Ex-employee backdoor. Stealthy DDoS. Anubis dropper looks for motion. Influence operations. Privacy actions. The curious case of the espionage arrest in Russia.
Dave Bittner: [00:00:03] The WordPress Multilingual Plugin is compromised by a disgruntled ex-employee. A stealthy DDoS might escape notice. Anubis droppers wait for the phone to move before executing. The EU works against influence in its May elections. France fines Google for lack of transparency under GDPR. Facebook may face FTC action, and more emerges on the curious case of the American/Canadian/Irish/British citizen arrested in Moscow for spying.
Dave Bittner: [00:00:39] And now a word from our sponsor KnowBe4. You know, email is still the No. 1 attack vector the bad guys use with a whopping 91 percent of cyberattacks beginning with phishing. But email hacking is much more than phishing and launching malware. Find out how to protect your organization in an on-demand webinar by Roger A. Grimes, KnowBe4's data-driven defense evangelist. Roger walks you through 10 incredible ways you can be hacked by email and how to stop the bad guys. And he also shares a hacking demo by KnowBe4's chief hacking officer Kevin Mitnick. So check out the 10 incredible ways and learn how silent malware launch, remote password hash capture and rogue rules work, why rogue documents establishing fake relationships and compromising a user's ethics are so effective, details behind clickjacking and web beacons and how to defend against all of these. Go to knowbe4.com/10ways to watch the webinar. That's knowbe4.com/10ways. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:01:48] From the CyberWire studios at DataTribe, I'm David Bittner with your CyberWire summary for Tuesday, January 22, 2019. Much of the news that's developed today and over the long weekend deals with government and corporate wrangling over privacy and influence operations. We'll briefly cover a few of the other threats currently in circulation before we turn to those stories.
Dave Bittner: [00:02:10] A former employee, evidently one of those proverbially disgruntled ones, used a backdoor he created during his employment to compromise the WordPress Multilingual Plugin, or WPML. The developers of WPML say that the hacker took customer data, including site keys, and also sent mass messages to customers warning of critical vulnerabilities in the plugin. Wpml.org says they've rebuilt their site, that payment information was not among the data compromised and that customers should change their passwords. No word on what's in store for the disgruntled ex-employee. But one assumes the proper authorities have been notified.
Dave Bittner: [00:02:52] Security firm Nexusguard, in its third-quarter threat report, notes that there's been an increase in a relatively stealthy form of distributed denial of service attack. In this technique, attackers go after ASN-level - that's autonomous system number - communications service providers. They spread small amounts of attack traffic - junk, the researchers call it - across a large number of different IP addresses. This avoids tripping the alarms more familiar volumetric attacks would trigger. But it also produces troubling latency in the target networks and can, in some cases, deadlock them.
Dave Bittner: [00:03:29] In the seesaw struggle between attack and defense, the attackers have taken a new tactic. Researchers at security firm Trend Micro have found that some malicious apps dropping Anubis banking malware onto Android devices have been designed to activate only when the infected device's motion sensor indicates that, yes, the device is indeed moving. This is thought to be an attempt to fly beneath the detection radar of emulators, which typically don't offer motion detection. If it moves, the servants of Anubis conclude, then it must be a phone.
Dave Bittner: [00:04:02] Being the father of a pre-teen kid as I am, there's a lot of Fortnite gaming going on in our house. News broke recently of some researchers discovering some significant vulnerabilities in Fortnite. And our U.K. correspondent Carole Theriault has the story.
Carole Theriault: [00:04:19] Check Point released research that uncovered a major flaw in Epic Games' Fortnite. The researchers showed that the flaw could allow someone to log into a user's account by taking advantage of authentication tokens assigned to single sign-ons. This is from the likes of Facebook or Xbox or Google. Check Point, following the industry rules of ethical responsible disclosure, worked with Epic Games to remove the flaw before Check Point went public with their findings. Had the flaw been found by ne'er-do-wells instead of responsible researchers, it could have been a catastrophic data breach for its 80 million users. So Fortnite is no small potatoes.
Carole Theriault: [00:04:59] In fact, it made a reported $2.4 billion in 2018 thanks, in part, to its inbuilt financial ecosystem. All this money flying around makes Fortnite a valuable target to online criminals. But there is something else. Many Fortnite users are young. They probably have less experience with money management and cyberscams. And many an account will be funded by a player's parent. Could these young account gatekeepers be seen as an easier target than your cynical and watchful adult? I pinged a good friend and cybersecurity journalist and avid gamer, Maria Varmazis, to get her take on this epic Fortnite flaw.
