspen, Colo., swapping thoughts on matters cyber. NSA's Rob Joyce reviewed the current state of play with respect to the Familiar Four, as seen from Fort Meade. The Record glosses his remarks as follows. Quote, "Russian state hackers are disruptive and are doing intelligence gathering on critical infrastructure and governments. Hackers backed by Beijing are off the charts in terms of their scope and scale. Iran's hackers are often very focused on regional things right now, but they're dangerous because they're less judicious in what they decide is a reasonable action," end quote. So some wild and crazy guys are out and about from Tehran. 

Dave Bittner: And the North Koreans? They're out for the cash - still active - still a threat - very capable but mostly focused on crypto exchanges and creating money. 

Dave Bittner: And finally, Bitdefender's latest monthly threat report released yesterday notes the resurfacing of REvil under its familiar name. The report also counts some 250 active ransomware strains, which is a lot, especially given the challenge of survivor bias - duly noted by Bitdefender - and the difficulties of individuating things as slippery as bad actors. Anyway, their name is Legion. And to draw a conclusion the report doesn't, a look at the countries targeted suggests that half to two-thirds of Legion probably have a letter of marque from 24 Kuznetsky Most, not far from Ulitsa Lubyanka. 

Dave Bittner: The Wall Street Journal recently published an investigative series examining Facebook. And one of the areas they focused on was the social media giant's own internal research. Steven Levy is editor at large at WIRED, where he writes the column "Plain Text." He's also author of a number of bestselling books, including his latest "Facebook: The Inside Story." I caught up with Steven Levy on our "Caveat" law and policy podcast.

Steven Levy: Well, research started pretty early in Facebook's history. They were watching what people did almost from the get-go. But in 2006, they hired a really bright person named Jeff Hammerbacher to make the - all the data very, you know, easy to search. And, you know, he created this infrastructure that allowed them to take the data and do all kinds of research. And they began to hire social scientists and statisticians to make the research more - in a more organized fashion. Interestingly, research was part of the organization at Facebook that was devoted to growth. 

Steven Levy: So a lot of the research was devoted to ways that people would stay on longer to Facebook and help them discover not only ways people might use Facebook better - a lot of companies in Silicon Valley use researchers to test how well you use the product, what you might want to do in the product, what you can't do, what you have difficulty doing. But in terms of Facebook, they also figured out how the algorithm would work to keep you using it more. And one of the big breakthroughs that happened in research was when they discovered how things can go viral in the system. And they published a paper on it called "Gesundheit" because, like a sneeze, certain things can go viral. And they thought that was the greatest thing ever. And they never realized, the researchers who published that, that really is the key not only to fun things going viral but, as it turns out, some things that create anger or divisiveness or just misinformation that's harmful. So the research is sort of a mixed bag there. 

Dave Bittner: Is this ultimately just about growth and money and profits? I mean, why do you suppose they're so hesitant to make meaningful changes here? 

Steven Levy: Well, growth is the North Star at Facebook. In my book, I devoted a lot of time to tell, for the first time, the story of Facebook's growth circle, they called it, which used all kinds of means, some of them pretty dicey, to get and retain users. And that is the key to Facebook, really. And money is important because, you know, that enables Facebook to spend money to grow more and retain more users. It is connecting the whole world, which is important to Facebook, and to do that in light of competition from places now like TikTok. That draws people away from Instagram and Facebook. Probably those TikTok users are using the Facebook main app anyway. And, you know, there's only a certain amount of time people spend in a day. So that is really important. And as it turned out, when push came to shove, in certain ways, the way Zuckerberg chose to look at it was to say, wait a minute - a tenth of our users, the teenage girls using Instagram, yeah, it makes them feel bad - aggravates your mental health problems. That means, like, four-fifths are doing great, right? So let's go with that. 

Steven Levy: But obviously, a fifth of the teenage girls who use Instagram represent millions of people, quite literally. So there is something really wrong if your researchers come to you - and if you look at these slides, it's almost like they're begging the leadership of Facebook to do something about it. You know, you're saying, our product is making millions of teenage girls feel bad, and some of them with mental health problems are seeing these problems aggravated by it. That's a serious problem for a company, to make the lives of millions of teenage girls miserable or worse even. You would think that all steps, any step possible, would be taken to change that situation. But in this case, at least according to the Journal reporting, those steps weren't taken. It was saying, well, gee, if we change that, people would use Instagram less. 

Dave Bittner: Where do you suppose things have to go for us to see meaningful change here? Is this something where we could see - if Facebook doesn't make effective change to themselves, perhaps we'll see some regulation? 

