The CyberWire Daily Podcast 6.15.18
Ep 621 | 6.15.18

MysteryBot developed from LokiBot. Satan rebranded as DBGer. Snooping on iOS got harder, but maybe not impossible. IG report on the FBI is out, not damning but not good, either.

Transcript

Dave Bittner: [00:00:04:00] MysteryBot is under development and presumably being prepared for sale on the black market. Satan ransomware gets a makeover and a new name. Apple has taken measures to make iOS traffic less accessible to snooping, but lawful snoops may already have a way round that security. Kaspersky will no longer work with Europol. The US Justice Department IG reports on the FBI, and a former Jeopardy champion cops a hacking plea.

Dave Bittner: [00:00:11:18] Time to tell you about our sponsor, Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it - the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff, and we're betting that, however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. We thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:48:10] Major funding for the CyberWire podcast is provided by Cylance. From CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 15th, 2018.

Dave Bittner: [00:02:01:01] Researchers at ThreatFabric are tracking what they've named "MysteryBot", multifunctional Android malware under criminal development that combines a keylogger with a banking Trojan and mobile ransomware. MysteryBot seems capable of targeting both Android 7 and 9 devices. MysteryBot abuses Usage Access permissions. ThreatFabric assesses the new malware as derived from LokiBot, whose source code has leaked. MysteryBot's ransomware module seems defective, but ThreatFabric thinks the developers are working on a tool that will fetch a good price in the black market.

Dave Bittner: [00:02:37:13] The authors of "Satan" ransomware have rebranded and upgraded their product. MalwareHunter says the criminals behind the code are now calling it "DBGer", and have incorporated Mimikatz to facilitate lateral movement within targeted networks.

Dave Bittner: [00:02:54:18] Apple may have closed off an access point police had used to get into suspects' iOS devices, but forensic experts think Grayshift may have found a way around the new USB Restricted Mode. In other intercept news, Elcomsoft says it's upgraded its Phonebreaker tool to decrypt iMessages in iCloud.

Dave Bittner: [00:03:14:20] Kaspersky will suspend cooperation with Europol. The Russian cybersecurity firm has long partnered with European police investigation of cybercrime, but now that the European Parliament has called for a ban on its products as security risks, Kaspersky has said goodbye to all that.

Dave Bittner: [00:03:34:08] The US Justice Department's Inspector General yesterday afternoon released the report on the FBI's investigations of "Various actions by the Federal Bureau of Investigation and Department of Justice in Advance of the 2016 Election". The inquiry covers, essentially, the FBI's investigation of former Secretary of State Clinton's handling of classified material and her use of a private server during her tenure as Secretary. That case, connected as it was to Russian hacking of the Clinton campaign and the Democratic National Committee, has been of interest to the cybersecurity sector for the last two years. The Report's 586 pages find more impropriety and insubordination than political bias. On balance, it's not good news for the Bureau.

Dave Bittner: [00:04:21:10] Five agents have been referred for consideration under Bureau disciplinary standards. As the report puts it, the agents' use of Bureau systems and devices to exchange messages that intermingled traffic about the ongoing investigations with partisan political opinion showed "extremely poor judgment and a gross lack of professionalism. We therefore refer this information to the FBI for its handling and consideration of whether the messages sent by the five employees listed above violated the FBI's Offense Code of Conduct."

Dave Bittner: [00:04:53:15] The partisan opinions so vigorously expressed went so far as to suggest that senior members of the Bureau would determine the election result. Those senior officials, notably Deputy Assistant Director Peter Strzok, say that these were regrettable temperamental utterances, not to be taken seriously, but the IG, after making due allowances for the right to hold personal political opinions, is not amused. It's unprofessional, to say the least. Anyone who's chatted and emailed will recognize, with an uneasy twinge of conscience, that they've typed things better left unexpressed, but, indeed, these indiscretions by members of the Bureau really do reflect discredit upon the organization.