Carole Theriault: [00:05:39] Maria, thank you for coming here, especially when you're feeling a little under the weather.
Maria Varmazis: [00:05:44] Oh, it's - (laughter) I'm happy to do it, Carole.
Carole Theriault: [00:05:47] Now, tell me about Fortnite and this big vulnerability that AV company Check Point notified us all about.
Maria Varmazis: [00:05:56] It all happened within a legit version of the game that allowed an attacker to log in as - they, basically, could steal a log-in token. And they could log into a legitimate player's account. And when they have access to that player's account, they could then buy a whole bunch of stuff within the world, assuming that that person has a credit card attached to their account, which they probably do. So they could then buy a bunch of stuff or buy a bunch of bucks. And then you can send stuff to other players within the world.
Maria Varmazis: [00:06:20] So essentially, rack up a huge bill. Buy a whole bunch of stuff, and then send it to, like, a master account somewhere else, like the one that you own, you as a scammer. It's your personal account. And suddenly, your scammer account has all these ill-gotten goods. But essentially, the person who's been scammed can't really do a whole lot to get that back. Like, they can file a report or a ticket or something. But a lot of times, the answer is tough luck, kid. So...
Carole Theriault: [00:06:43] Wouldn't two-factor authentication mitigate or at least help account holders be able to verify their authenticity?
Maria Varmazis: [00:06:51] Yeah, 2FA is always a great idea. I know Fortnite offers it. And they even incentivize people to use it. They give you some exclusive stuff within the Fortnite world, which is great. I'm sure that would help a lot. And I know that Fortnite does encourage people to use it. But it's a - again, you're talking to kids with poor impulse control (laughter). A lot of them don't want to go through that step.
Carole Theriault: [00:07:13] Yeah, because enforcing rather than recommending might be a way to resolve these issues.
Maria Varmazis: [00:07:18] A lot of these games have the same problem. Blizzard has an authenticator for World of Warcraft, for example.
Carole Theriault: [00:07:24] Right.
Maria Varmazis: [00:07:24] Similar problems happened in that world for years and years - and probably are still happening now. And Fortnite's having the same issue. When you have this - millions of people on these platforms, it's just going to happen. But then the adoption rate is much lower than it should be for 2FA, so that is a challenge for sure.
Carole Theriault: [00:07:41] OK, so what advice do we have for the user?
Maria Varmazis: [00:07:45] Try to use common sense. That might be a hard one for a kid who's still learning what that is, but use that...
Carole Theriault: [00:07:51] (Laughter).
Maria Varmazis: [00:07:51] (Laughter) Use that cynicism, I suppose. And it's - when you're thinking about getting free stuff in the game, just remember that there's never anything free in these - even in these free-to-play games. So unless you're getting something through the official website or through the official game, there's something off with that. And if you don't see what the hitch is, it's (laughter) probably access to your credit card data or giving up some sort of sensitive information that could be helpful on the black market. Don't give that up. And just question why you're getting something for free.
Carole Theriault: [00:08:22] Yeah. Trust me. Mom will not be happy if she finds this huge bill on her credit card.
Maria Varmazis: [00:08:27] (Laughter) So you could be actually very diligent about doing this kind of stuff and still have your account get compromised. With 2FA, it's a lot less likely. But it could still happen. One little trick that a lot of people use is to not put a legit credit card on your account to buy things. Use a gift card or a card that has a set amount of money on it, like one of those gift cards that you can charge a certain amount of money onto. And that way...
Carole Theriault: [00:08:52] Brilliant idea.
Maria Varmazis: [00:08:53] Yeah, so that way you can't rack up, like, an infinite bill. You just have however much money on that credit card you need to buy what you're getting. And if you want to buy some more, you have to put a new credit card on, so...
Carole Theriault: [00:09:02] You know, that's really good advice for many online accounts that we use. Thanks, Maria.
Maria Varmazis: [00:09:08] Thanks for having me on.
Carole Theriault: [00:09:10] This was Carole Theriault for the CyberWire.
