Malicious apps do more than extort predatory loans. A Facebook account recovery scam. Notes from the hybrid war. Goodbye SHA-1, hello Leviathans.
Dave Bittner: A predatory loan app is discovered embedded in mobile apps - Facebook phishing - GPS disruptions are reported in Russian cities - NSA warns against dismissing Russian offensive cyber capabilities - farewell, SHA-1 - Kevin Magee from Microsoft looks at cyber signals - our guest is Jason Witty of USAA to discuss the growing risk from quantum computing - and welcome to the world, Leviathans. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 16, 2022.
Predatory loan app discovered embedded in mobile apps.
Dave Bittner: Zimperium has found a novel predatory loan application, MoneyMonger, embedded in mobile apps developed with Flutter. It's found in apps sold through third-party stores. MoneyMonger collects a large amount of personal information from its victims and then uses that information in what Zimperium describes as multiple layers of social engineering, ultimately seeking to extort even more money from the marks than the original conditions of their predatory loans themselves. Zimperium concludes that the code they've discovered forms part of a more extensive predatory loan malware campaign previously discovered by K7 Security Labs. So predatory lending is bad enough, but in this case, the criminals seek to enmesh the victims in a tangle of threats, pressure and further extortion with some data theft on the side.
Facebook phishing.
Dave Bittner: Researchers at Trustwave have observed a phishing campaign that informs recipients that their Facebook account will be locked within 48 hours for a copyright violation. The phishing emails themselves are very poorly written, but they contain a link to a fairly convincing Facebook post. The researchers write, instead of the usual phishing link to an external landing page, this mail sample is crafted with a link that points to an actual Facebook post. The content of this Facebook post appears legitimate because it uses a dummy page support profile with the Facebook logo as its display picture. At first glance, the page looks legitimate, but the link provided in this post leads to an external domain. The link in the Facebook post leads to a spoofed version of Facebook's appeals page, hosted on a domain that impersonates Facebook's parent company, Meta. Once you're there, thinking you're about to get your account unlocked, you'll be asked to enter some information. The Trustwave researchers explain, upon clicking the send button, any information entered in the form by unsuspecting victims will be sent to the cybercriminals, along with the victim's client IP and geolocation information. Inspecting the source code reveals a link to a JavaScript file which contains the function that will retrieve any information provided to its form when triggered. After the victims enter their information, they'll be redirected to Facebook's real website, possibly none the wiser. Trustwave concludes, these fake Facebook violation notifications use real Facebook pages to redirect to external phishing sites. Users are advised to be extra careful when receiving false violation notifications and not to be fooled by the apparent legitimacy of the initial links.
GPS disruptions reported in Russian cities.
Dave Bittner: Wired reports that GPS signals are being jammed in some Russian cities. Russian electronic warfare operations have periodically disrupted GPS during the present war. The motive in this case may be interference with GPS-guided Ukrainian drones and missiles that have recently struck military targets inside Russia.
NSA warns against dismissing Russian offensive cyber capabilities.
Dave Bittner: It's now become a commonplace and correct observation that Russian cyber operations have fallen far short of prewar expectations. But U.S. NSA cybersecurity director Rob Joyce warns against complacency. CyberScoop quotes him as saying, during a press briefing on the release of NSA's 2022 retrospective,, "I would not encourage anyone to be complacent or be unconcerned about the threats to the energy sector globally. As the war progresses, there are certainly the opportunities for increasing pressure on Russia at the tactical level, which is going to cause them to re-evaluate, try different strategies to extricate themselves." So listen to Mr. Joyce. And don't get cocky, kid. The mention of the energy sector is significant, as it had been expected to be a principal target of Russian cyber operators. They had shown the ability to interrupt service across portions of the Ukrainian grid in 2015 and 2016, but those cyberattacks haven't been reprised in the present war. This isn't due to any tenderness about civilian suffering or indiscriminate targeting, either. As the drum fire of Russian missile strikes demonstrates, some of the failure of Russian cyber operators to show up is certainly due to effective Ukrainian defense, but a complete explanation remains a matter for speculation.
