Patch Tuesday notes. Skype DLL hijacking vulnerability. Olympic Destroyer malware described. Lazarus Group newly active. BitGrail heist? Cyber Valentine.
Dave Bittner: [00:00:01:05] We've got all kinds of nifty benefits for our Patreon supporters. You can find out all about that at Patreon.com/thecyberwire.
Dave Bittner: [00:00:10:23] Patch Tuesday, will not include a Skype fix. That one will take some time and attention. Olympic Destroyer is the malware thought to be infesting the Winter Games. Attribution remains unclear, but a lot of suspicious eyes are looking at you Mr. Putin. The Lazarus Group is stepping up it's cryptocurrency stealing game. Questions swirl around the alleged BitGrail cryptocurrency exchange losses. And hey, Valentine's Day is tomorrow.
Dave Bittner: [00:00:41:16] Time to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber daily. We look at it. The CyberWire staff subscribes and consulted daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough.
Dave Bittner: [00:01:04:20] Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber News, Targeted Industries, Thread Actors, Exploited Vulnerabilities, Malware and suspicious IP addresses and much more. Subscribe today and stay ahead of the Cyber attacks. Go to Recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future.
Dave Bittner: [00:01:37:00] That's Recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:52:04] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Tuesday, February 13th, 2018.
Dave Bittner: [00:02:02:03] It's Patch Tuesday and Microsoft, and other vendors will be issuing various fixes over the course of the day. It may be a relatively quiet month. Adobe put a new flash update out at the end of last week which may do it for Adobe for a while. Mozilla updated Firefox last week too. Google pushed a chrome patch out a week ago, so we may see little from them as well. Microsoft is expected to publish it's customary windows update today.
Dave Bittner: [00:02:28:12] One patch users will have to wait for involve Skype, a widely used telecom software. The product developed by Microsoft's subsidiary Skype technologies, has been discovered to suffer from susceptibility to DLL hijacking that could allow an attacker to gain system level privileges on Victor machines. DLL hijacking involves an attacker gaining the ability to control which dynamic link library, that's the DLL. A program loads which in turn permits that attacker to insert a malicious DLL into the loading process. Dynamic Link Libraries are basic components of the windows operating system that provide applications with essential resources.
Dave Bittner: [00:03:09:05] The problem arises from a flaw in Skype's update installer. Microsoft won't patch this issue immediately. It's not because Redmond is indifferent, or regards the vulnerability as minimally important, rather it's a tricky problem that will require significant re-working of Skype code. Microsoft intends to fix it in future versions of Skype.
Dave Bittner: [00:03:29:21] The bug could be weaponized but so far there are no signs that it has been. Exploiting the vulnerability isn't trivial either and so serious as the issue is, immediate danger while real is still relatively improbable.
Dave Bittner: [00:03:44:15] We recently received a report from researchers at Duo Security on a category of devices that aim to increase personal security, and whether the Cyber Security on these devices is up to the task. Mark Loveless is a Security Researcher at Duo and he explains?
Mark Loveless: [00:04:00:18] These are personal protection devices. Sometimes they are referred to as panic button. Very simple little bluetooth devices that basically if you press a button on the device, and the device is essentially only a button; it talks to an App on the phone that's matched up with it, and then the App uses the phone's GPS coordinates to send a message to a list of people that the person that pressed the button who is probably in some form of danger. Physical danger.
Dave Bittner: [00:04:35:06] And so what would be a typical use case for something like this?
Mark Loveless: [00:04:38:17] The main way these things are marketed are typically toward women who feel at risk. They're afraid of stalkers or some other type of attackers, similar in that nature. Perhaps if they, for whatever reason decide that they want to go running in a park for exercise or what not, and they just feel unsafe there. But they're also increasingly being used by human rights workers in foreign countries. People that are protesting under repressive regimes that also want some method to be able to say, "hey I'm in danger, hey come and get me".
Dave Bittner: [00:05:21:12] So the notion being that rather than pulling your phone out and having to make a phone call, you could in a very discreet way, just press a button on this device and it will do that in an automated way?
Mark Loveless: [00:05:32:19] Exactly. And, typically what the scenario that they often repeat is that in some cases getting your phone out it might actually escalate the situation.
Dave Bittner: [00:05:44:23] So we've got this device that is designed with people's safety in mind and yet in your research you all found some potential vulnerabilities in them, can you take us through those?
Mark Loveless: [00:05:55:18] We tested three devices. One of them the ROAR Athena came through with flying colors, in fact we were extraordinarily surprised as to how well it was put together.
Mark Loveless: [00:06:05:17] The second one was the Revolar device, and that one was subject to being able to track at via Bluetooth and not only be able to see the device but determine that it, in fact, was one of these personal protection devices. Because it gave it up in the name.
