The CyberWire Daily Podcast 1.11.22
Ep 1492 | 1.11.22

Software supply chains and the free-rider problem. An APT is bitten by its own RAT. Europol told to clean up its data. A leak investigation in Denmark. QR-code phishbait.


Dave Bittner: Log4shell as an instance of a more general software supply chain issue. An APT apparently mistakenly infects itself with its own RAT. A new back door, SysJoker, is in use in the wild. A warning on commercial surveillance software. A leak investigation continues in Denmark. Joe Carrigan explains bogus QR codes. Our guest is Casey Allen of Concentric on cyber vulnerabilities in automobiles. And Europol is told it has a year to clear its databases of information on people not involved in crime.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 11, 2022. 

Dave Bittner: The Log4j vulnerabilities represent an international challenge. Open-source software supply chains run freely across national borders. It's unsurprising that their vulnerabilities are no respecters of sovereignty. Australian authorities have been running through the same Log4shell issues their U.S. counterparts are working on, and they've been doing so in close partnership with their Five Eyes allies. The Australian Signals Directorate and the Australian Cyber Security Centre have been full participants in getting out guidance to the many stakeholders affected by the vulnerabilities in the open-source library. The Australian Associated Press today published an account of where the country stands with respect to remediation. So far, they're not seeing any significant incidents traceable to Log4shell exploitation. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities Catalog now includes Log4shell, and that's consistent with the agency's aspiration, expressed clearly during yesterday's media call, of serving as a single authoritative source for information on risk and remediation. The agency's leaders, while emphasizing the seriousness of the vulnerability, nonetheless offered a broadly optimistic view of the response. The incident is requiring organizations to manage an extraordinarily complicated supply chain with thousands of vendors, all of whom, CISA Director Easterly emphasized during yesterday's call, must prepare and deliver their own patches. Concern about the difficulty of the government gaining adequate insight into the scope of any particular risk has lent renewed urgency to lawmakers, Senator Peters among them, who are sponsoring legislation that would require organizations to report major cyber incidents. Roll Call notes that House and Senate measures failed to make it through conference during the last session of Congress, but that efforts to arrive at a bill that could pass both houses would resume as Congress reconvenes. 

Dave Bittner: Log4j vulnerabilities will not be amenable to any quick or easy fix. And in this respect, they represent, in heightened form, a problem that's common to open-source software generally. As WIRED points out, not even the big stick the U.S. Federal Trade Commission has waved at businesses will be able to effect an overnight cure for the flaws. As CISA's executive assistant director for cybersecurity Eric Goldstein said yesterday, remediation will have a very long tail. 

Dave Bittner: The open-source software supply chain may have a free-rider problem. BleepingComputer reported an infinite loop a developer inserted into two widely used open-source libraries. It was a gesture of protest. The developer, whom BleepingComputer identified as Marak Squires, is thought to regard himself as having been exploited by the many organizations who have used his software without either adequate compensation or support. The Apache Foundation addressed this sentiment and its causes in a position paper. SecurityWeek headlines its account of the paper "Apache Foundation Calls Out Open-Source Leechers." That's a strong way of putting it, and we couldn't find any variant of leech, still less freeloader or parasite, in the Apache text, but it's not too far off the mark. Apache doesn't call organizational users leechers or leeches, but its position paper describes a free-rider problem. Apache puts it this way. Quote, "we can't fix open-source supply chain issues by focusing exclusively on the upstream producer," end quote. The downstream users of open-source software should, Apache argues, contribute back - that is, help fix bugs, conduct security audits and feed back the results. Cash, while welcome and useful, isn't sufficient. They say they eagerly welcome audits and fixes from any source and have a process defined for doing so. This is not to say that the Apache Software Foundation endorses developers sabotaging their own code - far from it. Their concern is with the security and safety of the open-source products themselves. 

Dave Bittner: Malwarebytes reports that an advanced persistent threat seems to have infected itself with its own remote administration Trojan, specifically the BADNEWS RAT. The APT is PatchWork, also known as Dropping Elephant, Chinastrats and Quilted Tiger. PatchWork is associated with the Indian government and has been observed collecting against targets in Pakistan. Malwarebytes was able to gain some insight into Dropping Elephant's interests. As usual, we like the animal names for APTs, so we're going to go with that one. The agencies the threat actor prospected include Pakistan's Ministry of Defense, the National Defense University of Islamabad, the Faculty of Bioscience, UVAS University in Lahore, Pakistan, the International Center for Chemical and Biological Sciences, the HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi and SHU University, with a particular interest in molecular medicine. The targeting represents, according to Malwarebytes, a noticeable shift in the APT's interests. Quote, "while they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed, this is the first time we have observed PatchWork targeting molecular medicine and biological science researchers," end quote. 

Dave Bittner: Intezer today described a new back door, SysJoker, whose Windows, Mac and Linux versions are out in the wild. SysJoker misrepresents itself as a system update, and Intezer thinks the purpose-written malware is the work of an advanced actor. The U.S. National Counterintelligence and Security Center, the NCSC, has issued an advisory on commercial surveillance products. Those are unnamed, but they clearly include such tools as NSO Group's Pegasus. Quote, "journalists, dissidents and other persons around the world have been targeted and tracked using these tools, which allow malign actors to infect mobile and internet-connected devices with malware over both Wi-Fi and cellular data connections," end quote. 

