The CyberWire Daily Podcast 2.5.19
Ep 774 | 2.5.19

ExileRAT versus Tibet. SpeakUp backdoors Linux. Facebook bans Myanmar militias. Norway sees a threat in Huawei. Westminster gets hacked? Bangladesh Bank sues over SWIFT caper.

Transcript

Dave Bittner: [00:00:03:19] ExileRAT targets Tibet's government-in-exile. The SpeakUp backdoor afflicts many varieties of Linux systems. Facebook bans ethnic militias in Myanmar from its platform. Norway's PST intelligence service says that Huawei constitutes a security risk, and China says that's nonsense. Someone seems to be hacking contact lists belonging to UK Members of Parliament. And Bangladesh Bank is suing to recover the $81 million missing from its 2016 SWIFT heist.

Dave Bittner: [00:00:40:05] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys; your employees, contractors and privileged users. In fact, a whopping 60% of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT you don't have to. See, most security tools only analyze computer network or system data, but to stop insider threats you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond, and stop data loss. Want to see it in action for yourself? Try ObserveIT for free. No installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:42:24] From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire Summary for Tuesday, February 5th, 2019.

Dave Bittner: [00:01:51:05] Cisco's Talos research group has identified a targeted campaign against supporters of Tibet independence, including elements of the Tibetan government-in-exile, that installs the ExileRAT remote access Trojan. The vector is a malicious PowerPoint file, and the attack shares command-and-control infrastructure with the LuckyCat Android malware earlier used against Tibetan activists. The researchers think espionage and not criminal gain is the goal. Talos doesn't say as much, but the Magic Eight Ball would probably say that signs seem to point to China, where Tibetan independence groups and sympathizers, as well as ethnic Tibetans both home and abroad, have long been of interest to Beijing's intelligence and security services.

Dave Bittner: [00:02:36:07] Researchers at security firm Check Point have found a new Linux backdoor, "SpeakUp", which can run on several Linux distributions and on the related MacOS. The Trojan, thought to be possibly the work of a Russian-speaking coder, and so far apparently most active in East Asia, is said to evade most current security products. Check Point thinks its current activity is a sign of much bigger campaigns to come.

Dave Bittner: [00:03:03:17] Facebook has banned four "ethnic armed organizations" that operate in Myanmar from using its platform. The militias all form part of the "Northern Alliance", and are among the armed militias that have long operated in that country. The groups Facebook banned include the Arakan Army, the Myanmar National Democratic Alliance Army, the Kachin Independence Army, and the Ta'ang National Liberation Army. This is part of Facebook's ongoing efforts to purge its platform of groups that advocate violence, and even more of groups that use Facebook to incite or coordinate violence.

Dave Bittner: [00:03:40:09] It's worth noting that this isn't being done necessarily at the behest of Myanmar's government, even though security forces have recently clashed with some of the militias, notably the Arakan Army. As TechCrunch notes in its coverage, Facebook has earlier taken action against some government leaders and organs, including the commander-in-chief of the armed forces and the military-owned TV network Myawady.

Dave Bittner: [00:04:06:17] Nor is this simply the restriction of content as hate-speech. Facebook has so thoroughly permeated Myanmar's late-adopting online culture that it practically constitutes the Internet for most of the country's users, and its platform has been actively used to incite and coordinate several violent campaigns, most notably those against the Rohingya Muslim minority in the Buddhist-majority nation. The UN believes some 700,000 Rohingya became refugees since August of 2017. The UN also reported that abuse of Facebook played a determining role in inciting the persecution.

Dave Bittner: [00:04:43:00] Cyberespionage from nation-states of industrial environments continues to be a global concern. The folks at EclecticIQ have been tracking these threats in their new fusion center. Joseph Williamson is a threat intelligence analyst with EclecticIQ.