Mark Loveless: [00:06:26:00] And then the Wear Safe device it also was subject to tracking, but it also had a vulnerability in it's Bluetooth implementation so that a remote attacker could disable the device. And there was no indication because there's no real light or anything on the device that would indicate whether it's working or not. You just press a button and that's pretty much it. And by doing this Bluetooth attack you could disable the device, and the victim would not know the device was disabled. So you could sit there and press the button thinking that help is coming, when help is not.
Dave Bittner: [00:07:08:09] I see. Overall what's your advice for someone who thinks that this might be the kind of thing that they want to use. If someone's out shopping for this sort of device, do you have any tips for them?
Mark Loveless: [00:07:18:13] Well, first off I would say you want to go with the one that does not have any vulnerabilities associated with it. I would look for ones that really make an effort to protect your privacy. While the physical disabling via Bluetooth is an issue you have to be close enough to the person to be able to do that. Same with the tracking, but just to prevent yourself from being tracked. For me the ROAR Athena was by far the best solution for this. So if anyone spends that much attention to detail and is really trying to protect someone's privacy with a security device that's going to be what I would look for.
Dave Bittner: [00:08:03:23] That's Mark Loveless from Duo Security. You can find their complete report on these IoT Safety devices on their website.
Dave Bittner: [00:08:12:15] The Olympics are now generally regarded as having been the victims of a Cyber attack, and not a mere glitch. The game sites were taken out during the opening ceremonies last Friday, and the malware used against official sites of the Pyongyang Winter Olympics now has a name. Olympic Destroyer. It's also said by Cisco's Talos Research Unit, to share some code with NotPetya and Bad Rabbit Pseudo ransomware strains famously used last year.
Dave Bittner: [00:08:40:00] The malware was apparently used with disruptive rather than financially motivated intent, which argues a political or ideological motive. How the malware got into systems it infected is unclear, but Talos did note that the software contained would appear to be hard coded credentials based on Pyongyang 2018.com, the official domain for the winter games. Whilst Talos hasn't been able to confirm those passwords validity, the coding suggests the possibility that the attackers have some kind of advance access to Olympic systems.
Dave Bittner: [00:09:13:01] The two usual suspects are Russia and North Korea, with more of the circumstantial evidence and motive than opportunity pointing toward Russia. Russia's ministry of foreign affairs is on the counter-messaging warpath, denouncing rumors of that countries involvement as nothing more than a CIA and NSA operation concocted with firm's like ESET, ThreatConnect and Trend Micro. Bratislava-based ESET is particularly mentioned in dispatches, and the Slovak-American plot against Russia would at least have the virtue of novelty. But, ESET understandably and believably denies that any such thing is up, characterizing the charges as propagandistic hooey and misdirection.
Dave Bittner: [00:09:54:03] But nevertheless, in this case the hackers seemed likelier to answer to Moscow than they do to Pyongyang. Russia has been taking cyber shots at the Olympics and related international athletic organizations, since it's team was banned for doping late last year.
Dave Bittner: [00:10:09:07] Besides, North Korea has played an unusually strong propagandistic hand these last couple of weeks. Kim Yo Jong, sister of North Korean Leader Kim Jong Un, has enjoyed a successful stroll around the international catwalk, as the appealing public face of these secretive impoverished and repressive Democratic People's Republic of Korea. Her appearance has amounted to an information ops coup as she's been the subject of positive coverage reminiscent of the flattering treatment Syrian first lady Asma al-Assad, also the glamorous and fashionable face of a pariah state dedicated to the pursuit of weapons of mass destruction, received in fawning profiles by Vogue and other outlets a few years ago.
Dave Bittner: [00:10:50:16] Kim is now back in Pyongyang; treat accounts of her goodwill embassy with appropriate skepticism.
Dave Bittner: [00:10:57:23] North Korea may be posing as a global model citizen during the games. But, its Lazarus Group has shown a new spurt of activity in it's familiar specialty of cryptocurrency theft. Researchers at security firm McAfee are tracking the resurgence of the group's HaoBao campaign. It uses tools pioneered in earlier campaigns directed principally toward espionage, in phishing efforts directed against Crypto currency users and financial institutions, especially cryptocurrency exchanges.
Dave Bittner: [00:11:28:01] The little known BitGrail Crypto currency exchange based in Italy, says it's lost $195 million to hackers, but observers are skeptical. The currency they lost is Nano formally known as RaiBlocks. BitGrail blames the Nano development team for the loss, but Nano Core cries foul and says BitGrail has been misleading people about it's solvency for some time. BitGrail has filed a complaint against Nano developers alleging "aggravated defamation". It's too early to know what actually happened here. Two weeks ago The Next Web noted rumors that BitGrail was attempting to scam users in the course of an announced suspension of support for non European users. Matters should become clearer as investigation and litigation proceed.
