The CyberWire Daily Podcast 2.14.18
Ep 536 | 2.14.18
Olympic Destroyer updates. Cyber forecasts from the US Intelligence Community. Patch notes. Cryptojacking and coinming. Ad blockers (also an incentive to coin mining).
Transcript

Dave Bittner: [00:00:00:14] We do appreciate all of our Patreon supporters. You can find out how to support us at patreon.com/thecyberwire.

Dave Bittner: [00:00:10:22] Olympic Destroyer exploits EternalRomance and morphs as it moves from machine to machine. The US Intelligence Community tells Congress to expect a more assertive Iran, Russia and North Korea in cyberspace. They also forecast more election influence operations. General Nakasone has been nominated to succeed Admiral Rogers at NSA and US Cyber Command, and coin mining continues to make a nuisance of itself.

Dave Bittner: [00:00:42:05] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire we subscribe and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely. Because that's what you want: actionable intelligence. So, sign up for the Cyber Daily email, where every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:02:00:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Wednesday, February 14th, 2018.

Dave Bittner: [00:02:10:07] The Olympic Destroyer malware that hit the Winter Games being held in South Korea appears to be a complex piece of work. It's a wiper, and it spreads via EternalRomance, which is one of the alleged Equation Group exploits the Shadow Brokers leaked. More interestingly, it also contains a self-patching functionality that enables it to change its characteristics as it moves from machine to machine. Cisco's Talos research unit has been examining Olympic Destroyer, and they discern some similarities in its code to that used in NotPetya and BadRabbit. Speculation about attribution has turned largely toward Russia but, apart from circumstantial code similarities, such speculation remains based mostly on motive and opportunity.

Dave Bittner: [00:02:56:07] There are other hacks surrounding the Olympic Games, and Booz Allen's Cyber4sight research unit this morning published a useful guide to the range of threats surrounding the games. They fall into the familiar categories: nation states interested in information operations and espionage, hacktivists pushing whatever agenda they fell can be usefully advanced, and common cybercriminals looking to turn a dishonest buck by phishing and other scams.

Dave Bittner: [00:03:23:01] The US Intelligence Community's annual threat assessment sees Iran, Russia and North Korea as growing more assertive in cyberspace. They expect Russian influence operations, propaganda and disinformation, during this year's midterm elections. They say the goal is, as it was during the 2016 elections, to sow discord and mistrust.

Dave Bittner: [00:03:46:04] Spammers continue to up their game, taking advantage of botnets to send massive volumes of deceptive emails. They keep an eye on the calendar too and, with the run-up to Valentine's Day, researchers at IBM's X-Force Iris team have tracked a sizable uptick in targeted spam. John Kuhn is a Senior Threat Researcher at IBM X-Force Iris.

John Kuhn: [00:04:05:02] More specifically it's around dating spam. You know, someone impersonating someone else, saying that they like their profile on such-and-such social media, I think Badoo and maybe Facebook was in there, and pretending that they romantically like this person, or they want to talk more to this person that's getting the spam. It's just a large, large uptick in that amount of spam, centering around Valentine's Day, where people might be a little more vulnerable to responding to those types of messages.

Dave Bittner: [00:04:37:13] So, can you give us an idea of the scale of this? What's the size of the campaign?

John Kuhn: [00:04:41:09] So, we witnessed over 230 million spam emails coming from 950,000 different IP addresses, that are infected with the Necurs botnet.

Dave Bittner: [00:04:51:20] And the Necurs botnet, what's behind that? This is controlling zombie bots?

John Kuhn: [00:04:56:22] Exactly, yes. It's a peer to peer botnet that is rather large: it's over six million infected nodes last count.

Dave Bittner: [00:05:05:07] So, what's your recommendation for people to protect themselves against this? I mean obviously there is education, but if I'm running an organization and, you know, Bob down in the mail room has fallen on hard times in the romance department and thinks to himself, "Well, what would possibly go wrong? I might as well click on this and give it a shot." Beyond education, how can I protect my organization?

John Kuhn: [00:05:26:01] You know, utilizing spam filters, obviously. We've been using spam filters since spam was created, but keeping those updated, keeping the definitions updated, keeping the intelligence inside of them updated absolutely key. The little more tricky part about this as most spam, as you know, they use a lot of mixed English and they used a bit of misspelled words, and those things are easily identifiable. This particular campaign it was very straightforward plain English, so a lot of the spam filters might be tripped up, so monitoring those spam filters, seeing what's coming through and seeing what's coming through in your own In-box, again, educating your staff to report things as spam, absolutely key. Education is first and foremost, but there is technologies, obviously, that can help thwart this stuff from even getting to the endpoint or the victim in the first place.

Dave Bittner: [00:06:15:07] And in terms of an overall trend, is this something that we're seeing more and more of, these sort of targeted spam campaigns based on events throughout the year, taxes, Valentine's Day, things like that?