Joseph Williamson: [00:04:57:24] Specifically with regards to espionage of industrial environments, I think you can break it down into two categories at the minute. The first category would be espionage or competitive advantage, and the second would be recon for destructive attacks. An example of espionage for competitive advantage, that's where a nation-state might want to take a look at the ways that Western countries run their businesses in the critical infrastructure sectors, so that they can employ certain strategies within their own firms within those sectors.

Joseph Williamson: [00:05:35:18] One example that we see a lot at the minute is a lot of China-based adversaries have been working in support of the Belt and Road Initiative. There's been an increase in Chinese espionage of western and South East Asian petrochemical and energy firms in order to bolster their own trades and gather insight into the other countries that they do business with there.

Joseph Williamson: [00:05:58:06] An example of the latter, which is recon for destructive attacks. It's difficult to gain too much insight into this because once the adversary gets information on one of the environments that they're surveying, you don't know exactly what they do with it. But to give you an example, there's a Russian-based actor called DragonFly, who has been lurking in a number of western energy firms for the last few years, exfiltrating sensitive data on those organizations' SCADA systems. For example just to go right down to the detail, exfiltrating stuff like screenshots of wiring diagrams and stuff like that. What they do with that information is never going to be 100% clear to us on the defensive side, but the idea is that they could then use that to subsequent destructive attacks.

Dave Bittner: [00:06:44:11] How does the average person dial in the appropriate level of concern when it comes to these things?

Joseph Williamson: [00:06:51:23] That's a great question, I'm glad you asked it. In general, when it comes to reporting in mainstream media, we tend to take it way too far. The average person is not at risk. It's very unlikely that you're going to wake up and see the headline that cyberattack on a nuclear power plant is causing immediate danger to a populace. It's not likely that you're going to wake up and find that you have no electricity, although that has happened before. But it's unlikely, this doesn't happen very often and it happens to very specific targeted regions. Definitely a dose of realism is needed when you look at the headlines and mainstream media and taking a bit more time to understand the facts behind certain situations, these types of attacks are very unlikely to affect your average citizen.

Dave Bittner: [00:07:44:02] Looking forward into the coming year, what do you expect we'll see? Do you think we're going to see an uptick in these sorts of things? Will it run at the same pace that we've experienced in the past few years? Where do you think we'll land?

Joseph Williamson: [00:07:57:15] That's another good question. We closed out the year with a pretty big destructive attack. Supposedly an Iranian-based actor used a Shamoon Wiper to target an Italian petrochemical company, as well as a few similar organizations in other countries, that certainly suggests that things are not calming down. This is re-emergence of activity that we saw in 2012 and then again in 2017, and certainly suggests that destructive attacks might continue at the same pace. In terms of espionage, I would say that's going to continue at the same pace. There's a lot of China-based adversaries who work in support of the nation-state's Belt and Road initiative. You can almost predict when certain attacks are going to occur based on when neighboring countries have their elections. There's always an uptick in targeting by Chinese actors when a country like Cambodia or Vietnam has a presidential election or something along those lines.

Dave Bittner: [00:08:57:15] That's Joseph Williamson from EclecticIQ.

Dave Bittner: [00:09:01:23] Norway's PST intelligence service has added Huawei to the list of threats to Norway. Benedicte Bjornland, who runs the domestic intelligence unit, put it this way, "An actor like Huawei could be subject to influence from its home country as long as China has an intelligence law that requires private individuals, entities and companies to cooperate with China." The Chinese embassy in Oslo said, "It's very ridiculous for the intelligence service of a country to make security assessment and attack China with pure hypothetical language." And it added that "China poses no threat to Norway's security." The Norwegian decision comes in advance of the widely awaited report in the UK from the GCHQ unit charged with monitoring Huawei security. That report is expected to be a doozy.

Dave Bittner: [00:09:52:01] BuzzFeed reports that some Members of Parliament in the UK have been subjected to cyberattacks. Investigation is underway, but the hackers seem to have been interested in getting phone numbers and contact lists.

Dave Bittner: [00:10:05:10] Bangladesh Bank is suing Manila-based Rizal Commercial Banking Corporation, RCBC and others, for the $81 million lost to hackers in a 2016 caper that abused the SWIFT transfer system. In an unusual move, the New York Fed is working with Bangladesh Bank to assist with the claw-back.

