The CyberWire Daily Podcast 1.17.18
Ep 516 | 1.17.18

Section 702 update. Kaspersky reports on Skygofree—dangerous Android spyware. Recorded Future on DPRK spearphishing. Healthcare hacks. Bogus patches. VR game could expose users.

Transcript

Dave Bittner: [00:00:00:19] Hey everybody, it's Dave with a quick update. Yesterday we passed four million total downloads since we started the CyberWire Podcast just over two years ago. Thanks to all of you for making that number possible and for sharing the show with your friends and colleagues. We do appreciate it.

Dave Bittner: [00:00:19:01] The US Senate is ready to vote on Section 702 surveillance reauthorization. There's bipartisan Congressional support for an election security bill. Skygofree is an unusually capable variety of Android spyware. More evidence ties North Korea's Lazarus Group to a Bitcoin spearphishing campaign. German users are lured by fake Spectre and Meltdown patch sites. Healthcare organizations have been hit with a variety of attacks. And are you thinking of VR adult content? Think twice. No, better think thrice.

Dave Bittner: [00:00:56:17] Now I'd like to share an opportunity from our sponsor CYBRIC. On February 8th, cybersecurity thought leader, Dr Chenxi Wang, joins continuous application security platform provider CYBRIC to discuss DevSecOps from cradle to scale, real world lessons and success cases. Many businesses are moving to DevOps and agile development methodologies. But most security tools and processes aren't designed for this new world and that hinders innovation. In this webinar, Dr Chenxi Wang, founder of the Jane Bond Project Cybersecurity Consultancy, and Vice Chair of OWASP's Board of Directors, joins CYBRIC's CTO, Mike D. Kail, to discuss integrating security into your DevOps process at scale using real world examples. Mike and Chenxi will also cover getting started with DevSecOps, what metrics to use and what security at scale can mean for you. Join them February 8th at 1:00 pm, US Eastern Time, for this insightful and information-packed webinar. To register, or to learn more, go to thecyberwire.com/cybric. That's thecyberwire.com/cybric. And we thank CYBRIC for sponsoring our show.

Dave Bittner: [00:02:20:08] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, January 17th, 2018.

Dave Bittner: [00:02:30:19] Yesterday the US Senate voted for cloture on debate surrounding legislation that would reauthorize Section 702 surveillance. This means there will be no filibuster, and the bill will proceed to a floor vote, perhaps as early as today or tomorrow. Section 702 authorities are widely regarded within the US Intelligence Community as indispensable to modern foreign intelligence collection. Critics regard the surveillance programs as too susceptible to abuse and a potential threat to US citizens' privacy. Senators Wyden and Paul were among a relatively small number of opponents of reauthorization who had threatened a filibuster.

Dave Bittner: [00:03:09:13] Congress is also considering a bipartisan bill that would have the Executive specify penalties for election interference. The responses specified would be keyed to specific countries.

Dave Bittner: [00:03:21:12] Kaspersky Lab warns of a new and unusually dangerous strain of Android spyware. They're calling it "Skygofree," and it's evasive and capable. Among its features are location-based audio recording, interception of WhatsApp messages through Android Accessibility Service, ability to connect victim devices to attacker-controlled Wi-Fi, recording of Skype calls, and a keylogger. Kaspersky thinks Skygofree is the work of Italian lawful intercept shop Negg International, in part because they've found the domain h3g.co in the malware's traces; that domain is registered to Negg. The audio recording functionality strikes most of the people covering the discovery as unusually creepy. It essentially turns an Android device into a bug when the device is taken into a specified area determined by the attackers. There have been infections reported, for the most part in Italy. Kaspersky says the malware spreads via web landing pages that look like legitimate sites belonging to Vodafone and other mobile carriers. The campaign is ongoing, and users should be alert to the possibility of infection.

Dave Bittner: [00:04:32:18] More evidence is out on North Korea's designs on cryptocurrency. Recorded Future has a report on the Lazarus Group's concerted spearphishing campaign it conducted in late 2017 against South Korean cryptocurrency exchanges and their users. South Korea is an attractive target for obvious political and linguistic reasons. It's also attractive because it has a large number of active cryptocurrency early adopters. In addition to theft of Bitcoin, the campaign also prospected South Korean university students interested in international affairs. The campaign's malware used a known exploit - Ghostscript, CVE-2017-8291 - and went after users of Hancom’s Hangul Word Processor, a widely used Korean-language word processor. There are interesting connections between this campaign and earlier ones linked to the Lazarus Group. The malware payload, for example, shared code with Destover, a strain used to hit Sony Pictures in 2014, and early WannaCry victims last year. Both the Sony hack and WannaCry have been widely attributed to North Korean cyber operators.