John Kuhn: [00:06:26:05] Yes, because they're most effective around seasonal things. Obviously, Valentine's Day they're going to go with a romance thing. Maybe around Christmas they go with sales or deals or something around the Christmas holiday. It just garners them more return on the spam campaign that they're sending out. I mean, the Necurs botnet, historically used to send malware, right? It used to distribute malware: banking Trojans, ransom-ware, remote access Trojans. They're kind of dabbling in this spam game, you know, with the pump and dump stock schemes that they're using. The most important thing about this is, this is a very, very large botnet, and it's important to track that the understand what their campaigns are to try to get ahead of them as a security researcher or a security organization or just protecting your organization against things that are coming from them. They tend to do things in a large high volume, so it's sort of easy to detect, but they don't care necessarily, because they have such a high volume that they figure if they just send it out everywhere they're going to get a bit of return, and even a slight return on their investment is a win for them.

John Kuhn: [00:07:32:12] The other thing is they save a lot of money, right? They're not utilizing their own resources. They're not buying servers to send this out, they're compromising endpoints, they're utilizing stolen bandwidth, stolen processors, processor usage. I think that's very key when they start talking about just the sheer volume of the Necurs botnet and what they're capable of.

Dave Bittner: [00:07:52:20] That's John Kuhn from IBM's X-Force Iris research team.

Dave Bittner: [00:07:59:00] On Patch Tuesday, Microsoft fixed 50 bugs, 14 rated critical, affecting widely used products including Outlook. Adobe patched 39 flaws in Acrobat and Reader.

Dave Bittner: [00:08:12:15] US Army Lieutenant General Paul Nakasone, long the front-runner, has been nominated to succeed Admiral Rogers as Director NSA and Commander, US Cyber Command. He'll be dual-hatted, at least initially, when he takes over this summer. A fourth star will come with the job.

Dave Bittner: [00:08:31:10] Cryptocurrency miners continue to trouble users of the internet. Kaspersky Lab warns of a zero-day in the Telegram messaging app that's been exploited by crooks to install miners on victim machines. The malware collects ZCash and Monero. Telegram has fixed the problem, which was specific to the Windows version of their app so, if you're a user, it's time to update your software.

Dave Bittner: [00:08:55:20] The malware, which Kaspersky researchers connect to Russian organized crime gangs, operates by concealing executable Javascript using Unicode right-to-left override characters, RLO. Thus, the malicious file looks like an innocent png image.

Dave Bittner: [00:09:13:19] Criminal coin miners last week infested a lot of government sites, mostly in the United Kingdom, but also in Australia, the United States and Canada. CoinHive is the typical payload crooks are installing in the targets. CoinHive, it seems, was developed by people who thought it would be innocent, fun and, mark this, voluntary. Unfortunately, as CoinHive's creators have explained to Motherboard, their code got away from them and found its way into the hands of criminals. For some reason, they didn't think this would happen and regret it.

Dave Bittner: [00:09:44:18] Among the casualties of CoinHive abuse, TechCrunch complains, is SETI, the search for alien life that looks anomalous and possibly intelligent, artificial signals in the cosmos. SETI had done a lot of its work by using unused CPU resources in thousands of machines. Thus, unused resources are now increasingly in use by third parties busily mining cryptocurrency.

Dave Bittner: [00:10:10:07] Google is about to deploy an ad blocker to Chrome. Mountain View is expected to roll out the new feature tomorrow. It won't be, observers say, an alternative to software like AdBlock Plus or uBlock Origin. Instead, it represents Google's attempt to stop the more annoying sorts of ads from hitting your screen. That is, it's designed to block ads that don't conform to guidelines issued by the Coalition for Better Ads, essentially applying the patterns realized in the community-sourced Easy Rules.

Dave Bittner: [00:10:39:19] The sorts of ads expected to be filtered will include pop-ups, prestitial ads, autoplay ads with audio and big "sticky" ads. There are some differences in the filtering depending on whether Chrome is running on a desktop or a mobile device, but the principles remain the same. To Google's credit, observers say the company is subjecting the contents of its own ad networks to the same filtering.

Dave Bittner: [00:10:44:07] So, if you make a living selling ads, we do, so we're not completely unsympathetic, although we don't use ad servers, at least not yet, what are you supposed to do? Graham Cluley reports that Salon magazine now offers a choice: you can block ads, but only if you let them install a coin miner on your machine. We've taken a look at Salon and, yes, it appears that's what they're up to. They even explain it in their FAQ. To the question, "What happens when I choose to 'suppress ads on Salon?" Salon replies with a discourse on how the old mutually beneficial relationship - what Thorstein Veblen would have called "the exploitation of man by man" - in which you, the reader, get information and they, the publisher, get ad revenue, well, the times have changed.