Dave Bittner: The advisory includes recommendations for digital hygiene that might make it less likely that a device be compromised. They'll be familiar to most of you, but they're worth a quick review. Regularly update device operating systems and mobile applications. Be suspicious of content from unfamiliar senders, especially those which contain links or attachments. Don't click on suspicious links or suspicious emails and attachments. Check URLs before clicking links, or go to websites directly. Regularly restart mobile devices, which may help damage or remove malware implants. Encrypt and password protect your device. Maintain physical control of your device when possible. Use trusted virtual private networks. Disable geolocation options, and cover your camera on devices. And finally, a commendation of paranoia as the sensible user's default psychological state - quote, "while these steps mitigate risks, they don't eliminate them. It's always safest to behave as if the device is compromised, so be mindful of sensitive content," end quote. 

Dave Bittner: According to Reuters, the former director of Denmark's Foreign Intelligence Service, Lars Findsen, is being held in custody at least through February 4 while the government investigates leaks of highly classified material. This is the latest development in an investigation that's been running for over a year. Mr. Findsen maintains he's innocent of any misconduct, and the government isn't revealing much publicly about what is surely a sensitive inquiry. 

Dave Bittner: And finally, the European Data Protection Supervisor has ordered Europol to delete data concerning individuals with no established link to criminal activity. At issue is the data subject categorization. In the course of its investigations, Europol inevitably scoops up information on large numbers of people who turn out to have no connection with or involvement in the crimes that are the subject of the inquiries. But it's not supposed to hold this information indefinitely. The EDPS has decided to impose a time limit of six months, by which time Europol will have to determine any information's data subject categorization and purge information it has no legitimate investigative use for. The European police agency has 12 months to bring its practices into compliance with the six-month limit. 

Dave Bittner: We are in the midst of multiple simultaneous transitions in the cars we drive as automakers electrify their fleets and respond to consumer demand for enhanced connectivity and mobile device integration. I have on more than one occasion joked that my favorite iPhone accessory is my car. 

Dave Bittner: Casey Allen heads up the information technology team at cybersecurity and digital privacy firm Concentric. And he reminds us that all that advanced automotive connectivity and functionality comes with a price. 

Casey Allen: You know, I think by 2025, it's estimated about 86% vehicles on the road are going to have some kind of connectivity. And with that, obviously, comes increased amounts of cybersecurity incidents. So 2019, I believe we saw 150 or so, which was a 94% increase year over year since 2016. They have their own categories of CVEs, 33 three of which were reported last year, compared to 24 in 2019. So the trend is continuing to go up. 

Dave Bittner: You know, we see stories from time to time that are kind of illustrating the nightmare scenarios - you know, someone taking control of your car and driving it off the road or something, you know, very dramatic like that. But what are the actual things that are at risk here? Is this mostly about cars being stolen? What sort of things should people be aware of? 

Casey Allen: So I think the No. 1 impact of these attacks is usually some kind of data privacy breach. So if we think about someone who leases a Tesla for a number of years and then returns that car to whoever owns it, they're probably not thinking about wiping all of their personal information that's stored on the onboard computer system that can have their contact info from their cellphone phone book, their calendars, onboard recordings from them driving their car, waypoints that they go to frequently. So all that kind of information is stored on the vehicles, and even if you rent one for just a couple of days, if you connect your phone to take advantage of all the great technology in a Tesla, if you're not wiping that off when you leave, it's possible that somebody could download that and use it in all kinds of nefarious ways. 

Casey Allen: In terms of theft, the biggest avenue of attack there is definitely the wireless key fobs people use to lock and unlock their cars. And a lot of them now have the push-button start. So that's all done over radio frequencies, and, you know, with just a couple of dollars' worth of hardware, it's relatively easy to intercept those communications from the key fob to the car and then replay those to unlock it, start it up and steal it. 

Dave Bittner: What about the car manufacturers themselves? What is their approach to this? Are they at the point of seeing security as being some - any sort of competitive advantage? 

Casey Allen: I think they're going to have to. Tesla, you know - well, first of all, pretty much all the major car manufacturers now have bug-bounty programs, which I think has really helped. Just Uber alone, I think their bug bounty has resulted in about 1,500 vulnerabilities being reported. But one interesting thing that Tesla's done as the result of a bug-bounty disclosure is they've actually introduced code signing into their onboard computer systems, which, you know, I really think is one of the ways that this - these vulnerabilities are going to be locked down. But it's much easier for a manufacturer like Tesla to do that than, say, the manufacturers in Detroit that have much more disparate supply chains, where they're getting pieces and components from many different places. That's going to be hard to bring uniformity to those processes. 

Dave Bittner: What about people's right to repair? You know, as these systems become more complex and - you know, it's not just getting under the hood with a wrench and, you know, an electric meter. Do we find ourselves with sort of a natural tension here between the sophistication that consumers want but also the ability to protect people from getting under there and maybe causing things to go wrong? 