Steven Levy: I think it's more likely the more we see leaks like this coming out, which isn't - let's say it's in the category of shocking but not surprising. People don't really expect Facebook to be dealing honestly with them anymore. Certainly the legislators that have been trying to get information out of them, the regulators, don't think that. There's a whole class of skeptics and critics of Facebook who wouldn't be surprised by this. The independent board that Facebook set up, whose job it was, basically, to rule on decisions that Facebook made that people are challenging, overstepped their charter intentionally and said, wait a minute; we want to get into this. We want to look into this. So they're going rogue in a way, which is kind of interesting. I think, ultimately, this pressure is going to lead Facebook to make some changes, maybe not willingly.

Dave Bittner: That's author Steven Levy. His most recent book is titled "Facebook: The Inside Story." You can hear the rest of my interview with Steven Levy on this week's CyberWire "Caveat" podcast. 

Dave Bittner: And joining me once again is Malek Ben Salem. She's the technology research director at Accenture. Malek, it is always great to have you back. I wanted to touch today on some work that I know you are involved with with quantum security and safety. What can you share with us today? 

Malek Ben Salem: Yeah. I wanted to talk to your audience about a question that I typically receive when I have conversations with my clients around quantum safety and quantum readiness. As you know, Dave, you know, we talk about the quantum threat, the threat of a universal quantum computer that is able to break our current encryption schemes that rely on integer factorization, right? And that - so it will be able to break the most popular public key algorithms such as RSA and our digital signature algorithms, et cetera. 

Dave Bittner: Right. 

Malek Ben Salem: And the way of dealing or preparing for that quantum threat is to use those quantum crypto algorithms that are, you know, quantum safe or to rely on this other approach known as quantum key distribution where, you know, organizations can distribute keys through a quantum channel, so not classical keys but quantum keys. And that provides basically the ability to ensure that those keys have not been tampered with and they would not be at the risk of being factorized or decrypted if a threat actor is eavesdropping. 

Malek Ben Salem: The difficult question that I get from clients is, you know, what are - do I need both? Or is it OK to just choose one approach to be quantum safe versus the other? And my answer is that they're - you probably - or most folks will need both because they're complementary. So first, quantum crypto, again, relies on certain mathematical assumptions. They're not the same as the ones we've been, you know, relying on to build RSA, for instance. They're new mathematical assumptions. But they eventually are dependent on those mathematical assumptions and are as strong - only as strong as those assumptions are. 

Malek Ben Salem: A number of algorithms are being evaluated by the research community, the crypto research community; NIST is enabling that. And NIST is expected to announce a, you know, the winner of that assessment or what will be potentially the new crypto standard by 2024. So that's one approach. And, you know, organizations can already, you know, implement those algorithms and try them out in their environments, understand the - their computational overhead and, you know, the latency that they introduce in comparison to existing crypto.

Malek Ben Salem: But QKD, you know, relies not on the mathematical assumptions, but on the quantum properties, the mechanical properties - or as quantum physics properties - right? - that can provide this, you know, tamper evidence property when keys are distributed. However, those quantum crypto is more - you know, can deal with scale - right? - can be scaled to the - the scale of the internet versus QKD has some physical limitations because it's a link. It's based on a link-to-link transmission. So there is a limited number of qubits that can be transmitted on a line. And so there's, basically, physical limitations. So yeah, so that's why I think for companies - for most use cases, you'll need both. And it's also a good practice to defend in layers. So to have both QKD, Quantum Key Distribution, PQC, Post-Quantum Crypto, and also QRNG, Quantum Random Number Generation, together all in one strategy and all in one defense-in-depth strategy going forward.

Dave Bittner: You know, we've been talking about this coming quantum revolution or threat - however you want to look at it - for a few years now. And my recollection is a couple of years ago, it was really a hot topic, and it seems like things have sort of settled in, and people are taking very practical approaches these days. Where are we in terms of the computational heavy lift versus, you know, Moore's law making everything get a little faster? You know, by the time this is ready for widespread distribution, are we going to be in a good place in terms of it not being too much of a burden to transition to? 

Malek Ben Salem: I think that is a great question. Knowing how long these transitions take, particularly crypto - right? - whenever you're changing standards in crypto or changing algorithms in crypto - we've seen this over and over - they take years, if not decades. And I go back to the example of the DNSSEC being deployed. We still see DNS servers that are not using the DNSSEC protocol, even though that is a simpler change, right? But now with, let's say, post-quantum crypto, you know, organizations would have to upgrade thousands of applications - right? - and certificates and - you name it. So again, the transitions take years. So I think if we don't start now, we're not going to be ready, knowing that a quantum computer is expected to be available within 10 to 15 years, depending on whom you talk to.

Dave Bittner: Right. 

Malek Ben Salem: And also, because for certain, you know - this harvest-now, decrypt-later threat, right? So threat actors can, you know, listen on our communications today and harvest all of that data and then decrypt it 10 years from now. So the threat is here. It exists today, and we need to deal with it, and we need to mitigate it as soon as possible. 

Dave Bittner: All right. Well, interesting stuff as always. Malek Ben Salem, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.