The CyberWire Daily Podcast 4.4.19
Ep 815 | 4.4.19

Keeping Winnti out of the goods while keeping an eye on them. GlitchPOS malware. What do apps want? Third-party Facebook data exposure. Digital hygiene. A scareware scam.

Dave Bittner: [00:00:03] Bayer, maker of pharmaceuticals and agricultural products, blocked an espionage attempt by China's Winnti Group and has been quietly monitoring the threat actor since last year. News on GlitchPOS and its evolution. Do those apps really need all that access? Two breaches of Facebook data by third parties. Some good digital hygiene notes. And no, there's no CIA officer warning you'll be arrested if you don't pony up 1.4 bitcoin.

Dave Bittner: [00:00:38] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in; it's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT for free - no installation required. Go to That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:42] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 4, 2019. Pharmaceutical and agricultural chemical giant Bayer this morning announced that it had sustained a network intrusion by the Winnti Group. Active since at least 2010, Winnti has been associated with Chinese intelligence services, cutting its teeth on monitoring disfavored domestic populations - notably Uyghurs and Tibetans - and then moving on to industrial espionage. The goal of the operation seems to have been data theft, not attacks on industrial control systems. Bayer detected and contained the attack last year and has been quietly monitoring it ever since - the better to understand the attackers, how they work and what they're after. German authorities are investigating, and of course, Bayer, the victim in this case, is cooperating with them closely. Bayer may be the victim, but here the victim seems to have done a good job of self-defense.

Dave Bittner: [00:02:46] Booz Allen researchers who've been tracking GlitchPOS report that the malware has evolved; that suggests strongly that its masters are actively maintaining it. GlitchPOS' most interesting new functionality is an offline mode which could enable targeting of systems without direct Internet connections. It also probably enables a quieter mode of operation, reducing chatter to command and control servers. Booz researchers say the malware sleeps for a second between beacons, which may not seem like much but which drops the noise enough to make a difference. As the Booz report notes, Cisco Talos first published an analysis of GlitchPOS, and we'll hear from that research team later in this podcast.

Dave Bittner: [00:03:30] Apps really do ask for a lot more permissions on users' mobile devices than they reasonably need, a Wandera study concludes. The security company looked at some 30,000 iOS apps and found that a lot of them ask for quite a bit - 62 percent wanted to access your photo library, 55 percent wanted into your camera, and 51 percent asked for location when in use. Sure, some of these may give the user a bit of convenience, but Wandera suggests that users really ought to be pickier about what permissions they're prepared to give.

Dave Bittner: [00:04:04] Organizations in the energy sector continue to improve their readiness when it comes to cybersecurity in the operational technology - that's the OT space - on the plant floor, for instance. With the ongoing digitization of critical infrastructure, how are energy companies adapting? Leo Simonovich is global head of industrial cyber and digital security at Siemens Energy.

Leo Simonovich: [00:04:27] Well, the energy sector faces two major challenges in security. One is to secure the vast brownfield, where the equipment is anywhere between 15 and 50 years old, where digital is being bolted on top. And the greenfield, where IoT and security is being implemented within and where attacks are reaching lightning speeds. For the vast brownfield, I think the challenge is foundational, to take some basic measures, like patching and vulnerability management and asset management. That's even hard to do for many companies, especially small- to medium-size enterprises. And then at the same time, how to think about security in a different way - around edge, around cloud and around this bifurcation where a lot of the intelligence is being pushed either into the office environment or right into the field.

Dave Bittner: [00:05:31] Yeah, I mean, it strikes me that that's an interesting challenge, where you have all these available streams of data that can come back to folks controlling these systems, but you still have to have that component on the ground. You're still dealing with mechanical objects, you know, out in the field that are controlling the flow of these critical infrastructure elements.

Leo Simonovich: [00:05:52] Yeah, that's absolutely right; it's where the physical and digital worlds really converge. And we think of security and digitalization as really two sides of the same coin. The attack in Ukraine really illustrates the point. The operative for the first few hours didn't know he was experiencing a cyberattack; he thought that his control system was malfunctioning. And if he was, in fact, collecting and correlating data from the network, the control system and the asset, he would've spotted a pattern that was really out of sync. And this is where AI, in fact, offers enormous benefit. It's those variations and the ability to identify patterns that, to a human brain, would be difficult to pull together but AI can bring to fruition, to say that my process logic says that the machine should be operating at one speed, my network says that it's operating in another, and pulling these pieces of the puzzle together, mixing, matching them and then identifying unusual patterns is sort of the promise that artificial intelligence, machine learning, neural networks can bring to the table.

Leo Simonovich: [00:06:49] But to do all that, you need connectivity, you need basic visibility, and foundationally, you need to embrace artificial intelligence as a tool. And that's something that many energy companies are hesitant to do because, to them, it seems like a black box.

