The CyberWire Daily Podcast 9.27.18
Ep 693 | 9.27.18

Fancy Bear, again and again. QRecorder is a banking Trojan. Authentication issues with Apple's Device Enrollment Program. Notes on regulation. Farewell to a code-breaker.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Just a quick program note that I am the guest on this week's "Smashing Security" podcast hosted by Graham Cluley and Carole Theriault - do check it out. It is a good time. That's the "Smashing Security" podcast.

Dave Bittner: [00:00:17] Fancy Bear has its very own rootkit. VPNFilter turns out to do a lot more than previously suspected. One of the Salisbury assassins is identified as a GRU colonel. A voice recorder app is kicked out of Google Play for being a banking trojan. Apple's Device Enrollment Program may have authentication issues. Big Tech might learn to like being regulated. And farewell to one of Bletchley Park's Jenny Wrens.

Dave Bittner: [00:00:49] Time to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 27, 2018. There are a few Fancy Bear sightings to report today. You'll recall that Fancy Bear is what Russia's GRU has come to be called when it operates in cyberspace - or, if you insist, Mr. Putin, Russia's GU since, ho, ho, there's strictly speaking no such thing as the GRU because its name got changed, and anyway it doesn't exist. We say phooey. Whatever the acronym, it's the same old firm, and we doubt the misdirection works even at the U.N. So tell it to Turtle Bay, or save it for a meteor shower over Chelyabinsk. But no one here is buying.

Dave Bittner: [00:02:42] Security firm ESET, the gang from Bratislava, reported yesterday that Fancy Bear is deploying a rootkit against its foreign targets. They're active so far mostly in the Balkans and other Central and Eastern European countries. And the kit they've deployed is LoJax, malware developed from the LoJack anti-theft software. The attribution to Fancy Bear is, as is usually the case, circumstantial - but compelling based on the presence of other known Fancy Bear hacking tools.

Dave Bittner: [00:03:13] Cisco's Talos unit looked into VPNFilter malware and has discovered that it's even more capable than initially believed. The researchers found seven additional modules in VPNFilter. They think it was designed to debut against Ukrainian targets on the anniversary of the NotPetya attacks. But they also note that VPNFilter was also designed to be a long-term attack platform. The malware is particularly adapted for IoT attacks, especially against vulnerable routers. When Talos started checking on VPNFilter this spring, it was hitting home routers - mostly those manufactured by MikroTik.

Dave Bittner: [00:03:51] At the time, the U.S. FBI attributed the campaign to Fancy Bear, took control of some of its command and control infrastructure and advised everyone to reboot their routers. It's difficult to say how many devices remain vulnerable, but VPNFilter turns out to be more capable than hitherto believed. The seven new modules include an HTTP traffic redirection and inspection tool, an SSH utility, some network mapping functionality, a denial of service tool, a network traffic forwarding unit, a SOCKS5 proxy and a reverse TCP VPN. So it does a lot.

Dave Bittner: [00:04:31] And one of the suspects in the Salisbury nerve agent attacks has been identified as a GRU Colonel. Both of the men British authorities hold responsible for the nerve agent attack in Salisbury have so far been known by their pseudonyms Ruslan Boshirov and Alexander Petrov. Boshirov turns out to be one GRU Colonel Anatoliy Chepiga, an officer thrice deployed to Chechnya during 17 years’ service as a Spetsnaz goon. He was also awarded the order Hero of the Russian Federation in 2014 by decree from the Russian president for peacekeeping, which probably means hybrid warfare against Ukraine.

Dave Bittner: [00:05:12] The investigative site Bellingcat, which did much of the inquisitorial heavy lifting here, says that Chepiga's alma mater, the Far Eastern Military Command School, has his name and the award up on their wall of honor. His mention is to the right of their statue of Marshal Rokossovsky. It's worth noting that the honorific Hero of the Russian Federation is by custom awarded personally by the Russian president, the way the U.S. Medal of Honor is normally presented by the U.S. president. This would seem to deprive President Putin of some deniability he's hitherto claimed. Fact is he probably pinned the medal on Chepiga personally. Chepiga's fellow tourist Alexander Petrov has yet to be identified.

Dave Bittner: [00:05:57] We live in a world with Twitter bots, fake and stolen Facebook profiles and even automated AI-driven customer service chat bots. As the technology matures, it's getting hard to be sure you're dealing with a real human being. This notion of synthetic identities is cause for concern and attention. Daniel Riedel is CEO of data security firm New Context, and he offers these thoughts.