Dave Bittner: [00:09:14] Returning to influence operations, privacy rules and arrests for espionage, Politico reports that EU elections scheduled for this May are thought to present an attractive target for nation-state hacking and influence operations. For one thing, the elections are unusually protracted by European standards. And they also amount to a number of distinct votes, with disparate member nations presenting various attack surfaces. Voting will take place May 23 through 26 in the 27 member nations of the European Union. The principal concern is with disinformation and influence operations in the form of online trolling. The principal suspect is, as usual, Russia.
Dave Bittner: [00:09:56] Google, Facebook, Twitter and Mozilla have agreed to provide reports on influence operations during the election season. These can be expected to concentrate on transparency and on the exposure of inauthentic accounts of the kinds previously deployed by Russian state-directed actors - the Internet Research Agency prominent among them. The threat isn't solely Russian, however. In at least one case, a disaffected individual also succeeded in roiling political waters. German authorities recently arrested a 20-year-old student in connection with a fairly long-running doxing effort that exposed correspondence of political figures, including President Steinmeier and Chancellor Merkel.
Dave Bittner: [00:10:37] Facebook COO Sheryl Sandberg says that her company intends to work with Germany's BSI, the Federal Office for Information Security, to impede influence operations designed to sway the elections. The BSI hasn't commented, and Facebook's situation in Germany has been a touchy one, with some official suspicion of the company's data handling and privacy practices.
Dave Bittner: [00:11:00] There's also renewed legal wrangling in the U.S. over Russian cyber operations. The Democratic National Committee has amended its civil complaint against Russia, and a number of others, to include allegations of post-midterm hacking attempts. Those attempts seem to have consisted of phishing, with indifferent success. But official Washington is currently in a state of bipartisan concern over the potential for deep fakes. Convincing but utterly bogus videos and similar artifacts could play a disruptive role in future campaigns.
Dave Bittner: [00:11:33] France's CNIL, the nation's privacy watchdog, has fined Google 50 million euros over GDPR issues - essentially for lack of transparency and user consent, the Telegraph reports. Former Facebook CSO Alex Stamos is interested to see whether GDPR will prove to be more about competition than privacy. In a series of tweets after the CNIL's action, Stamos noted the sheer difficulty of compliance, especially with respect to online advertising. He said in one tweet, quote, "It's very hard to find a European advertiser who lives up to these standards. Maybe they are just starting with the biggest. But if CNIL doesn't fine any EU-based ad networks in the coming months, we know GDPR is about competition policy, not privacy," end quote.
Dave Bittner: [00:12:22] Stamos' point is worth considering. But the publication AdExchanger noticed back in November that CNIL had warned a small European ad company, Vectaury, about possible violations despite Vectaury's having structured its operations in accordance with the IAB GDPR transparency and consent framework - generally thought a safe guide to compliance.
Dave Bittner: [00:12:46] Russian censorship authority Roskomnadzor has opened an administrative enforcement action against Facebook and Twitter, The Wall Street Journal reports. The communications agency says the two social networks haven't complied with requirements that data on Russian citizens be stored in Russia. SecurityWeek notes that Facebook may be set for a large fine in the U.S. The Federal Trade Commission is said to be preparing an enforcement action against the company for privacy failings related to the Cambridge Analytica scandal.
Dave Bittner: [00:13:18] The Washington Post has new details on Russia's arrest of Paul Whelan on espionage charges. He's said to have been passed a USB drive containing secret information - a state secret, as sources put it. Whether he knew that's what he'd received remains unclear. His defense attorney Vladimir Zherebenkov, who has a reputation for defending high-profile clients in high-profile cases, said that Mr. Whelan, who holds U.S., British, Irish and Canadian citizenship, thought the flash drive held photos and videos of an earlier trip to Russia. He'd asked for the files because he'd been unable to download them electronically. Mr. Zherebenkov also said, quote, "How he got the flash drive, what he was supposed to do with it and whether Whelan knew he had secret information is unknown," end quote. Mr. Whelan, who maintains his innocence, has been denied bail.
Dave Bittner: [00:14:11] The case is a very odd one. And most observers speculate that the Russians grabbed Mr. Whelan in the hope of using him in a swap for the Russian national Maria Butina, who's taken a guilty plea in the States and is herself widely regarded as a Russian asset. All four of the countries in which Mr. Whelan claimed citizenship sent consular officials to his hearing.