Dave Bittner: [00:10:25:23] Consensus holds North Korea responsible for the theft, as does the FBI. The theft involved transferring funds from Bangladesh Bank's accounts with the Federal Reserve Bank in New York. $101 million were siphoned away to front accounts in Sri Lanka and the Philippines, before bankers involved in the transfer realized something was amiss. It's worth noting that alert proofreaders at Deutsche Bank noticed misspellings and wayward grammar in the transfer requests, and they're the ones who sounded the warning. As Americans we note with shame that the Germans were better proofreaders than our own boys and girls in New York apparently were.

Dave Bittner: [00:11:03:14] Of the $101 million stolen from Bangladesh Bank, 20 million of it went to front accounts in Sri Lanka, and essentially all of that was recovered. Most of the $81 million that went to the Philippines is still missing, and that's what Bangladesh Bank hopes to recover. The Washington Post points out that recovery will be difficult. Bangladesh Bank alleges that RCBC personnel helped the North Korean hackers transfer the money to RCBC accounts at the New York Fed, and then to the Philippines, where ever since it's been gone-baby-gone. RCBC has said in response that this is all PR and misdirection on Bangladesh Bank's part to cover up its own negligence in permitting the transfers in the first place. They'll see one another in court, probably.

Dave Bittner: [00:11:49:06] Why not, you may ask, just sue Pyongyang, since after all they're the goons behind this caper? A good question, but remember a couple of things about North Korea. First, it's not exactly a country with deep pockets. That's why its government hackers are so busy with financial crime. And, second, it's really not a government that has a deep respect for international law. Still less for whatever decisions might be issued by some Yankee court.

Dave Bittner: [00:12:15:08] So what are you going to do? Send a repo man after Great Successor and Dear Comrade Kim Jong-un's Mercedes Limo? Not likely. In the first place it would be hard to get through the bouncers guarding it. In the second place you'd have to beat the Sinanju Highway Patrol to the Yalu Bridges, since you probably wouldn't want to try the minefields around the DMZ, which would be like trying to drive north on the 101 during a Los Angeles rush hour.

Dave Bittner: [00:12:41:04] And, finally, the value of the car probably wouldn't cover the full $81 million, even if it does contain that fully functional on-board toilet, rumored to have been installed after-market. So while the Mercedes is what anyone would call nicely loaded, Bangladesh Bank will have to get whole somewhere else.

Dave Bittner: [00:13:04:15] And now a word from our sponsor, KnowBe4. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's Chief Hacking Officer, to uncover their most dangerous security flaws. Wouldn't it be great if you had insight into the latest threats and could find out what would Kevin do? Well now you can. Kevin and Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, will give you an inside look into Kevin's mind. You'll learn more about the world of penetration testing and social engineering, with firsthand experiences and some disconcerting discoveries. In this webinar you'll see exclusive demos of the latest bad guy attack strategies to find out how these vulnerabilities may affect your organization, and you'll learn what you can do to stop the bad guys. In other words, what would Kevin do? Go to knowbe4.com/cyberwire to register for the webinar, that's knowbe4.com/cyberwire. And we thank KnowBe4 for sponsoring our show.

Dave Bittner: [00:14:15:08] And joining me again is Joe Carrigan, he's from the Johns Hopkins University Information Security Institute, and he is my co-host on the Hacking Humans Podcast. Joe, it's great to have you back.

Joe Carrigan: [00:14:24:19] Hi Dave.

Dave Bittner: [00:14:25:07] I try to make a point to learn something new every day.

Joe Carrigan: [00:14:28:09] Good. I do the same thing.

Dave Bittner: [00:14:31:05] Recently something came by that was not necessarily new, but it was new to me. So much so that I wanted to check in with you about it because it exceeded some of my technical knowledge and I thought maybe you could help out here. It turns out that when you're logging into Facebook on a mobile device, Facebook is not exactly a 100% precise about checking your password. What's going on here?