Daniel Riedel: [00:06:22] I think with synthetic identities, it depends on the industry that you're in to a certain extent. I think the banking industry has their concept of what synthetic identities are. I think other industries do as well. Obviously with the banking industry, it has to do with, you know, sort of fraudulent uses of payment systems. But I think that synthetic identities is going to grow and morph in ways that in some cases we don't - we can't foresee. It's sort of the unknown unknown concept. But I think it's going to have a huge effect on how we trust an entity that we have not seen in person basically - right? - so anything where we can't actually validate that it is a human that I'm actually talking to.

Dave Bittner: [00:07:11] And from your point of view today, where we stand, I mean, how do you define it in the present context?

Daniel Riedel: [00:07:17] So today I think that - I think you could say that, you know, some of the Twitter bots that are out there are synthetic identities. I think that I would look to see a little bit more sophistication - so, you know, LinkedIn accounts that are false but look absolutely real. Like, you can't tell the difference, but they are fake. Or a Facebook account that is fake, or sort of a - what we're seeing now, especially with some of the announcements of Google, you know, a conversation that you - if you cannot perceive that there is a human - not a human on the other side, like it's a bot that's talking to you, and you can't - you cannot make the distinction of whether that's a human or a bot, I think that's really the fit of where synthetic identity is.

Daniel Riedel: [00:08:05] A lot of those Twitter bots, you can absolutely - you know it's a bot. You can see that it's a bot. It's when it's very hard for your average person to make the distinction between, is this a bot or is this a human? I don't know. I can't tell.

Dave Bittner: [00:08:23] Yeah, and I think we've seen cases of this with things like romance scams, where people have, you know, sort of vacuumed up someone else's online profile, in somewhere like Facebook, and assume their identity and use it to scam unwitting people.

Daniel Riedel: [00:08:40] Absolutely. And I think you're going to see - so there's the age-old fraud that we've seen since the dawn of email where somebody wants you to wire $10,000 suddenly because, you know, they're in a bad spot in the middle of Africa. The synthetic identity allows it to be a little more challenging to really understand whether that's real or not. And so I think with anything, especially when it comes to financial transactions, it's always - you know, making sure that you really know the other party before you do anything.

Dave Bittner: [00:09:14] Yeah, I think of the example that we've seen in the past few months where, you know, Google had a technology demonstration where they showed, you know, artificial intelligence that was ordering up a haircut appointment for someone. And so I think, you know, certainly the possibility is there. You can look forward and see how that could be a useful application of this sort of thing. And yet, I feel like folks - there's just - there's that uncanny valley problem. I think there's - we just can't help having a sense that, at a certain level, sometimes these things are just a little creepy.

Daniel Riedel: [00:09:50] Yeah, it's like a "Black Mirror" episode. So, you know, it's you - you're kind of in this new world that we weren't quite sure where - if I picked up the phone, and I had a conversation with somebody, I'm almost positive that's a human being. We're going to go into a world where that may not be the case especially if you extrapolate out.

Daniel Riedel: [00:10:07] And so the question is, from sort of a policy perspective, you know, are we going to have to have a policy where if the customer support calls up, and it's a very well-written AI that you can have a conversation with, should it say, hi, I am actually not a real person, but I'm here to help you in.

Daniel Riedel: [00:10:23] And therefore, those folks who don't do that - you know, it's a little easier to compartmentalize and possibly make a law so we can partially go after them. I don't know, you know, quite where that's going to go. Regulation isn't necessarily always the best way to approach something. But I think, you know, those organizations that put their best foot forward and think about that before anyone on the regulation side thinks about that, I think that would be a good thing.

Dave Bittner: [00:10:49] That's Daniel Riedel from New Context.

Dave Bittner: [00:10:54] Returning to some other ESET research, the company says it found a banking trojan masquerading as a call-recording app in Google's Play store. The bad app was called QRecorder. Google has given it the heave-ho.

Dave Bittner: [00:11:08] Duo Security reports finding an authentication weakness in Apple's Device Enrollment Program that could be exploited for privilege escalation or rogue device deployment. Part of the problem is that a device serial number - and that's a predictable number according to Duo - well, it can be used to enroll a device. Duo recommends that enterprises protect themselves by requiring user authentication before a mobile device management enrollment. They notified Apple of what they found. But Apple has yet to address the matter. It thus falls into that familiar that's-a-known-issue category.

