If you're running a red team, let someone know it's a drill. Apache patches Struts. Another exposed AWS bucket. Remcos abused by hackers. DPRK goes after Macs. Dark Tequila runs in Mexico.
Dave Bittner: [00:00:00] Hello, everybody. A quick reminder that we've got some nice bonuses over at our Patreon page - that's patreon.com/thecyberwire - including the highly desirable CyberWire laptop sticker. So check it out. It's patreon.com/thecyberwire. And if you can't afford to send a couple bucks our way every month, we understand. But we hope you'll consider going to iTunes and leaving a review for our show. It is one of the best ways to help spread the word. Thanks.
Dave Bittner: [00:00:29] A phishing attempt against the Democratic National Committee turns out to have been a poorly coordinated red-team exercise. Apache patches a remote code execution vulnerability in Struts. Another exposed AWS bucket. Remcos remote administration tool is being abused by black hats. Dark Tequila goes after customers of Mexican financial institutions. The Lazarus Group is back, and it's getting into Macs for the first time.
Dave Bittner: [00:01:02] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:03] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 23, 2018. In a week that's seen Microsoft, Facebook and Twitter shut down influence operations from Russia and Iran and warnings last week that China and North Korea were also interested in hacking U.S. elections, it's understandable that many people are quick to see foreign influence. And it seemed late yesterday that there'd indeed been another election hack, this one a phishing campaign directed against the U.S. Democratic National Committee, the DNC.
Dave Bittner: [00:02:38] The DNC's CSO briefed party leaders, informed the FBI and took a whack at the administration for not doing enough to protect voting infrastructure. It emerged overnight, however, that there was in fact no hack. It was a false alarm produced by a poorly coordinated phishing awareness exercise. Security firm Lookout reported a fake login page for VoteBuilder that appeared to be after credentials for the DNC's voter database. The DNC ran with the false alarm. As Lookout has since tweeted correctly, you don't know an alarm is false until you investigate. But the snafu, as CNN called it, is embarrassing. It's good to be aware of security, but it's also good to be aware of it in ways that don't turn a fire drill into a federal case.
Dave Bittner: [00:03:27] It's also worth pointing out that this is a good case study in the perils of attribution. DNC CSO Bob Lord, a Yahoo alumnus who distinguished himself by mopping up that company's big breaches, all of which occurred before he was brought in to fix things, was in full cry yesterday. He denounced hacks left, right and center, demanded action and more administration support, and congratulated his team on stopping the phishing in its tracks. Others piled on, like Representative Carolyn Maloney, a Democrat from New York, who tweeted that, quote, "this hacking attempt comes just weeks after the @HouseGOP voted against funding for voting protections. Our intel community warned us about this, and now it's happening. This isn't fake news. It's a real attack on our democracy. We need to act," end quote.
Dave Bittner: [00:04:17] The administration, in the person of Homeland Security Secretary Kirstjen Nielsen, simply congratulated the DNC on reporting the case to the FBI, which is, she said, the right thing to do. But consider, if you will, how this might have played out if victims of phishing generally had legal authority to hack back. Senator Whitehouse, call your office. This isn't a political comment, by the way. Democrat CSOs are probably neither more nor less Chicken Little-ish than any others. And Senator Whitehouse has bipartisan sympathy in Congress. But everyone, whatever their political inclinations, might well pause and think about the dangers of harum scarum attribution.
Dave Bittner: [00:04:58] We're so disposed to see cyber Pearl Harbor that we overlook the opposite possibility of a cyber Tonkin Gulf incident. No one's quite sure yet who ordered up the red-teaming phishing test. But people are pointing on background toward the Michigan branch of the Democratic Party. If that turns out to be true, then, hey, just chalk it up to experience and add the Michiganders to the list of bad-guy capitals Pyongyang, Moscow, Beijing, Tehran, Lansing. If they get to Grand Rapids, well, then, Katie, bar the door. Phishing campaigns remain a reliable way for adversaries to find their way into your systems - to trick employees to perform an action, click a link, pay a phony bill or transfer money to an offshore account. Oren Falkowitz is CEO at Area 1 Security, a company that specializes in phishing prevention.
Oren Falkowitz: [00:05:51] In some ways, phishing campaigns remain the same as they've always been. It's an attempt to lure a user to take some sort of action unwittingly, whether it's to click on a link that might drive them to a website where they might reveal a username and password or to download a file, which might infect their computer or, increasingly, to not click links or download files but just to engage in the transfer of data at the request of another or transfer of financial assets at the request of someone else.
Oren Falkowitz: [00:06:23] Now, what does evolve is an attacker's leverage, authenticity as the key kind of lure in getting individuals to respond to their phishing campaigns. And these lures around authenticity come in two primary forms. The first is primarily the hundred largest brands or companies in the world. Their logos and their corporate assets are used to make the campaigns look authentic. So it's common to see the links that people click look like logins to Google or to look like logins to Dropbox or to your financial institution.