Joe Carrigan: [00:14:56:01] That sounds scary, doesn't it?

Dave Bittner: [00:14:56:20] Yes. Yes, it was. But I figured there must be more to the story, so what's going on here?

Joe Carrigan: [00:15:03:23] Okay, so this is from a post on Y Combinator, and there's a user who noticed that he entered passwords differently. Facebook still accepted the password so he wrote Facebook and said, "What's up with this?" Facebook told him from a mobile device they will accept four forms of the user's password. They will accept the original password, they will accept the password with the case switched, so in other words as if you have the cap locks on, and the third way is they'll accept it if the original password is in lower case, but it's in upper case.

Dave Bittner: [00:15:46:09] Oh, because mobile devices tend to automatically uppercase words.

Joe Carrigan: [00:15:50:12] Correct, that happens to me frequently on my mobile device, although nowadays in passwords it doesn't seem to be an issue. Finally, they will accept your password if it has an additional character at the beginning or an additional character at the end.

Joe Carrigan: [00:16:05:17] There's two things going on here. One is if I had to speculate on how this is being done, then I would say that they are storing three hashes of your password, when you enter or change your password to a new password. The first one is the original password, then they run a text conversion on the password to change the case of the first letter, they hash that, and then they run a text conversion on the password again to invert the case, then they hash that and they store those three passwords.

Joe Carrigan: [00:16:38:00] This is how I would develop it if I was a developer, when you enter your password, they're going to hash the password you entered, the password you entered minus one character at the end, and the password you entered minus one character at the beginning. That's going to give them three candidate hashes and if any of those candidate hashes matches one of the hashes that they have stored, then they authenticate you.

Dave Bittner: [00:17:01:13] My first inclination here is to think well what?

Joe Carrigan: [00:17:06:18] Right.

Dave Bittner: [00:17:07:09] Password is not a password, it just needs to be close, but I did a little digging on this and saw some people talking about it and saying, "Well no, because you're coming from a mobile device, that's something you have, and this is probably okay". It's worth the slightly lower amount of security for the convenience to the user.

Joe Carrigan: [00:17:28:15] Yes, the lowering of the amount of security is really not that big of a deal. You're changing the case of one letter. You're tripling the key space of available passwords but you're going from one to three. And then the truncating of the password really doesn't have any effect on your security level. Let's say I take a ten character password and then Facebook hashes two nine character passwords, that doesn't really matter, right? I can't think of how that does matter, I might be wrong, but I don't think it matters.

Dave Bittner: [00:17:58:21] Facebook has decided it doesn't matter enough.

Joe Carrigan: [00:18:01:18] Right. And that's really the key here, it doesn't matter enough. Once again, if you're using a 20 character password, that's all upper case, lower case, special characters, numbers, you're going to be fine, this password policy is going to have a minimal impact on your risk. It might actually make it easier for you to log in when you're coming in on a mobile device.

Dave Bittner: [00:18:21:02] Right. And I guess Facebook has made the decision that it's worth it to make it easier for the user to log in on a mobile device, rather than whatever slight amount of insecurity it may add. Is insignificant, but worth it.

Joe Carrigan: [00:18:39:04] If this were my choice I wouldn't do it. If I was running the website, I wouldn't do this, but Facebook has opted to do it. I don't have that big of a problem with it.

Dave Bittner: [00:18:48:04] Yes. Alright, well it's interesting like I said, you learn something new every day. Joe Carrigan. Thanks for joining us.

Joe Carrigan: [00:18:53:21] My pleasure, Dave.

Dave Bittner: [00:18:59:01] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible. Especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:19:11:18] Don't forget to check out the Grumpy Old Geeks Podcast, where I contribute to a regular segment called security HA, I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future Podcast which I also host, the subject there is threat intelligence and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

Dave Bittner: [00:19:40:00] The CyberWire Podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology.

Dave Bittner: [00:19:50:03] Our CyberWire Editor is John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.