Dave Bittner: [00:05:37:24] The Inspector General also found that some senior FBI officials, including former Director Comey, used personal accounts for official business and took other actions that contravened Bureau and Departmental policy. The use of personal accounts contains an instructive lesson for security practitioners. If a tool is cumbersome or frustrating to use, you'll drive users to find less secure, sometimes grossly insecure workarounds. We often see this in shadow IT. In this case, the FBI's official messaging platform, Microsoft Lync, was generally unpopular enough with employees that they sought unofficial chat channels. At least one of the officials who received the IG's attention during the investigation, Deputy Assistant Director Peter Strzok, says that he and his frequent correspondent, FBI attorney Lisa Page, really hated the clunky autocorrect on their Bureau-issued Samsung phones, and that's why they used other private systems to conduct business and exchange views. Strzok was involved in both the Clinton email and Russian influence probes.

Dave Bittner: [00:06:44:19] There were also findings concerning leaks to reporters that the IG found particularly troubling, and corrosive to the Bureau's professional culture. The IG notes that the FBI strictly limits who's authorized to speak to the media, but that this policy was widely ignored during the period under investigation. The report says, "We identified numerous FBI employees, at all levels of the organization and with no official reason to be in contact with the media, who were nevertheless in frequent contact with reporters." The IG regards such contact with "profound concern". Incredibly, the report goes on to say, "We identified instances where FBI employees improperly received benefits from reporters, including tickets to sporting events, golfing outings, drinks and meals, and admittance to nonpublic social events." A separate report on these will be forthcoming.

Dave Bittner: [00:07:41:19] Such conduct is, obviously, out of line, but the IG points out that fear of leaks and potential leaks had an unfortunate effect on the conduct of the investigation, including the timing of various announcements and letters to Congress. It's a cultural problem, the IG says: Bureau policy is both sound and unambiguous; it just wasn't followed.

Dave Bittner: [00:08:03:17] Congress expects to follow up the IG report with more hearings of its own, at least in the House Judiciary Committee, whose Chair has said they expect to subpoena Strzok and others if necessary.

Dave Bittner: [00:08:17:20] We turn with unaccustomed relief to that other prominent member of the US Intelligence Community, the Central Intelligence Agency. Motherboard, wondering, like most of you, who and where in the world Satoshi Nakamoto is, submitted a Freedom of Information Act request to the CIA asking if they had the goods or at least a file on the legendary creator of Bitcoin. The Agency replied tersely that it can neither confirm nor deny that it has any information on Satoshi-san. So who he is, or even if he exists at all, are questions we'll get no help with from Langley.

Dave Bittner: [00:08:55:19] Finally, the answer is, "Guilty", and the question, Alex, is: What plea did the former Jeopardy champ cop in that email hacking case?

Dave Bittner: [00:09:09:16] Stephanie June Jass, former Professor of History at Michigan's Adrian College, and at one time the top-scoring woman in the long history of the Jeopardy quiz show, told Lenawee County Circuit Judge Margaret M.S. Noe, "Yes, I knew what I was doing," when she pled guilty to one felony count of unauthorized computer access. She accessed another person's email account at Adrian College. Sentencing is currently scheduled for July 20th, and Ms. Jass could receive up to five years and a $10,000 fine.

Dave Bittner: [00:09:46:07] Now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies, and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption, and they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on A Comprehensive Approach to Security Across the Digital Workspace will take you through the details and much more. See what Workspace ONE can do for your enterprise security at thecyberwire.com/vmware. We thank VMware for sponsoring our show.

Dave Bittner: [00:10:37:07] Joining me once again is Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. I wanted to talk today about a little side project that you have, that I know many of us enjoy, and it is the Little Bobby comic strip. There's also a Little Bobby book, which you can get on Amazon - there's a print version, there's also an electronic version, which I understand if you're an Amazon Prime subscriber you can get for free, so I don't know how you feel about that.

Robert M. Lee: [00:11:01:19] Taking money out of my comic book empire!

Dave Bittner: [00:11:15:21] Exactly. I wanted to dig into the motivation. How this started, and why you chose this as a way to get some of those messages out there?