Dave Bittner: The report that Cybersecurity Director Joyce was introducing also outlined the support NSA has rendered over the course of 2022 to defensive operations prompted by Russia's invasion of Ukraine. The NSA Cybersecurity Year in Review report summarizes - as Russia invaded Ukraine in early 2022 and the U.S. held Russia accountable, intelligence indicated that the Russian government was exploring options for potential cyberattacks against the U.S., including its critical infrastructure sectors. NSA, CISA, and FBI issued cybersecurity advisories in January, February and April to heighten awareness of the threat and promote understanding of Russian state-sponsored and cybercriminal tactics, techniques and procedures so that net defenders could strengthen their defenses. Through operational collaboration with defense industrial base companies and their service providers, NSA's Cybersecurity Collaboration Center played a leading role in protecting key critical infrastructure sectors. The CCC conducted more than 2,000 bidirectional exchanges in the first four months of 2022, sharing NSA's insights, actionable information on Russian cyber TTPs and building a more fulsome intelligence picture with industry's help. Throughout the conflict in Ukraine, NSA has provided foreign signals intelligence insights that have aided U.S. government leaders, NATO and the U.S. European Command. It has also provided cryptographic security products to meet unplanned emergency requirements and to support urgent missions. It has rapidly deployed more than 150 communications security devices to support mission operations during the global crisis.
Ave atque vale, SHA-1.
Dave Bittner: It is so long at last to SHA-1. NIST urges those who still use it to move away from the venerable SHA-1 encryption algorithm in service since 1995. They state the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life, according to security experts at NIST. The agency is now recommending that I.T. professionals replace SHA-1 in the limited situations where it is still used with newer algorithms that are more secure - that is, with SHA-2 or SHA-3. SHA-1 has grown unacceptably vulnerable to collision attacks. Leaving SHA-1 will be a long goodbye. NIST explains that these things aren't done overnight, stating modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance so that CMVP has time to respond.
Welcome to the world, Leviathans.
Dave Bittner: And finally, the U.S. Army has activated the 11th Cyber Battalion, the Leviathans, at Fort Gordon, Ga., with official ceremonies welcoming the new organization held yesterday. Good luck and good hunting, Leviathans.
Dave Bittner: Coming up after the break, Kevin Magee from Microsoft looks at cyber signals. Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing. Stay with us.
Dave Bittner: Quantum computing has the potential to greatly increase the speed and power of computers and with that comes great promise as well as potential risk, particularly to encryption methods. Jason Witty is chief Security officer at insurance and banking organization USAA, and I caught up with him for insights on being quantum ready.
Jason Witty: There are things that exist today already in terms of different quantum computing offerings that large-scale technology companies have today. But there's also what we predict is going to happen in the next 10 years, and that's where it gets really interesting and why we're talking about it now. Quantum computing certainly has the promise of delivery - tens of thousands, hundreds of thousands, even tens of millions of times more compute capacity than classic computing environments have. So that can, you know, really go to solving some really, really, really large challenges that we couldn't do with today's compute environment. But also, from a security standpoint, having that much compute power at your fingertips roughly 10 years from now puts asymmetric cryptography at real risk of being decryptable at that timeframe. And because we're using asymmetric encryption in so many different things like SSL or TLS or just, you know, HTTPS in general, all of that traffic being hoovered up by, you know, military intelligence in several countries for the purpose of being able to decrypt that 10 years from now is certainly, you know, a concern. So that's why I think we're talking about that now. And there's a lot to unpack there.
Dave Bittner: And where do we stand in terms of having confidence in the timeline with the research that we're seeing, the announcements we've seen made? Where do we stand there?
Jason Witty: Yeah. That's really a good question. The - one of the things that happened five years ago was that there was a prediction that it would take about five years for there to be quantum parity, so being able to calculate, you know, using a quantum computer the same thing that you could do with a regular classic computer. And so if that was five years ago, that actually happened about three years ago. So it was greatly accelerated to have this prediction that it was going to take five years, well, we actually took two. Similarly, for a very narrow scope, quantum superiority, where you can actually calculate the things faster using a quantum computer than a classic one, was predicted to be several years after that, and it actually happened the same year.
Jason Witty: So I would say our ability to predict where this technology is going has been kind of, you know, not a whole lot of confidence in terms of, is it really like a decade from now or is it two decades from now or is it like a year from now? However, what I would say is that we generally are stating that quantum things are going to happen in the five to 10 to 20-year timeframe. And we're generally seeing that those things are happening faster than most of the predictions. But across the scientific community, having quantum computers at the level where they can actually break asymmetric encryption, there is general consensus right now that that problem is about 10 to 12 years from now.