Dave Bittner: [00:07:35] So how do you overcome that resistance? How do you convince them that this is something that's beneficial?

Leo Simonovich: [00:07:41] Well, I think it begins by tackling visibility one block at a time, starting with an understanding what assets you have, how important those assets are, prioritizing them and then beginning to implement some monitoring capability. You shouldn't monitor everything, and the things that you do monitor need to have both operational benefit and security benefit. In fact, the data that we're analyzing - and this is what we're doing at Siemens. We've built a monitoring platform that ingests process and network data to provide insights to customers, in terms of finished intelligence. What we often find is that 90 percent of the alarms have more to do with operational changes than they do with security. But nevertheless, they need to be investigated because a configuration change could mean a cyberattack, or it could mean that a compressor or a turbine is malfunctioning. So this digital revolution that we are all experiencing is inevitable. The question is, how do we protect it to ensure the viability of our economy?

Dave Bittner: [00:08:52] That's Leo Simonovich from Siemens Energy.

Dave Bittner: [00:08:57] Another big Facebook data exposure has been disclosed; this one due to third parties who left the data in indifferently configured AWS buckets. Researchers at security firm UpGuard found 450 million Facebook users' records exposed online. That's pretty big, but we may be growing inured to big breaches. The data were in unsecured AWS buckets belonging to third parties Cultura Colectiva and the now-defunct At The Pool. Cultura Colectiva, a Mexican media outfit, left such data as comments, likes, reactions, account names, Facebook IDs and more waggling around on the Internet, unsecured by so much as a password. The situation was similar with At The Pool; this was a Facebook-linked app whose exposed S3 bucket included a baker's dozen of data categories, including Facebook user ID, user, friends, likes, music, movies, books, photos, events, groups, check-ins and interests, as well as passwords for At The Pool. At The Pool may be gone, but the Facebook data remain, and even the passwords to At The Pool are problematic. As UpGuard points out, many people reuse passwords, so even these could have some utility in credential-stuffing attacks. Reuters says Facebook has succeeded in getting the information taken down. The company has taken the opportunity to point out that, quote, "Facebook's policies prohibit storing Facebook information in a public database," end quote. But as so often happens, there's many a slip twixt the bucket and the lip.

Dave Bittner: [00:10:35] AT&T Cybersecurity's Alien Labs reports finding a Python-based bot scanner which they're calling Xwo. It's actively looking for exposed surfaces and any default passwords users might carelessly have left in place. This serves as a timely reminder of one aspect of good digital hygiene - don't leave that default password in place when you deploy hardware or software tools. People notice. They have bots looking for them. Another aspect of good digital hygiene is, of course, regular, secure backup.

Dave Bittner: [00:11:08] There's a sad story out of Michigan this week in which a small business, specifically a medical practice, is going under due to a ransomware attack. Brookside ENT and Hearing Center in Battle Creek will close its doors permanently on April 30. Attackers encrypted the practice's files and demanded $6,500 in ransom. When Brookside refused to pay, the extortionists wiped the practice's data. Rather than try to rebuild their records - and they decided that this would be difficult, to the point of impossibility - the two principals decided to close the practice and retire. Brookside's files were encrypted, and the attackers aren't believed to have been able to access them, but essentially, all the practice's business data and medical records were lost. Brookside is remaining open until the end of the month but only to answer patients' questions and refer them to other care providers. Several things about the incident are striking. First, a ransom need not be large to destroy a business. Indeed, it probably won't be the ransom demand but rather the data loss that proves the killer. Second, the doctors declined to pay because they didn't believe they'd be provided with a key to decrypt their files. And third, while the data were encrypted, which is important, they apparently weren't effectively backed up in a way that would enable them to be restored, and that broke the practice.

Dave Bittner: [00:12:33] And finally, some news you can use - if you were contacted by someone who says you're about to be arrested for naughty stuff on your device, just blow them off; it's scareware and not real. Trustwave's Spider Labs has been looking into one such scam. The subject line is replete with the sort of officialese that might seem spooky - your email, and that's where they put in your email address, has been verified, and that's followed by a Central Intelligence Agency case number. The body of the email says it's caught you distributing material involving underage children and urges you to open a zip file which will prove that they've got the goods on you. Your arrest is scheduled for April 15, at least in the sample Spider Labs is sharing. Why? Well, the technical collection officer says it's come to his attention that you're a wealthy person concerned about your reputation, and that he's offering to expunge you from the records and the arrest list if you pay 1.4 bitcoin - about $5,000 - in accordance with his instructions.

Dave Bittner: [00:13:36] So is this some rogue Langley flyboy out to make some blackmail money on the side? No, it's the usual jerk trying to scare the naive. Delete the email, and for heaven's sake, don't open any attachments or click on any links.