Robert M. Lee: [00:11:26:17] Yes. I think comic books are approachable. I mean, I have to admit a lot of it is based on snark, as maybe folks who know me by now might appreciate. It really started out when I was in the military in the Intelligence Community. There was a variety of discussions around SCADA, industrial control systems, and I found it very difficult to explain to folks. I started seeing some teams that would pop up, and I remember one team said, "We're going to do offense against SCADA." I was like, "Oh, goodness, civilian infrastructure, I don't know if we should do that. But, you know, if you're going to do it, I don't want you to do it wrong, so I'll teach you what I know." I spent hours with them, showing them things and teaching them things. At the end, these new offensive folks were like, "Yeah, cool. So what does SCADA stand for?" I'm like, "What?"

Robert M. Lee: [00:12:17:18] You're starting off like an offensive mission, you couldn't even be bothered to Google the term? I kind of got mad at it, actually, and so I furiously went home and wrote out the book SCADA and Me: A Book for Children and Management. It was a little bit of snark. And my buddy Jeff Haas is a comic book illustrator, so I asked him to take my really awful drawings and make them better. So we gave it back to these military folks when that happened. But surprise, surprise, to me, is they were laughing and sort of took it in good stride and like, "Hey yeah, we were just randomly assigned to this mission." I'm like, "Ah, okay. You know what, no one's trying to be a jerk." And so since then, I've kept it alive.

Robert M. Lee: [00:13:04:07] It's been crazily well-received in the community, then even published a second one, Threat Intelligence and Me: A Book for Children and Analysts. Then every Sunday, Jeff and I publish another little comic strip on our website - take some complex topic and try to break it down into an easy-to-understand kind of three-panel comic.

Dave Bittner: [00:13:27:08] It strikes me that it allows you the opportunity to speak truth to power, in a way. That, by having this construct of a child, who is often questioning folks who are spewing platitudes or misconceptions. You know, the court jester was the only one who could criticize the king, right?

Robert M. Lee: [00:13:49:12] Yeah, absolutely, and I think you're hitting on something there, too. With a lot of our professionals in infosec, I think sometimes we can be afraid to ask questions. We're seen as the smartest person in the room sometimes, unfortunately, on any given topic. We all know, in reality, that we all have our small niche expertise. It can be intimidating to ask questions if some vendor, some Senator, some whoever comes and pitches, like, "We're going to do blockchain in artificial intelligence," and you're like, "Oh, how is that going to work?" And you want to ask questions, but you're like, "Oh, okay." So it's kind of that outlet where Little Bobby can do it for us, and be like, "You know what, can somebody explain the blockchain value to me, for security?" And then nothing happens, and he's like, "Okay, that's about what I thought."

Dave Bittner: [00:14:37:17] Right. Well it's definitely a lot of fun, worth checking out. What's the best place for folks to check out Little Bobby?

Robert M. Lee: [00:14:43:05] It's the website - every Sunday the free comic's published. It's littlebobbycomic.com.

Dave Bittner: [00:14:49:15] Rob Lee, as always, thanks for joining us.

Dave Bittner: [00:14:56:14] I've got a few notes to share from our sponsor, Cylance. You've heard a lot of warnings about Russian cyber operators and their threat to the power grid in the UK, North America and elsewhere. Did you ever wonder how they get in? Sure, there's phishing and spearphishing, those can never be discounted, but here's a twist: Cylance has determined that one of their ways into the grid is through routers. They've found that the Bears are using compromised core routers to hit government agencies and organizations in the energy, nuclear, commercial facilities, water, aviation and manufacturing sectors. That's a bigger haul than a phishnet could catch. Go to threatvector.cylance.com and check out their report on Energetic DragonFly and DYMALLOY Bear 2.0. I'm sure you'll find it interesting. We thank Cylance for sponsoring our show.

Dave Bittner: [00:15:40:09] At the RSA conference this year, there was one vendor booth that was not like the others. Selling his wares was one Francis Archibald Keyes, Esq. Yes, those initials spell FAKE. Complete with top hat, handlebar mustache and a traveling salesman's horse-drawn wagon, full of tonics and liniments that were sure to cure whatever cybersecurity ailments you might be suffering from. Fake security indeed, made all the more mysterious by the fact that that booth had no reference whatsoever to any known cybersecurity company. Needless to say, it generated some buzz. Scott Petry is CEO and co-founder of Authentic8, and he may just know something about what was going on here.