Jason Witty: And because it's 10 to 12 years from now, we should be very thoughtful about, what does that mean for the next five years in terms of new algorithms coming online that are in the post-quantum encryption environment? We will then need to understand, where do we have traditional algorithms and inventory of all of those, you know, traditional algorithms? Then plan on replacing them with these post-quantum encryption algorithms. And then how long is that rollout going to take, and is that going to be able to be done by the time, you know, the threat landscape around quantum changes?
Dave Bittner: What is your sense in terms of urgency for folks who are responsible for security? To what degree should they be actively pursuing solutions for their own environments?
Jason Witty: Yeah. So the National Institute of Standards and Technology has recently come up with a small number of PQE replacement algorithms - post-quantum encryption algorithms. So now it is really on all of us to make sure that we start in the inventory phase to ensure that we have the ability to migrate to these new algorithms. And we know where they're, you know, where they're in use today. Then there's the phase of actually doing the migration. And then there is along that same timeframe, let's just say for argument's sake that the inventory might take you two or three years, and the migration might take you two or three years. And we actually start the migration, you know, in parallel. Along that roughly six-year window, hypothetically, you also want to be able to decouple as much as possible the encryption and the decryption and the key management processes so that you have crypto agility, so that if you get to the end of that six-year timeframe and now all of a sudden, something's wrong with one of the algorithms or there's some breakthrough that's happened, you have the ability to switch out again, and you have an agile way of doing your sort of key change or algorithm changes.
Dave Bittner: Is there a hit that organizations could take in terms of performance by implementing some of these more advanced algorithms, or does the asymmetry mean that that's not so much of an issue?
Jason Witty: No, it could certainly be an issue. And the whole thing with post-quantum encryption is it's - it is classically computed algorithms using classic computers that are more resistant to quantum computers attacking those algorithms. There's a lot of different theoretical algorithms that are out there today. They are all trying to balance the performance hit with the additional security that you get with the algorithm, but certainly, that's part of the process - is understanding, you know, where do you take that hit? And can you horizontally scale to just deal with it? Or do you have to, you know, have bigger compute capacity on a individual server-by-server basis?
Dave Bittner: That's Jason Witty from USAA.
Dave Bittner: And joining me once again is Kevin Magee. He's the chief security officer of Microsoft Canada. Kevin, always great to welcome you back to the show. You and your colleagues at Microsoft recently released a report. It's, I believe, titled the Cyber Signals Digital Briefing. This is the second one you all have put out. Can we go through some of the highlights here from this report?
Kevin Magee: Thanks, Dave. Thanks for having me back. It's always great to chat with you. This is a new quarterly research report. This is our second edition we've come out with, and we're taking a different approach. The, you know, vendor report market is kind of crowded. We want to make sure we're adding value. So this report's really focused, in my mind, on not listening to what's happening on the dark market and on the chat boards and whatnot and sort of reporting and not focused for the super highly technical. It's more like a signals intelligence report where we're listening to the 40 - 40, 50 - I'm not sure how many trillion signals we have at this point across our global platform. And we're building intelligence that can be shared with business leaders. So this is a report that you can share with the business leaders in your organization, with your senior executives, with your board of directors, to help them understand some of the challenges you are seeing in the marketplace. But it's not driven on sort of hearsay or, you know, observations. It's driven on hard data that we're seeing from our platform. So I think that's the unique place that we're trying to carve out in educating the vendor community and also our customer base.
Dave Bittner: Can we dig into some of the specifics here? What are some of the things that caught your eye?
Kevin Magee: Yeah, this one is on - focused on ransomware, and it's entitled "Extortion Economics: Ransomware's New Business Model." And my read of it is really the days of the ma-and-pa sole proprietor hacking team is kind of done. We're seeing a professionalization and industrialization of the ransomware industry. I often joke that you'll run into a hacker now in, you know, the criminal markets. They don't want to be called a hacker. They want to be called an extortion engineer. I think that's the phase of the ransomware we're seeing going through. But what does that mean in real terms? Distributed networks. Cybercrime is becoming a gig economy. There's a great deal of focus on innovation. We're seeing a move to subscription-based business models, ransomware-as-a-service, initial access brokers. You've covered a lot of this on the podcast, which - you see more and more evidence of this in the marketplace, as well. We're also seeing adoption of affiliate marketing and multilevel marketing and human-operated approaches. They're running these more like businesses and distributed businesses as opposed to sort of how we envision the traditional hacking team. And it's a profound change in the business models, which presents some threats. And it also presents some opportunities for us, as well.