Dave Bittner: [00:14:39] And now a word from our sponsor Coalfire. When organizations stand up new services or move existing applications to the cloud, they need to coordinate IT security efforts with business units and partners. So the question arises - is security the cloud platform provider's responsibility, or is it the customer's responsibility? To answer that data security question, you must clearly articulate who owns what, identify security gaps and determine who will close those gaps. With the HITRUST shared responsibility program, there's now a clear path to address the misunderstandings, risks and complexities when partnering with cloud service providers. Coalfire has delivered hundreds of HITRUST CSF certifications since 2011. And they help organizations clarify the roles and responsibilities of security controls that protect information. They've certified the leading global cloud service providers and can help you migrate data to the cloud securely. Find out more from Coalfire, the HITRUST cloud assessor, at coalfire.com/hitrust. That's coalfire.com/hitrust. And we thank Coalfire for sponsoring our show.
Dave Bittner: [00:16:02] And joining me once again is Johannes Ullrich. He's the dean of research for the SANS Institute, and he's the host of the ISC "StormCast" podcast. Johannes, it's great to have you back. You have been tracking some scams that have been involving gift cards. Bring us up to date here. What are you looking at?
Johannes Ullrich: [00:16:20] Right. I think what's really special about this is that these are attacks that we used to see in a more targeted fashion that are now sort of becoming these automated commodity attacks because I think the attackers are getting better in really figuring out relationships between people sort of in an automated fashion.
Johannes Ullrich: [00:16:39] The way these attacks work is that the - some random worker at a company often associated with accounting gets an email that claims to come from a manager, from the CEO and asks that worker to go out and buy gift cards with company funds, and there's usually some pretense around it - like, of course, the holidays recently, we have also sometimes seen sort of disasters being used like this - and then send images of these gift cards to the attacker, who claims to be that manager. So that's always sort of how it works. But I think what's really special about it is how these attacks appear to be automated, based on the volume that we're seeing for these attacks.
Dave Bittner: [00:17:20] And - so what are you seeing that makes you think that they're automated?
Johannes Ullrich: [00:17:22] The texts are fairly similar. And sometimes you can also tell by where they sort of get it wrong. They don't get names quite right. But they use names, for example, from LinkedIn and platforms like this. Sometimes where - they also target new employees that were just sort of added, for example, to the company's website. That appears to be sort of another pattern that we somewhat see there. But overall, we are still collecting a lot of these emails. So if anybody has them, send them our way. And we try to get a better handle on what they're exactly using, how they're getting this information.
Dave Bittner: [00:17:57] Yeah. That's interesting. So they could be scraping someplace like LinkedIn for folks in the positions that they want to target, someone in HR or something like that. But then, that's interesting, targeting new employees. Do you think they - they're looking for changes on a website, something like that? Someone new shows up?
Johannes Ullrich: [00:18:13] That appears to be - that's, at least, my best guess right now. We haven't really recovered any of the sort of tools they're using to do that yet. That, of course, would be really great if someone finds a compromised system that still has these tools installed on it. But company websites, of course - and in particular, new employees, of course, are particularly vulnerable to this. They still want to impress the boss. They're not really that familiar with the exact relationships and how things work in a company.
Johannes Ullrich: [00:18:39] In one case actually, we had one person sort of keep tracking them along, like, after the initial hook. Then it appears to be manual because then you actually can communicate with the attacker sometimes, and they try to convince the employee to actually go out and use personal funds because they sort of, oh, send a fake reply back saying that a company credit card doesn't work for gift cards. And...
Dave Bittner: [00:18:59] Yeah, that's interesting. I did have a friend who fell for this. She was an HR manager in a tech company and went down the path - actually went down to the local grocery store, bought some gift cards and was in the process of sending the cards out and happened to wander down the hall to where her boss worked, who was supposed to be the person making these requests, and told him about the gift cards. And he said, what gift cards? This is a smart person, you know, (laughter)...
Johannes Ullrich: [00:19:27] (Laughter).
Dave Bittner: [00:19:27] ...Working in a tech company. So anyone can fall for these.
Johannes Ullrich: [00:19:31] And that's it, really. You know, by customizing these scams so well, I think that's why they're successful. They're not as easy to detect as some of the other scams we have seen in the past.
Dave Bittner: [00:19:44] Yeah. All right. Well, it's something to look out for. And certainly, listeners, if you've got any additional information on this, let us know or get in touch with Johannes himself. He'd like to see it. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:19:56] Thank you.
Dave Bittner: [00:20:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:14] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.