Scott Petry: [00:16:45:23] The birth of the idea came from two places. One is the fact that the industry has been promising customers solutions to the cybersecurity dilemma for years, and just continues to sell more and more tech into the community. If you go to events like RSA, it's a cacophony of vendors yelling and selling. The other thing that drove us to do it was the fact that trade shows, they're hard, they tax organizations from a dollar perspective, from a messaging and creative perspective, from getting people to stand in the booth and try to engage with customers - they're difficult. We said, can we combine the observation in one, and have fun in two, and do something completely different at RSA? Hopefully get up a little bit of awareness.

Dave Bittner: [00:17:32:03] I think one of the things that certainly caught people's eye is the fact that there was not any branding for Authentic8 in the booth, which lent the whole thing a certain air of mystery.

Scott Petry: [00:17:42:15] It's funny, yes, because up until the day before, we were having discussions about: how do we reveal who we are? I stood by the booth. I was just enjoying the process so much, and we decided, we're not going to say anything about it. In fact, we coached the actors, if they keep digging and keep asking, just dig in more and be more obstinate - "I don't know who this Authentic8 is, but I can tell you that these are all the solutions you need here." It was really funny, because it created a psychological game about it. My favorite thing coming out of it was there was an information security team that did a deep forensic dive of how they tried to figure out who we were. They did "whois" records on our fakesecurity.com website. They looked at registered vendors. It wasn't that hard, because we bought the RSA booth under the name of Authentic8, so you didn't have to reach very far, but we created enough confusion by not being Authentic8 in the booth that people had to dig a little bit deeper.

Scott Petry: [00:18:51:13] We went there having no expectations, just let's call the lie to the market and let's have fun doing it, and it turned out to be a pretty good way to get some people to be aware of our company and aware of our message.

Dave Bittner: [00:19:03:22] What was the spectrum of responses? Did everybody get the joke, and were there some people who didn't appreciate it?

Scott Petry: [00:19:11:21] More got it than not. I think if we had revealed it quickly, like "Oh, we're just joking, we're Authentic8," I think then people would have maybe, "Oh, it's just another clever marketing tactic by a company." Since we stuck to our guns, you could look at the faces of people - when they'd walk by, they'd do the double take, and then the actor would engage them and start riffing about Extract of Artificial Intelligence, or whatever, and start touting the goodness of the tonic, and then they'd smile. Then they'd have this look on their face, like, "What's the catch? What's the hook?" There'd be no catch. We'd hand them a bottle, and then we'd go on to the next person. People universally enjoyed it. We didn't get any negative response.

Scott Petry: [00:19:55:06] We had one guy who was an executive from another company basically respond to a LinkedIn post about it, which says, "That's not going to win you any friends in the industry." So I don't think other vendors necessarily liked it, but to the people walking by, attending a trade show, I think it was a little bit of a respite from the cacophony.

Dave Bittner: [00:20:16:04] What does it say to you about the state of the industry and how people are feeling about the products that are out there?

Scott Petry: [00:20:32:11] I think it says, very simply, the industry knows that it's an unhealthy relationship between customer and vendor, but they have to do it. You can't not buy security solutions. You can't not stay current on your technologies. You can't not listen to vendors talking about breakthrough enhancements or new capabilities. At the same time, we've been hearing those promises forever. We're still in the situation where things are getting worse. It was maybe refreshing to step above it and acknowledge that we're all part of this equation.

Scott Petry: [00:21:06:03] We didn't have a lot of discomfort about: should we make this investment and should we try something that is a little more shocking or less traditional? We knew we were going to execute it well, we just weren't sure how it would land. So I was very relieved that it landed well, because we put a lot of effort into this and really, we were resolute that we were going to stay true to it and stay committed. So it was a big relief that it actually worked.

Dave Bittner: [00:21:31:03] That's Scott Petry from Authentic8. The campaign is still running online. It's at fakesecurity.com.

Dave Bittner: [00:21:41:09] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:22:00:08] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:22:09:03] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:22:18:01] Our show is produced by Pratt Street Media, with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.