Dave Bittner: Yeah. Can we talk about some of those opportunities? I mean, what in your mind are the possibilities in terms of disruption?
Kevin Magee: I think, you know, for the short term, it's going to get worse because they're evolving faster than we are. But what is happening in the back end. And I hope I'm proven right in there - is in order to build these bigger markets where you're having less sophisticated people join affiliate networks or whatnot, you have to standardize. And you have to build standard products and build, you know, things that are consistent because if you're providing ransomware-as-a-service as a service and you need to provide an upgrade, you're now acting like a software vendor as a cybercriminal. And you need to run that business. So standardization means they're going to continue to use the same tactics. They may lower the tactics. They may make them easier, whatnot, as that continues. So that gives us a chance to, when we defend, defend against a larger segment of these attacks. So short term - and I don't know what short term means. You know, in cybersecurity, it could be weeks. It could be years. I think there will be more pain. But as we see them try and really build business models that are global and distributed, they're going to suffer the same challenges that any other business faces and that gives us as defenders the chance to find new ways to build defenses.
Dave Bittner: Are you optimistic that we're on the right path here, that this is something that's achievable?
Kevin Magee: Well, I have to be, Dave...
(LAUGHTER)
Kevin Magee: I wouldn't be able to do my job. I want to think, you know...
Dave Bittner: You are, after all, Canadian.
(LAUGHTER)
Kevin Magee: Yes. And I'm sorry.
(LAUGHTER)
Kevin Magee: But - we have to really look at capitalizing on some of these opportunities and thinking forward of how we're going to address these challenges. We're seeing the transition in the cyber criminals from technical, highly technical operated attacks to more business email compromise, more focusing on the business. You know, that's something as an organization we can respond to. Our tech folks, when we're trying to talk to senior executives and whatnot about building defenses, they didn't understand our language. They understand the language of extortion. They understand the language of affiliate model ransomware. I think, again, as we standardize and as we see cybercriminals become more like a business, the private sector, who's pretty good at business and competition, will eventually be much better equipped. And we'll be able to harness the entire resources of the organization at layer nine, as Bruce Schneier would say, to sort of combat and defend against some of these attacks. So I'm optimistic. I do think we'll go through some pain and a lot more of it till we get there. But eventually, every time there's a new technological advance, the attacker-defender balance shifts. Eventually, I believe it will come back into our favor.
Dave Bittner: Yeah. I can't help wondering if, you know, as you say, that the professionalism continues here, but I don't think it's ever going to go away completely, but I wonder if we might reach a point where it exists mostly at the nuisance level, where it's not an existential threat to your business. It's just one of many risks that you have to plan for, but it can be dealt with.
Kevin Magee: And I think that's where it was, you know, bespoke, you know, one-off type of highly creative hackers and a very immature market that didn't know how to deal with it. Now we're having a more commoditized attack approach, a more institutionalized approach to cybercrime. We're getting every year more of an understanding and integrating into resilience, not just security on the business side. So I think you're right. At some point, it will become a cost of doing business and we will understand how to deal with that. That's going to take time. That's going to take education. That's going to take really the integration of cybersecurity to be operationalized throughout the organization, not just still in the tech department.
Kevin Magee: And in my career, I've really seen that change. I mean, there was, you know, maybe five, 10, 20 of us in the industry it seemed when I got started a few years ago. And now everyone's talking about cybersecurity in all aspects of the business. And if you'd told me that that would have happened so quickly as it did, I would have been surprised 10 years ago to hear you say that. So again, I'm optimistic. I think when we're in the trenches and we're fighting it every day, I can see why it's never ending. But I do see some light at the end of the tunnel. And hopefully it is, you know, as they proverbially say, not a dream (ph).
Dave Bittner: Yeah, that's right. All right. Well, Kevin Magee, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out "Research Saturday" and my conversation with Or Katz from Akamai. We're discussing highly sophisticated phishing scams and how they're abusing holiday sentiment. That's "Research Saturday." Check it out.
Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.