Dave Bittner: [00:11:44] Yesterday's hearings in the U.S. Senate covered online privacy. Big Tech expressed general approval of privacy regulations. Some of the GDPR's requirements are onerous, but Big Tech likes consistency and predictability. So while in some ways regulation isn't really welcome, it does have some upsides for those who fall under it. Privacy laws and possible antitrust actions continue to loom over Silicon Valley.

Dave Bittner: [00:12:12] Finally, it's worth remembering our heroes, and one such received a last farewell Monday. Jean Briggs Watters, who died last week at the age of 92, was laid to rest at the Omaha National Cemetery. She was buried with a Union Jack over her casket and honors from Her Majesty's government. Miss Briggs was one of the last surviving Bletchley Park Bombe operators who ran the code-breaking machines that yielded up German signals during the Second World War.

Dave Bittner: [00:12:41] She enlisted in the WRNS, the Women's Royal Naval Service, at the age of 18 out of an art school in Cambridge. During the war, she fell in love with an American Army Air Force pilot, John Watters. They married and, after the war, settled in Nebraska. Mr. Watters died in June at the age of 101. And this week, Jean was laid beside him. Thank you, Miss Briggs, and may you rest in peace.

Dave Bittner: [00:13:14] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult, even for the most technical users, to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:14:23] And joining me once again is Mike Benjamin. He's the senior director of threat research at CenturyLink. Mike, welcome back. You know, we've seen plenty of stories come by about Spectre, Meltdown and most recently, Foreshadow. And there's been a lot of teeth-gnashing and handwringing over that. But you wanted to make the point today that maybe it's not all doom and gloom.

Mike Benjamin: [00:14:44] Yeah. I mean, any bug that hits our industry or puts anybody at risk is - it's, of course, interesting. And people need to understand it. They need to patch it or mitigate it, as the case may be. But if we look at the class of bugs, these are really very difficult to exploit when you compare to what we were looking at 10, 20 years ago, right? The - gone are the days of a simple buffer overflow in a privileged application on an internet-facing service.

Mike Benjamin: [00:15:14] The fact that we're getting into this complexity of chips really, really shows how much we've matured as an industry. So I actually think it's a good opportunity to step back, look at it and be proud of what we've been able to accomplish in terms of maturity to technology and software - and look at these bugs as not all a bad thing.

Dave Bittner: [00:15:33] What do you say to the folks who make the case that this is a result of the chip makers not being able to increase clock speeds fast enough, that, you know, market pressure still means that they wanted to do things faster. So, you know, they went back to the computer science books, and they came up with these - they dug out these speculative processing routines and - without maybe giving it the closer look that it deserved?

Mike Benjamin: [00:15:58] Well, I think that's a little unfair. You can look at any technology advancement we've made in any area and probably point to some security issue that came out of it. And so this is part of evolving technology, right? And so academia has brought us some interesting methodologies in order to receive increased execution speed. And I don't think we should criticize, necessarily, everything they do.

Mike Benjamin: [00:16:19] On the flip side, from a chip manufacturer perspective, this is a great opportunity to learn from the experience and think about how to properly vet these technologies in the future. So it's a maturity item. And the pendulum will swing both ways. We're going to have advancements. We're going to learn from them. And then hopefully, we mature to the point where things like the class of bug that gets provided by speculative execution really is no longer going to be an issue, after we learn from it in future spins of this technology.

Dave Bittner: [00:16:43] Yeah. So, you know, meanwhile here in the real world, for folks who have to deal with this, should they be worried? What's an appropriate level of concern people should have with this?

Mike Benjamin: [00:16:54] Well, my recommendation to everyone that's asked me has been, be aware of what it is. And so the concept of retrieving information through these bugs is a risk to certain organizations in certain environments. And of course, the environments that get mentioned most from the publicity that these bugs receive is always the shared, multi-tenant cloud environments. The infrastructure-as-a-service provider environment. It's where other people's data is running on the same chip. It's being stored in the same system. And that's where the risk is.

Mike Benjamin: [00:17:28] And so reaching out to the service providers that offer those technologies and ensuring that they've patched their environments or mitigated in an appropriate way so that you're not at risk is an appropriate reaction. From other cases, either the data being stored is not as at high of risk, or they're in their own private environments where they need to be aware more of other security issues in front of this and need to allow the natural patching cycle to occur inside their company.

Dave Bittner: [00:17:54] Mike Benjamin, thanks for joining us. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:18:07] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.