Dave Bittner: [00:12:15:06] Finally, tomorrow is Valentine's Day, did you notice? Did this reminder prompt you to hustle over to online purveyors of chocolate, flowers, pajamas, jewelry, cute stuffed animals and the other impedimenta of la vie d'amour? We thought so. Well, Caveat amator; experts caution the lovelorn against entrusting their hearts to the Internet. Believe it or not, scammers are out there looking to relieve you of cash credentials and whatever residual self respect you may still be clinging to. Catphish are out there looking for you in chat rooms and social media.
Dave Bittner: [00:12:48:17] And one very odd dating site is being described by Security Boulevard, the services matches soul mates by, wait for it, their passwords. Enter your password and it will find someone who uses the very same one, for a match made in Cyberspace. So, hop to it Ninja1234, put yourself out there, LetMeIn789, the one you've been looking for is out there.
Dave Bittner: [00:13:13:00] But, seriously don't let credential harvesting let good lovin' go bad. We'll have more on the topic of Valentine's Day tomorrow when we've talked to those experts in Affairs of the Heart, the researchers at IBM security. The heart has its reasons which the reason knows not. But, apparently Watson's got a pretty good idea of what's going on.
Dave Bittner: [00:13:36:00] Time for a message from our sponsors at E8 Security. They understand the difference between a buzz word and a real solution. And they can help you disentangle them too. Especially when it comes to machine learning and artificial intelligence. You can get a free white paper that explains these new, but proven technologies at E8security.com/cyberwire.
Dave Bittner: [00:13:55:18] We all know the human talent is as necessary to good security as it is scarce and expensive. But, machine learning at Artificial Intelligence can help your human analysts scale to meet the challenges of today's and tomorrow's threats. They'll help you understand your choices too. Did you know that while we might assume supervised machine learning, where a human teaches the machine might seem the best approach. In fact unsupervised machine learning can show the human something unexpected. Cut through the glare of information overload and move from data to understanding. Check out E8security.com/cyberwire and find out more. Follow the behavior find the threat. That's E8 Security. And we thank E8 for sponsoring our show.
Dave Bittner: [00:14:43:06] And joining me once again is David Dufour, he's the Senior Director of Engineering in Cyber Security at Webroot. David welcome back. One thing we saw in 2017 was an increase of attacks on the Mac and Apple also had a handful of I'd call them high profile software issues that affected security. Are we having a problem here with the Mac? Is the Mac more vulnerable than it used to be?
David Dufour: [00:00:01:10] Well, I would say it's probably not more vulnerable than it used to be. I always like to say why do before attack Windows machines. It's like why do bank robbers rob banks? Because that's where the money is. So I guess my point in saying that is, there have been vulnerabilities in the Mac environment but they've just not been heavily used to heavily attacked because it's easier to attack other types of machines out there. So they're there but it's just not as readily available, it's a little more challenging and just like the rest of us Cyber criminals can be lazy.
Dave Bittner: [00:00:38:07] So is it the combination that there may be more vulnerabilities on the Windows side but also they're just so many more installations.
David Dufour: [00:00:45:13] One man's opinion it is there are more installations and I wouldn't say access is built from the ground upwards with security in mind, where Windows when it came out it was really built for collaboration, integration, getting things to talk together. So there's a lot of communication back and forth. I will take my hat, Windows 10 is a very good operating system re-built from the ground up with security in mind. But the Mac again and we're just talking here. The Mac is inherently more secure with OSX but it does vulnerabilities.
Dave Bittner: [00:01:16:16] And so in terms of best practices for someone on the Mac side, what sort of care should they be taking?
David Dufour: [00:01:23:11] In every single segment that you let me say it, I'm going to say you should be backing up your data. Backing up your data is the best way in case something happens and Apple makes that absolutely simple with OSX. But, most importantly and again you should do this no matter what operating system you're running on what device. You need to apply patches and Apple does a great job of when a vulnerability comes out in the OS or even a third party that runs on their OS8 they do a great job of getting a patch out quickly and patching is the best way to make sure new attacks or exploits you're not susceptible to those.
Dave Bittner: [00:01:59:06] So when you get that notice from Apple saying there's an update available go ahead and install it?
David Dufour: [00:02:03:24] Absolutely go ahead and install it especially if it's from Apple, they're very reliable, they're very good in how they approach their security.
Dave Bittner: [00:02:12:14] All right. David Dufour, thanks for joining us.
Dave Bittner: [00:02:17:02] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible especially to our sustaining sponsored Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit Cylance.com. And thanks to our supporting sponsor E8 Security follow the behavior, find the threat. Visit E8security.com to learn more. The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where their co-building the next generation of Cyber security teams and technology. Our show is produced by Pratt Street Media
Dave Bittner: [00:02:38:15] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where their co-building the next generation of Cyber security teams and technology. Our show is produced by Pratt Street Media with editor John Petrik. Social Media Editor Jennifer Eiben. Technical Editor Chris Russell. Executive Editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.