Dave Bittner: [00:05:43:03] Despite falling Bitcoin prices - off about 40% since their December highs - ordinary criminals as well as sanction-avoiding rogue states are still attracted to it and other alternative currencies. CoinHive is the tool most favored by cryptojackers.

Dave Bittner: [00:06:00:22] With the Winter Olympics less than a month away, there have been reports of increased phishing campaigns using the Games as the focus of their social engineering. Mark Orlando is Chief Technology Officer at Raytheon Cyber and he joins us with his perspective on these higher profile phishing attempts.

Mark Orlando: [00:06:18:20] As time goes on and more and more business and logistic support and just really more things are done on line, we're going to see a rise in these types of social engineering attacks. So I think it's natural to assume that more individuals and more organizations that are tied to these Games will be targeted this year than what we saw with the Rio Olympics and I would imagine at the next Games we're going to see an even wider target set, again as more and more of this work and the coordination and logistics and the communications are done over the Internet versus in person or telephone or some other ways that it might have been done in the past.

Dave Bittner: [00:06:57:18] And so what sort of specific recommendations do you have for people to protect themselves?

Mark Orlando: [00:07:02:12] Really what it comes down to is trying to practice good cyber hygiene. These are things like user training and awareness, making sure that anyone who is conducting business or working with other groups, other support elements, other individuals and businesses tied to supporting the Games in this case, that they're aware that these threats are out there and that they may be targeted, even if they feel that maybe the information that they have or they're using is not particularly useful to anyone, they can still be a target. So making sure that everyone involved and everyone who's participating is aware of the threats and aware that they may be a target and what to do if they receive an email, for example, that has been unsolicited or looks suspicious in any way, or comes from someone they don't know. And then hardening your systems and making sure that whatever information technology, whether it's your laptop, or your mobile phone, or any network infrastructure you're using, is as hardened as it can possibly be to these types of attacks. What we've seen in the security sector is that eventually users will fall victim to these types of attacks. It's just statistically assured that someone will fall victim to these attacks. So understanding that, what precautions have you taken on these devices, your laptops, computers, mobile devices, that makes them as resistant as possible should a user click on a malicious link or go to a malicious website or open a malicious attachment. So having those controls in place, in addition to making sure that users are trained and aware of the threat, those are probably the two biggest things that organizations can do to defend themselves.

Mark Orlando: [00:08:40:24] Given the story and given the visibility of it and obviously the Games are such a high profile event, multiple countries involved, and so there's that sort of espionage kind of element to it, I think there's a tendency to put a lot of focus on the who and the why which are reasonable questions to ask, but it's also important to note that from a defensive standpoint and a cybersecurity standpoint, this is a threat that organizations face every single day. So really from a defensive perspective, it's really just about focusing on the fundamentals and trying to defend yourself as well as possible, as opposed to focusing so much on the who and the why. It's really just understanding that you may be targeted and you've got to take those steps to defend yourself, no matter who it is or why.

Dave Bittner: [00:09:27:03] That's Mark Orlando from Raytheon Cyber.

Dave Bittner: [00:09:31:19] Bogus patch sites promising to fix Spectre and Meltdown are up in the wild. They target German users by spoofing the Federal Office for Information Security, the BSI. Instead of patches, Malwarebytes reports, the sites serve up malware loaded in a zip file. Let the buyer beware.

Dave Bittner: [00:09:50:21] Several healthcare organizations have been hit by a variety of attacks, showing the range of threats these attractive targets face: DDoS, data theft, and extortion by ransomware. Latvia's national health service was taken down early in the week by a distributed denial-of-service attack. Latvian authorities say it was a deliberate attack, that it was staged through a variety of foreign servers and IP addresses, and that it was probably the work of a foreign government. Which foreign government they think it was hasn't been specified, but it's difficult to avoid thinking of the usual suspect, that big country just to the east.

Dave Bittner: [00:10:27:17] Two attacks have been reported in the United States. One is believed to be unsuccessful. A Mississippi care provider, Singing River Health System, says it parried an attempt by hackers to get into its systems with the apparent intention of stealing patient information. The other attempt was successful, and it was a ransomware attack. Hancock Regional Hospital in Indiana suffered a ransomware attack last week that caused it to take its systems down for remediation. The infestation was sufficiently bothersome, however, that Hancock decided to pay the $55,000 the extortionists demanded just to get them out of their hair. Hancock Regional had backed up its systems, as is a best practice against ransomware, but in this case it wasn't enough. As always, it's better not to be infected in the first place.