Oren Falkowitz: [00:07:04] And the second type of authentic lure is to leverage the organizational dynamics that we all play within to make it appear as if the CEO from your company is sending you an email or a financial officer is requesting information from you. And, you know, if you really think about our organizational dynamics, it's very hard if you work at for instance the Walt Disney Corporation to receive an email that you think comes from the CEO, Bob Iger, and to not respond because you think it looks funny.
Oren Falkowitz: [00:07:35] And so we see that in a hundred percent of the time when users fall for phishing campaigns that they're trying to do their jobs correctly. That's why they continue to be the root cause in over 95 percent of cybersecurity incidents.
Dave Bittner: [00:07:50] Now, is it common that you find that if someone does fall victim to something like this - are these incidents underreported? Is there an embarrassment factor?
Oren Falkowitz: [00:07:58] I think certainly that's the case that in some instances folks might have a suspicion that they've done something wrong. But primarily folks are unaware that that has happened. It's all happening at network speed, the transfer of this. And ultimately, until there's damage, I don't think people are realizing that something has gone wrong.
Dave Bittner: [00:08:19] And so what are your recommendations for organizations to better protect themselves against these attacks?
Oren Falkowitz: [00:08:25] There's two primary things. To start with, you know, the - today the cost of being a bad guy on the internet is just really good business. And so we need generically to be increasing those costs and making it more difficult for attackers to just be sending out emails and hoping one of them lands and someone transfer them $50,000. That's a really good day of work. You know, if you think about an hourly basis, that'd be great for you and I.
Oren Falkowitz: [00:08:52] And the second is that organizations need to invest in technologies that are comprehensive and specifically focused on stopping phishing. You know, historically organizations have invested in antispam technologies, which is not the same as phishing. And those antispam layers consistently miss some of these phishing campaigns. They're consistently bypassing those layers. Education and awareness programs are totally ineffective at stopping the inevitability of the click.
Oren Falkowitz: [00:09:22] And as part of layered defenses, organizations need to start investing in technologies that are special purpose designed for phishing and to be comprehensive. You know, on one level, many people believe phishing is an email problem. And while email is a primary vector for these phishing campaigns, it's not the only vector. A large number of them persist across the world wide web. And so there's a need for a comprehensiveness in this approach as well.
Dave Bittner: [00:09:49] That's Oren Falkowitz from Area 1 Security.
Dave Bittner: [00:09:54] Apache Struts has been found vulnerable to remote code execution. Security firm Semel described the issue, which the Apache Foundation is addressing with a patch. As Semel points out, remote code execution exploits have the potential to work great damage, so they encourage patching.
Dave Bittner: [00:10:12] Surveillance toolmaker Spy Phone left terabytes of data exposed in a misconfigured AWS S3 bucket. The exposure was disclosed to Motherboard by a security researcher who wishes to remain anonymous for fear of legal retaliation. Motherboard reports that 3,666 phones were tracked in the database, which contained things like texts and selfies. The security site Have I Been Pwned also looked into what the researcher found, and they concluded that 44,109 email addresses were among the material compromised. Spy Phone told Motherboard that they're investigating, and that they're thankful the researcher who found the bucket had good intentions. But again, do look at your buckets.
Dave Bittner: [00:10:58] Cisco's Talos security unit reports that Breaking Security's Remcos remote admin tool is being exploited by hackers. Breaking Security, a security software outfit based in Germany, says its tool is legitimate, that they don't want it misused and that they'll revoke the license of those who abuse it. But Talos isn't entirely convinced. Remcos is widely discussed and traded in grey or black markets.
Dave Bittner: [00:11:26] Researchers at Kaspersky Lab are tracking what they call Dark Tequila, a financial fraud campaign targeting customers of Mexican financial institutions. It's sophisticated and long-running, apparently since 2013. The attack is multistage and modular. It has an info stealer that harvests passwords from browsers, a key logger and a service module that keeps it running properly. The two known infection vectors are spear-phishing and injection by USB device.
Dave Bittner: [00:11:56] And finally, the DPRK seems to be branching out. Kaspersky Lab finds North Korea's Lazarus Group pushing Mac malware in Operation Apple Juice. The campaign affects Macs, which is new for Pyongyang's hackers, and its malware poses as a legitimate-appearing app from a cryptocurrency trading software vendor. When the victims take the bait, they're infected with the FALLCHILL RAT.
Dave Bittner: [00:12:26] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:13:26] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. He's also my co-host on the "Hacking Humans" podcast. Joe, welcome back.
Joe Carrigan: [00:13:36] Hi, Dave.
Dave Bittner: [00:13:36] So we've got an article here. This comes from Digital Content Next, a online service, and it's called "Google Data Collection Research." And this is research that was done by Professor Douglas C. Schmidt. He's a professor of computer science at Vanderbilt University. And they're looking at how much data Google collects from their users on mobile devices and contrast that over what kind of data is collected on iOS devices. I must admit, Joe, I'm trolling you a little bit here.