Dave Bittner: [00:11:49:23] So, if you want to read Salon but don't want to see ads for, in our case, security software, then you'll have to let Salon install a cryptominer on your machine. Some people are complaining that mining starts as soon as you click the "Tell me more" button inviting you to install CoinHive. Well, at least they warn you that your computer's fan will turn on while Salon mines coin. Mining is disruptive but not very lucrative: the recent CoinHive infestations seem to have brought the crooks about $24. Maybe Salon should just consider a tip jar.

Dave Bittner: [00:12:27:20] And now a few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning, we know we have. But E8 would like you to know that these aren't just buzzwords, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. Go to e8escurity.com/cyberwire and let their white paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz around artificial intelligence isn't about replacing humans, it's really about machine learning, a technology that's here today. So, see what E8 has to say about it, and they promise you won't get a sales call from a robot. Learn more at e8security.com/cyberwire. That's e8security.com/cyberwire. Follow the behavior, find the threat, that's E8, and we thank E8 Security for sponsoring our show.

Dave Bittner: [00:13:32:01] And joining me once again is Dr. Yossi Oren. He's a Senior Lecturer at the Department of Software and Information Systems Engineering at Ben Gurion University. He's also a member of BGU's Cyber Security Research Center. Dr. Yossi, welcome back. You know, we often talk about how important it is to use two-factor authentication, but that can be a challenge for people who may not have well-developed motor skills or even poor vision. You have been doing some research in this area.

Dr. Yossi Oren: [00:13:59:24] We have been doing this research together with researcher Benyamin Farshteindiker. The basic idea is that we want to be able to use two-factor authentication; many of us use it to log into our banks and so on. Basically how it works is you enter your username and your password to a website and then the website sends you a series of numbers and it could be sent to you by text message or, if you're more security conscious, you have this little dongle, which is like a keyring holder, and these numbers appear on the screen and then you go ahead and you copy these numbers from this little screen to your phone, and then you can log in.

Dr. Yossi Oren: [00:14:04:16] But the problem with this is that many people are simply unable to use this. Because, if we look at the sequence of operations you need to do, it's not very simple for many people. For example, you have to have very good vision to be able to see these small numbers; some of us have poor vision. You also have to be able to memorize it. It sounds to us very simple to memorize a sequence of, let's say, six numbers and copy it, but for some people this is a very difficult task. There are people who don't have the ability to touch a touch screen or manipulate a very sensitive keyboard.

Dr. Yossi Oren: [00:15:16:01] So we were looking at a way to make two-factor authentication more accessible to these people who will be able to use their computer with more security and with more dignity, so they won't have to ask anybody to help them. So we took advantage of a very interesting phenomenon called piezo gyro coupling, which is something which we initially thought of as a security problem. When you place a very particular type of speaker called a piezoelectric transducer next to your phone's gyroscope, which is one of the sensors on your phone, you can actually transmit data from this transducer to the phone and it's actually very easy to read this from websites and from apps. You don't need any permissions, you don't need to do any modifications.

Dr. Yossi Oren: [00:15:32:16] We actually built a device which transmits these small sequences, let's say these six-digit sequences from this little transducer to the phone, and then on the phone you have a website or an application which reads it. What this means is that, for two-factor authentication, all you need to be able to do is to put your hands together. So you will be holding your phone in one hand our device, which is about the size of a coin, for example, when we finish shrinking it, and you just put them together. You touch them together for three or four seconds, and during this time period this transducer is going to send the two-factor authentication sequence to the phone through the gyroscope.

Dr. Yossi Oren: [00:16:46:09] We've tested this on various phones and on various web pages and applications. You get a pretty good data rate and error rate using this system. What's nice about this gyroscope system is that it already works on the hardware that you already have on your phones or on your tablets or on some of your laptops.

Dave Bittner: [00:17:03:21] I see.

Dr. Yossi Oren: [00:17:05:02] So you can start using it tomorrow.

Dave Bittner: [00:17:07:04] So, the code that's being sent to you is being converted by the piezo speaker and then the phone is set up to receive that signal. So the person transmitting it, they're not doing anything different than they would normally?

Dr. Yossi Oren: [00:17:19:11] Yes. So, instead of looking at the sequence of numbers with their eyes and memorizing it with their brain and typing them with their fingers, they're just going to put two hands together and the same sequence is going to be transmitted. We actually implemented using RFC, the internet standards, which is a very standard way of generating these sequences, these two-factor authentication sequences. We exactly used this exact same standard. The only difference is, instead of transmitting it using our eyes and memory and fingers, we're transmitting it using this gyroscope and a piezoelectric transducer.

Dave Bittner: [00:17:56:18] Right, that's interesting research, as always. Dr. Yossi Oren, thanks for joining us.

Dave Bittner: [00:18:05:07] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:18:26:23] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening.