The CyberWire Daily Podcast 5.23.18
Ep 605 | 5.23.18

Variant 4 and other chipset vulnerabilities. Confucius and Patchwork. Turla goes two-stage. Misconfigured not-for-profit bucket. ZTE's fraying lifeline. Facebook and the EU. Brain Food.

Transcript

Dave Bittner: [00:00:03:23] Variant 4 - we may see more like it. Mitigations are under preparation. The Confucius threat group modifies its approach to targets. Turla adopts a two-stage infection technique. A misconfigured AWS S3 bucket exposes a California not-for-profit's clients. ZTE's lifeline may not be so strong after all. Facebook's EU testimony gets tepid reviews. A botnet is pushing smart pills and diet supplements, not that any of you would be tempted.

Dave Bittner: [00:00:39:09] Now a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation you'll save your team time while making informed decisions for your security operation and strategy, find threats, evaluate risk and mitigate harm to your organization. Every day organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows.

Dave Bittner: [00:01:16:24] The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyber threat defense and the confidence to make strategic business decisions. With ThreatConnect your team works as a single cohesive unit, reinforced by a global community of peers. To register for a free ThreatConnect account or learn more, visit threatconnect.com/free. We thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:57:16] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 23rd, 2018.

Dave Bittner: [00:02:10:13] The speculative execution vulnerabilities at the heart of Spectre, Meltdown, and the recently disclosed "Variant 4" represent, observers say, issues at the foundation of most current chipsets. Many expect other flaws to emerge soon. A speculative execution side-channel attack of the kind Variant 4 would allow is, analysts say, difficult to execute, which is probably why Microsoft rated the risk associated with Variant 4 as low. But such vulnerabilities are also difficult to address. Various mitigations and fixes are expected over the next few weeks.

Dave Bittner: [00:02:49:09] Trend Micro offers an update on the Confucius threat group. It's still spying on South Asian targets, mostly Pakistani, but it's moved its infection vector from romance sites to adult content-serving Android apps, and, again, romance scams. In an extended sense perhaps this isn't too much of a thematic shift. Romance scams have a long sad history in ordinary crime as they do in espionage, but Trend Micro thinks using them for the installation of spyware is a relatively novel move.

Dave Bittner: [00:03:22:05] There's no consensus, by the way, about the actors behind Confucius, but Trend Micro sees a connection to the Patchwork group - there's a good bit of code-sharing. The Confucius downloader has an interesting self-deletion function that appears to confine it to targets from a list of allowed countries. Trend Micro's report says that most South and Southeast Asia countries, including Mongolia, are on the allowed list. Most of the Middle East and Africa are on the allowed list. In Europe, only Ukraine is allowed, and in the Americas Confucius is interested only in Trinidad and Tobago. No country in Oceania is on the allowed list. Make of this what you will, but of such thin circumstance is attribution often woven.

Dave Bittner: [00:04:10:18] According to ESET, operators of the Turla Trojan package have moved away from the custom backdoors they've hitherto used in their Mosquito campaign. They're now using the open-source Metasploit pen-testing framework as their initial backdoor. Turla is widely regarded as run by Russian intelligence services. It's been tracked for some time - Symantec gives it a discovery date of January 13th, 2014 - and it's been involved in a number of espionage campaigns since then. It's used both in spearphishing emails and watering hole attacks to install its exploits in victim systems.

Dave Bittner: [00:04:48:01] Authorities in the UK have been particularly on the alert for Turla. The National Center for Cyber Security has warned that Turla is using tools, Neuron and Nautilus, that primarily target mail servers and web servers. The goal is to establish and maintain persistent access for intelligence collection.

Dave Bittner: [00:05:08:13] On the strength of ESET's recent findings, the security company sums up by advising incident responders to look for the two-stage infection process. The first stage is an open-source pen-testing project, and the second stage is installation of the custom "Mosquito" back door.

Dave Bittner: [00:05:26:06] UpGuard says it has located another misconfigured AWS S3 bucket. This one belongs to Los Angeles County 211, an LA-based not-for-profit whose business is providing information and referrals for health and human services in the county. Among the 3.2 million personally identifiable files exposed are logs and notes on suicide distress and domestic abuse calls, which makes the data exposure unusually troubling. Any enterprise that uses AWS would be well-advised to look carefully at its configurations to ensure that their buckets haven't been inadvertently exposed to the Internet at large.

Dave Bittner: [00:06:08:00] Recent news about vulnerabilities in mobile fitness apps prompted security firm SEWORKS to take a closer look at the top ten fitness apps on the Google Play Store. Sung Cho is VP of Growth and Strategy at SEWORKS and she shares what they found.

Sung Cho: [00:06:23:17] We found that they all have some sort of security issues and all of them have critical and medium degree of security vulnerabilities. We thought this was worth addressing.

Dave Bittner: [00:06:37:02] What kind of vulnerabilities did you find?

Sung Cho: [00:06:40:00] The common things that we found, firstly, was file input and output. One thing that I want to note is that this may not be seen as a critical vulnerability, depending on your internal app development environment. However, this still is considered as one of the top critical vulnerabilities in the overall mobile app world. We found that many apps have these vulnerabilities. Another thing is called Intent. Intent is a coding framework that allows apps and components to communicate with one another by passing messages. This helps specify between a procedure to code, and the arguments to use. This is basically a communication system, which is another thing that we consider as a critical vulnerability. In addition to file input and output and intent, we also found URL schemes which are intents that allow applications to communicate with servers and web pages from inside an app.

Sung Cho: [00:07:51:20] One thing that we often encounter is a lot of developers find it quite safe, once they have the server site secure. However, I would really like to highlight that, even if your server is secure, your apps are not as secure as your server. Hackers still can compromise your apps and even ultimately the server too, because apps are oftentimes used as an entry point for hackers.

Dave Bittner: [00:08:21:11] You all make the point of the importance of considering security from the very beginnings of developing the app. What are your recommendations for these app developers? How could they have done a better job?

Sung Cho: [00:08:33:08] I would really like to recommend thinking about security from the designing phase, from the architecture phase. Oftentimes developers don't have enough time to think about security when they develop apps, because they either don't have enough expertise in security or they don't have time or resources to invest in security. At the end of the day security will be the biggest problem in your app development, or even after your app goes live. So I would really recommend thinking about security from the beginning of the development phase. Once you're done developing there are also many other security solutions or software that can help to add and strengthen your security for your apps as well, so I would look out for those as well.

Sung Cho: [00:09:27:00] I would also like to mention more common vulnerabilities that we found were insecure data storage M2 and M8 code tampering, as well as M9 reverse engineering. Based on these results, I would like to address the importance of obfuscating and encrypting your source code to prevent reverse engineering and to protect against many other hacking damages that can happen from that, such as creating copycat apps and source code modification, which could also lead to malware insertion or payment fraud as well.

Dave Bittner: [00:10:10:10] That's Sung Cho from SEWORKS.

Dave Bittner: [00:10:15:06] The US Administration is squeezing ZTE for leadership changes and trade concessions. Congress however may buy none of it - many members argue that ZTE is a security risk. Recall that the Commerce Department sanctions against ZTE are based not on security concerns, but rather on ZTE's evasion of international sanctions against trade with certain proscribed countries, notably but not exclusively Iran.

Dave Bittner: [00:10:43:15] Facebook honcho Mark Zuckerberg's EU testimony yesterday has not been particularly well-reviewed. Many observers, including politicians connected with the European Parliament, felt that he was evasive and didn't really answer the questions they wanted answered. That's not, it seems, entirely Mr. Zuckerberg's fault. The format of the questioning had all the leaders of the various EU political groups lay out several questions in advance, and then Mr. Zuckerberg spoke to some of them over his 22 minute response. Under such circumstances you'd have to be more than flesh-and-blood to refrain from some picking and choosing.

Dave Bittner: [00:11:20:06] He did apologize for Facebook's involvement with Cambridge Analytica and for the presence of "fake news" on Facebook. He also gave a shout-out to GDPR. But this ground is well-tread, and the European parliamentarians wanted more. In particular they're interested in fostering competition among platforms, and on that score Mr. Zuckerberg offered a mostly anodyne caution against ill-crafted regulation stifling innovation.

Dave Bittner: [00:11:47:20] Security firm Proofpoint has outlined the "Brain Food" botnet, which is for the most part engaged in serving up dodgy nutritional products and regimes, often falsely branded as big successes on the popular plutographic TV show Shark Tank. The bots are sending people to pages that hawk supplements to help you diet and make you smarter. All of you, of course, are smart enough and fit enough to need neither, but you might pass this information onto friends who might be tempted. We're always looking out for friends.

Dave Bittner: [00:12:25:03] Now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details and much more. See what Workspace ONE can do for your enterprise security; you'll find it at thecyberwire.com/vmware. We thank VMware for sponsoring our show.

Dave Bittner: [00:13:26:16] Joining me once again is Daniel Prince. He's a Senior Lecturer in Cyber Security at Lancaster University. Daniel welcome back, we wanted to touch today on risk management and uncertainty. What do you have to share with us today?

Daniel Prince: [00:13:39:20] Thank you for having me back on. I've been doing quite a lot of work looking at risk management, thinking about actually: what do we mean by risk? When you start to look at some of the formal definitions, risk is really looking at a system where we can know all the specific outputs and we can assign probabilities to those possible outputs. The problem I'm finding with digital systems is that the ability to be able to enumerate all the possible outcomes, all the possible problems that that system has, is nearly impossible because of the complexities of the system. That leads us into the concept of uncertainty, where we know some of the possible outcomes, but we just don't know all of the possible outcomes. Therefore it becomes much more complicated to have a quantitative based system to understand where all the probabilities of all the different outcomes happen.

Daniel Prince: [00:14:38:05] This is really important when we start to talk about things like systemic risk within systems. Systemic risk is this concept that there is an underlying big problem that could actually change the way that people behave. But that assumes that one: we can identify all the possible outcomes and assign probabilities and, two: that we know the whole system. My point here is that we can't know all the possible outcomes, so we have to start thinking about systemic uncertainty. That leads you on to, instead of doing really a lot of planning, a lot more thinking about: how do we respond to incidents? Which is one of the reasons why, when I'm teaching and thinking about risk management, I'm actually thinking more about: how do we prepare people to be able to respond effectively to the materialization of unintended or bad events within a particular system, including the people and the technology?

Dave Bittner: [00:15:38:12] Do you find that people approach this in a logical way? Do people come at it thinking that they can eliminate all risk? Do they have unrealistic expectations?

Daniel Prince: [00:15:48:23] I think the unrealistic expectations start with believing they can know all the possible outcomes that a computer system could generate. In some ways that's a little bit of a naïve position to take. I think, if you talk to a lot of technologists they wouldn't take that position, but a lot of other people, who are not completely aware of the complexities of computer systems, do take that position and believe that you can know all the outputs. There is often, I find, a bit of an overconfident bias within some technical people, within risk management, that they assume that they can know all the possible outcomes and quantify them and then they're dealt with.

Daniel Prince: [00:16:33:04] The reality is it's much more important for a whole organization to be really prepared to face an incident. That's not just the technical people, but the business people all across the whole organization. They need to think about how the organization really responds as a collective of people to support the organization to deal with a specific threat.

Dave Bittner: [00:16:59:24] It strikes me that it's not unlike how we deal with ourselves, our human bodies and our frailties and our ability to get sick. So, you can wash your hands, not sneeze on your co-workers, but still people are going to get colds, people are going to get the flu and, as an organization, you have to be prepared for that, that sometimes people aren't going to be able to show up for work.

Daniel Prince: [00:17:24:20] Yes, in our day to day lives most of us are quite happy with uncertainty. We're quite happy to be able to deal with the unintended outcome, things we didn't think about. We are capable of doing that, and we accept that we have that in our daily lives.

Daniel Prince: [00:17:45:05] But what's interesting, when it comes to computer systems, because it is technology and because it's engineered, there is this kind of, well why can't we know everything? That's the question that comes out. But if you take a standard computer system, you've got some hardware, that we don't know what's in it, we don't know where its vulnerability is. Things like Meltdown and Spectre are key examples of that. Then we put an operating system on top of that, which could have some problems. Then we install a wide variety of applications on top of that, and no one installation is exactly the same as the other. So every single system we have and all the systems that interconnect us, can be considered as unique as every single person on the planet. When you start to think about it like that then we really need to start to think about doing the best defense we can but also be able to respond as effectively as we can as well.

Dave Bittner: [00:18:40:12] Daniel Prince, thanks for joining us.

Dave Bittner: [00:18:47:18] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:15:22] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:19:25:05] Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.