Joe Carrigan: [00:14:09] I was going to say, you - Dave, you're trolling me, aren't you?
Dave Bittner: [00:14:10] (Laughter) Yes. For those of us who aren't regular listeners of the CyberWire, Joe uses Android devices, and I prefer iOS devices. So this comes up more often than it probably should.
Joe Carrigan: [00:14:22] And Dave often likes to compare Apples to Googles.
Dave Bittner: [00:14:25] There you go. So what do we know from this research here?
Joe Carrigan: [00:14:28] Well, we do know that you're correct that Android devices, even when they're idle and stationary, communicate a lot more with the Google services than the Apple devices communicate with Apple.
Dave Bittner: [00:14:41] Right.
Joe Carrigan: [00:14:42] What Professor Schmidt found is that a lot of this information is location data.
Dave Bittner: [00:14:47] Yeah, 35 percent of the data was location data.
Joe Carrigan: [00:14:49] Thirty-five percent of the traffic is location data.
Dave Bittner: [00:14:51] Right.
Joe Carrigan: [00:14:51] I don't know why it feels necessary to do that. We use that location data in our family so that we can track where everybody is. But we are under no disillusion that Google also has access to that location data. Before we started, you were talking - you and I were talking about this. And one of the key points that you brought up is that Apple and Google are in very different businesses.
Dave Bittner: [00:15:15] Right, right, which they brought out in the research here as well.
Joe Carrigan: [00:15:18] Right. Apple is in the business of selling people hardware, and they are very user-focused. And Google is in the business of a search engine and advertising and marketing.
Dave Bittner: [00:15:30] Right.
Joe Carrigan: [00:15:31] And they provide some remarkably good services to users for free - for example, Google Docs, which I use, and it doesn't seem to have a lot of advertising on it.
Dave Bittner: [00:15:41] Right.
Joe Carrigan: [00:15:42] It's a great tool, but I'm under no disillusion of what that entails, that Google has access to every single thing that I type up there. If I have something - some intellectual property I don't want shared with Google, I don't put it on that service. For example, my Password Safe file, which I have started protecting now with a physical UBKey, I don't keep that on Google at all. I keep that on another cloud provider service...
Dave Bittner: [00:16:08] That shall go unnamed.
Joe Carrigan: [00:16:09] ...That shall go unnamed, I guess, yeah.
Dave Bittner: [00:16:10] (Laughter) Right. Right.
Joe Carrigan: [00:16:12] But it is one of the big three or four or five ones. But yeah - because I don't think that - I'll say it's Microsoft (laughter). I don't think - Microsoft's business is selling me software and cloud services...
Dave Bittner: [00:16:26] Right.
Joe Carrigan: [00:16:27] ...Not selling me advertising. So I don't think they're mining my data, or if they are, they're not mining it to the extent that Google is. Google is definitely mining my data.
Dave Bittner: [00:16:36] Yeah.
Joe Carrigan: [00:16:36] I know they're doing that. That's what they do.
Dave Bittner: [00:16:39] Yeah. It was interesting statistics they had here. They said an Android phone - a stationary, dormant Android phone contacted Google 340 times during a 24-hour period. That averages out to 14 communications per hour.
Joe Carrigan: [00:16:53] Yeah.
Dave Bittner: [00:16:54] And an idle iOS phone didn't communicate back at all. You had to be using the iOS phone for it to be sending that sort of data back.
Joe Carrigan: [00:17:03] Right.
Dave Bittner: [00:17:04] Interesting.
Joe Carrigan: [00:17:05] So it's a consumer choice, you know.
Dave Bittner: [00:17:07] Yeah. Yeah.
Joe Carrigan: [00:17:09] And I understand consumer advocates will say most people don't know that this is a choice they're making. And that's true, they don't know. And that's kind of why we talk about this and why Professor Schmidt has published this is because people should know this. This is something they should - they should be making this as a conscious decision.
Dave Bittner: [00:17:26] Right.
Joe Carrigan: [00:17:27] They shouldn't just be going, oh, it's free. That's great. And like we always say, if something's free, you're the product.
Dave Bittner: [00:17:32] Yeah. Yeah.
Joe Carrigan: [00:17:33] And Tim Cook says that a lot.
Dave Bittner: [00:17:36] Yeah (laughter). All right. Well, the research is called "Google Data Collection." Again, we found this on Digital Content Next. It's worth a look. And, Joe, as always, you're a good sport.
Joe Carrigan: [00:17:47] (Laughter) Thanks, Dave.
Dave Bittner: [00:17:48] All right. Thanks for joining us.
Dave Bittner:  And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:18:02] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. Find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:29] If you enjoy the CyberWire and our "Research Saturday" show, we hope you'll check out the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute.
Dave Bittner: [00:18:51] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Huh. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:20] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.