Dave Bittner: [00:13:56] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms

Dave Bittner: [00:15:12] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You all recently published some new research about some point-of-sale software you guys have been looking at. What's going on here?

Craig Williams: [00:15:26] Yeah. Thanks, Dave. So this piece of malware we found, we're calling it the GlitchPOS, or Glitch Point of Sale malware. And what's really interesting about this one is it's - you know, all these types of kit malware are really designed to allow unsophisticated attackers to basically run malware that's out of their league - right? - to take a really sophisticated idea and make it simple so that anyone can control it and use it successfully.

Dave Bittner: [00:15:52] So walk me through what's going on with this one.

Craig Williams: [00:15:55] So this one's pretty interesting. The author behind it is advertising it on these forums, obviously, for sale. But what I found really interesting is that he's basically using his credibility to help market it. And so a few years ago, he released another similar kit called DiamondFox that was very, very popular, had a post out by Check Point, I think it was, back in 2017 or so. And so, you know, it's one of those interesting things that they do on these criminal forums, right? How do you know who to trust? You know, because anybody could just take somebody's money and run. But - so this guy's standing up and saying, no, I'm an experienced malware author, and I know what I'm doing.

Dave Bittner: [00:16:31] (Laughter).

Craig Williams: [00:16:31] Which - it's hilarious when you think about it, right? Like, talk about operational security fails. You know, it's like, hey, let me just take all my illegal activity and sign my name to it and notarize it with a copy of my ID.

Dave Bittner: [00:16:41] Right.

Craig Williams: [00:16:43] (Laughter) But at the same time, it gives other bad guys a sense of, oh, we can trust him. He's a really bad guy.

Dave Bittner: [00:16:49] (Laughter).

Craig Williams: [00:16:49] He's written malware in the past.

Dave Bittner: [00:16:51] Yeah.

Craig Williams: [00:16:52] It's...

Dave Bittner: [00:16:53] Honor among thieves.

Craig Williams: [00:16:54] Right. Well - oh - wait till we get to the end. It gets even funnier.

Dave Bittner: [00:16:56] (Laughter) OK.

Craig Williams: [00:16:57] And so, you know, when this malware comes out, it's basically packed. It's got a lovely little kit and unpacking routine. So, you know, he's clearly learned to avoid AV. You know, he's attempting to do that through packers. I believe it was a UPX packer, which is, you know, again, time-tested and proven. But the basic payload for this is really interesting. So it's got, like, a command and control system, right? And it's actually pretty visually appealing.

Craig Williams: [00:17:26] You know, I looked at this, and I've got to give this guy credit. It's probably one of the prettiest C2 setups I've seen. It's put a lot of effort into this that we just don't see a lot of times. And so to me, one of my core takeaways from this it's almost like anyone with the sophistication to install a video game could probably run this successfully. The reason I find that so concerning is because a lot of the people who are going to be looking at these underground forums potentially just out of curiosity may be drawn into this because it looks like something they could handle.

Dave Bittner: [00:18:02] Yeah. It's interesting to see where the bar is set, and then it would even extend to something like this in an underground market.

Craig Williams: [00:18:09] Right. And, you know, this is new malware. We did look - there were some visual similarities, so it's pretty clear that they did steal a little bit from the DiamondPOS control panel - or I guess C2 is probably a better word - certainly your graphic interfaces. But the actual malware itself is new. And so that actually does give additional credibility to was this guy behind the other piece of malware. So we do believe these are linked. We believe it's the same author. We believe it's new software he put out there to make some money.

Craig Williams: [00:18:38] But here's where it gets really funny, right? So we're looking at these forums, looking through the malware. And (laughter) the guy comes out. Presumably, this guy bought the malware from the original author, and then he comes out basically claiming it as his own and wanting to sell it on his own. (Laughter) And so he's actually trying to increase some of the prices. And so people called him out on it. But, you know, thieves are going to thieve, you know? (Laughter) What can you do?

Dave Bittner: [00:19:06] Right. Yeah. I guess there is no honor among thieves.

Craig Williams: [00:19:09] Well, at least he was smart enough to use a different forum. But, you know, these type of attacker communities are so small that people are going to tend to use multiple forums. And so while he was called out on it, I'm sure he did make a decent amount of money from it. And so, you know, unfortunately this is going to be one of those things that I think is going to continue to evolve. It's one of these things that Talos is going to have to basically continue to monitor and ensure that our coverage stays in place and ensure that we can properly work with law enforcement all around the world to take these guys down.

Dave Bittner: [00:19:36] Yeah. All right. Well, Craig Williams, thanks for joining us.

Dave Bittner: [00:19:44] And that's the CyberWire. For links to all of today's stories, check out our CyberWire daily news brief at

Dave Bittner: [00:19:51] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at

Dave Bittner: [00:20:02] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.