Casey Allen: Yeah, certainly. There's - a lot of these vulnerabilities are unintentionally discovered by, you know, what you might call grey hats that are trying to augment some of the features in their vehicle or do customization to them. But, you know, a close friend of mine who's been an auto mechanic for the last 20 years says, you know, it's not enough to have an auto mechanic degree anymore; you also have to have a computer science degree to really understand how the systems are working together in these vehicles. So, you know, in some ways, as more technology is being put in these vehicles, the number of vulnerabilities is going to increase, as is the cost of maintenance and updates, because now we're not just replacing brake pads; we also have to make sure that firmware is up to date and patched against whatever the latest vulnerability is. 

Dave Bittner: That's Casey Allen from Concentric. 

Dave Bittner: And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, it's great to have you back. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: You know, we track a lot of scams over on "Hacking Humans." 

Joe Carrigan: We do. 

Dave Bittner: And there's an interesting one that came up here that we touched on. This has to do with some QR codes. What's going on here, Joe? 

Joe Carrigan: Well, Dave, the - one of the easiest things to do in this job is to make a prediction and wait for it to come true. 

Dave Bittner: (Laughter). 

Joe Carrigan: And I've been saying for a very long time that QR codes are going to be a vector for attack against regular people because as soon as I started seeing these things, I'm like, that is just essentially an encoded URL and it could go anywhere and there's no human readable part of that. And even if there were a human readable part of it, there's no guarantee that what's in the human readable text is what's in the bar code, which is essentially what a QR code is. It's a multiplex barcode. I know that from my printer sales days, Dave. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: That's how I learned about multiplex barcodes. I was fascinated by them. And they can contain a lot of information and they can contain - this is important - any information. So what's happening in Texas - Austin police is talking about this on Twitter. We had a story on "Hacking Humans" about Houston police. It's going around Texas, and it will be coming around to just about every major center - city center that has parking kiosks. So these parking kiosks, we have them in Baltimore. We have them - I haven't been - driven in D.C. in years, but I've seen them in other cities. You park at a place - there's no more meter anymore because few people carry cash anymore. And if they do, then they can use that at the kiosk. But you walk up to a kiosk and you interact with this kiosk some way and then you get a little ticket and you put that ticket in your window. And that's your - that's how you pay for parking now. Well, what someone has done or someone is doing right now is on the part of the kiosk, they have a printed, like, ad for their app, which is one of the ways you can pay for parking. Within the frame of that ad, there is a QR code. Someone has just stuck a QR code on there, and that QR code is malicious and just scams people out of money. That's how it works. It's the perfect crime, Dave (laughter). 

Dave Bittner: So it takes them to a scam site that makes them think they're signing up to pay for their parking. But in fact, these folks are stealing their credentials, their money and so on. 

Joe Carrigan: Right. And the credit card information as well. 

Dave Bittner: Right, right. OK. 

Joe Carrigan: How do you protect yourself against this? You know, the - in Houston, the police are saying - they're saying, don't scan the barcode. We don't use a QR code to pay for things. We use four ways of paying. You can pay with bills. You can pay with coins. You can pay with a credit card or you can pay with our app - our app, which you have to get from the app store. So be sure that you only use one of those forms of payment. The other thing you can do is there is a number of these things out there. I know Trend Micro has one that's free. You can just go out to the app store and get the QR code scanner that verifies or validates a QR code as either safe, malicious or unknown. Use that as well whenever you scan a QR code. Don't just open up your camera app. Go out and get a QR code verifier like the one from Trend Micro. If there are other ones out there that are also free and listeners know about it, I would love to hear about it. I don't - I'm only recommending the Trend Micro one because it's the only one I know about. 

Dave Bittner: Yeah. Yeah. So you can sort of pre-detonate those QR codes without having to actually visit the site. Yeah. 

Joe Carrigan: Right. And if Trend Micro thinks it's safe, it just takes you right to the site. If it thinks it's malicious or it doesn't know, it asks you for input. So it's actually a well-designed app. I like the Trend Micro one. 

Dave Bittner: Yeah, that's good. That's good. Yeah. You know, I think about this when I go and buy gasoline because I like to use the gas station's app because it lets me avoid using the credit card at the pump, which is, as we know, is a place where there are quite often credit card skimmers. 

Joe Carrigan: Right. 

Dave Bittner: So by avoiding using that, I feel like there's more of a sense of security there. But also on the gas pump, typically, there's a QR code for signing up for the app or signing up for loyalty points. And every time I see that, I think about how easy it would be for someone else to come along with their own sticker and just slap it on there and take advantage of people. 

Joe Carrigan: Yeah, absolutely. It would be trivial to do that. I mean, you can print QR codes. There are QR code programs out there. They're free. You know, I haven't even verified this, but I'm comfortable saying it, Dave. There are free things out there that will generate QR codes for you no problem. 

Dave Bittner: Yeah. Yeah, absolutely. For sure. All right. Well, be vigilant out there, folks (laughter). 

Joe Carrigan: Yes. 

Dave Bittner: It's something to keep an eye out on. Joe Carrigan, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.