Dave Bittner: [00:11:18:04] And finally, not that this would be of direct concern to any of you, but you might be interested, say, on a friend's behalf: there's been a high-risk vulnerability discovered in SinVR, a virtual reality game that allows players to explore what are described as various "adult environments," sort of what we always suspected Commander Riker was up to in the Holodeck on Star Trek: The Next Generation. Like, make it so, Number One.

Dave Bittner: [00:11:44:24] Anyhoo, researchers at Digital Interruption found the flaw in the course of research they were conducting into the security of various adult websites - research, they stress. The flaw could result in the exposure, embarrassment, and potential blackmail of people who play the games. News that, not you, but your friends perhaps, can use.

Dave Bittner: [00:12:10:03] And now a moment to tell you about our sponsor, Control Risks. For over 40 years, across 178 countries, Control Risks has partnered with the world's leading companies to help them be secure, compliant, resilient and to seize opportunities. From kidnapping in the jungles of Colombia, to cyber-enabled extortion, they've been with their clients as risks have evolved. In an interconnected world, cyber risks are everywhere you operate. Control Risks has a comprehensive view of cyber security, a critical business risk within a context of geopolitical, regulatory and competitive complexity. And thanks to their unique heritage, they provide clarity and actionable guidance that only decades of risk experience can bring. Control Risks brings reassurance to the anxiety about your cyber risk. Let them show you what over 40 years in the risk business has taught them. Find out more at controlrisks.com. That's controlrisks.com. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:13:16:23] And I'm pleased to welcome to the show, Zulfikar Ramzan. He is the Chief Technology Officer at RSA. They're a Dell Technologies business. He leads the development of RSA's technology strategy and he's responsible for bringing to market innovations that protect customers from advanced cyber threats. Zulfikar, welcome to the show.

Zulfikar Ramzan: [00:13:33:06] Thank you for having me, it's a pleasure.

Dave Bittner: [00:13:35:00] So before we get going on some actual topics here, we always like to take a few minutes and introduce our new partners to our audience. So why don't we begin, how did you get started in cybersecurity, what's your background?

Zulfikar Ramzan: [00:13:47:01] Well, interestingly enough, I think I've always been somehow interested in cybersecurity. I began probably about a couple of decades ago. My school at the time had won a competition and got access to a number of, at that time, internet-connected computers, and that was a big deal for us. And what was interesting is that the people maintaining those systems at the time were teachers, so they didn't know much about security and they were just trying to keep the systems up and running. But it was really a good fertile ground for somebody interested in cybersecurity because it was an opportunity to understand how these systems worked, how to bypass them and so on and so forth. I think around that same time I read Cliff Stoll's book, The Cuckoo's Egg, which is I think a bible for many people who are in the field today, and the combination of reading The Cuckoo's Egg and getting access to these internet-connected computers sparked an interest and love for me in this field, and it's been a fun ride ever since.

Dave Bittner: [00:14:34:20] And you're an MIT grad, you also have a PhD in electrical engineering and you've got over 50 patents on your name.

Zulfikar Ramzan: [00:14:41:05] That's right, I've been very fortunate to work with a lot of really smart people and fun problems, and being able to work in a field that's growing and where innovation is such a big part of what you do, it's really good fertile ground for coming up with new ideas and trying to advance the state of the art.

Dave Bittner: [00:14:55:16] And so there at RSA, what kinds of things take up your time day to day?

Zulfikar Ramzan: [00:15:00:02] Well a number of things. I think I have two parts to my role. A big part of my role is what I think of the external facing part of the CTO role which involves going out, talking to customers, meeting with our partners, talking to people like yourself, really thinking about the way that the overall security landscape is trending, what are some of the major trends overall and how things are evolving in general. And then I take that knowledge and bring it back in house to figure out what we should be doing in terms of our technology strategy, how we should be looking in different areas. And sometimes it's a mix of both. Sometimes I learn about new technology areas so I can help advise our customers on how they should be thinking about those areas, so topics like Artificial Intelligence and machine learning, blockchain - which has been very common and popular lately - and so on and so forth.

Dave Bittner: [00:15:41:23] Right, well Zulfikar, we're certainly excited to have you be part of the show, welcome.

Zulfikar Ramzan: [00:15:46:08] Thank you.

Dave Bittner: [00:15:49:09] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of Artificial Intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:16:11:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik. Social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.