The CyberWire Daily Podcast 7.9.19
Ep 880 | 7.9.19

Security issues with Zoom for Macs. Astaroth fileless malware reported in Brazil. GoBotKR distributed by torrent. ICO hits British Airways with a record fine. State attacks and state defenses.

Transcript

Dave Bittner: [00:00:03] Zoom user security appears to have been sacrificed on the altar of user experience. The fileless Astaroth Trojan is again in circulation, mostly for now in Brazil. Torrents are distributing the GoBot2 backdoor. The UK's Information Commissioner's Office clobbers British Airways with a record fine under GDPR. Croatian government offices are spear phished. Iran says it's now got an attack-proof com system. And NSA's IG reports. 

Dave Bittner: [00:00:37]  Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need To Know About Security, Orchestration, Automation, And Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire, and we thank ThreatConnect for sponsoring our show. 

Dave Bittner: [00:01:48]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:03]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 9, 2019. Those of you who use the popular Zoom video conferencing tool on your Macs should be aware that a serious vulnerability has been reported. Security researcher Jonathan Leitschuh reports that the flaw allows any website to forcibly join a user to a call complete with camera access, so you could be pulled into a call and watched while you're simply minding your own business. You may not be interested in the call, but the call is interested in you. The problem amounts to susceptibility to drive-bys. 

Dave Bittner: [00:02:43]  There have been other issues with Zoom. Some versions of it could, for example, induce a denial-of-service condition in an affected Mac by repeatedly joining a user to an invalid call. And should you have uninstalled Zoom, the conferencing tool will have left behind a reinstallation feature that could reinstall the Zoom client without any user action on your part beyond visiting a web page. Zoom has a reputation for convenience, and it's pushed back in its own defense by maintaining that the vulnerability is really more of a feature, one that enables users to get beyond an otherwise cumbersome and click-heavy experience when they're joining a call. If you do use Zoom on a Mac and if you're not interested in the possibility of being on unwanted display, go to the Zoom preferences and select turn off my video when joining a meeting. That will at least keep you off camera. 

Dave Bittner: [00:03:34]  Microsoft warns that a campaign using the fileless Astaroth information-stealing Trojan is underway. Astaroth lives off the land, which can render detection difficult. The tools the campaign uses would typically be whitelisted, and so their mere employment wouldn't necessarily trigger any alerts that were simply looking for known malware and known file signatures. On the other hand, as Bleeping Computer quotes Microsoft, they do use those tools in anomalous ways, and that can become fairly obvious to systems on the lookout for suspect behavior. Most of the current Astaroth campaign victims - some 95%, in fact - are located in Brazil, but that shouldn't move people elsewhere in the world toward a false sense of security. 

Dave Bittner: [00:04:19]  Security company ESET has identified a campaign using torrents to distribute the familiar commodity GoBot2 backdoor. ESET calls this particular version GoBotKR. The bait in this case, as is appropriate to a torrent-based campaign, consists of movies and television shows. In this case, they're Korean movies and TV. Most of the victims have been in South Korea. GoBotKR, a relatively straightforward bit of badness, does the sorts of things most botnets do. It enables misuse of the affected device. It allows the botnet to be controlled and extended. And it seeks to evade detection by the victim. GoBotKR is well-suited to conducting distributed denial-of-service attacks. ESET notes its ability to seed arbitrary files using BitTorrent and uTorrent. If you think you're affected, you can scan for the malware and remove it if it's found. But here's some better, more general advice. Don't download torrents from pirate sites. It's not just about GoBot2. Lots of other malicious code is distributed that way. 

Dave Bittner: [00:05:23]  In the most recent version of their "State Of The Internet" report, Akamai took a closer look at the online gaming community and the security issues they face. Akamai's Martin McKeay is one of the report's authors. 

Martin McKeay: [00:05:36]  We chose gaming because we knew when it comes to credential abuse, gaming is a huge target. And as we dug into it, we found out that it was an even bigger target than we thought. Even though the number of gaming targets is relatively low compared to all of the rest of the types of industries that we see, the amount of traffic flowing to them was over 20% of all of the attacks that we see. One of the key findings is, overall, SQL injection attacks are increasing greatly. They used to be 45% to 55%, usually closer to the 45. With this report, overall, SQL injection has risen to 65% of all of the attacks we see. That's not gaming when - we can look at that a little bit later, but that is a huge increase over the last 12 months. And a lot of that unluckily seems to be coming from Russia, and I don't mean - a lot of the growth seems to be coming out of systems in Russia, and that one was very surprising to us. We started looking into the gaming and where, in credential abuse, the targets and the source of attacks seems to come from and to the U.S. For gaming, it was actually, again, Russia that a large part of the attacks are coming from. 

Dave Bittner: [00:06:54]  I can imagine that perhaps some gamers don't apply the same level of security or scrutiny to their gaming accounts that they would to, say, their banking credentials. 

Martin McKeay: [00:07:05]  You would think that. But actually, when you look at what the gaming companies are saying themselves - their push into two-factor authentication, their pushes into educating their users - you realize that's not necessarily the case. There are some users out there who I would suppose actually pay more attention to their gaming credentials than they do their banking credentials. And the whole reason we're seeing that move into gaming is because it's a lucrative market. There is value to all of the skins, all of the devices you can buy for your characters. Those have value. It's easy to go and say to the FBI or to your local law enforcement, hey, somebody cracked into my bank account, and here's how much they stole. Here's how much it was - I lost, and can you go investigate? If you go and say, somebody broke into my Minecraft account and took it over and sold it, it's a lot harder to explain to a police officer or a law enforcement officer that that has value. 

Dave Bittner: [00:08:07]  What are your recommendations? What are the take-homes from this report? 

Martin McKeay: [00:08:11]  You know, when it comes to protecting accounts, two-factor authentication is going to be the single biggest thing folks can do. If your game allows it, do it. If your bank account allows it, do it. The second, I would say, is use a password vault. Use a notepad. Use some form of recording your passwords and making sure your passwords are unique per account. Between those two things, that can make such a huge dent in credential abuse. That's what I would say for the consumer. Follow the instructions that your games are giving you to protect your accounts. But for businesses - and this is outside of gaming - this is everywhere - your APIs are under attack. Your APIs have people constantly trying to get into them. Be aware of that. Take some measures to make sure that you're actually monitoring that because in a lot of cases, organizations aren't paying the same amount of attention to that API traffic that they are to the web traffic. And if you're popped on the API, it's just as bad as being popped on your website. You need to be aware that it's happening, that that's where - one of the places bad guys are moving to. 

Dave Bittner: [00:09:25]  That's Martin McKeay from Akamai. 

Dave Bittner: [00:09:29]  The fine the U.K.'s Information Commissioner's Office levied against British Airways for a September data breach is confirmed to be 183 million pounds - that's roughly $229 million - far exceeding the ICO's previous record of half a million pounds, Forbes observes. High as it is, the fine is shy of the 4% of annual turnover the ICO could have taken. In British Airways' case, 4% would have amounted to 500 million pounds. Another way of ballparking the fine is to notice - as Securonix did, for one - that the ICO is costing British Airways about what they'd pay for two airliners. The airline, which points out that it disclosed the breach within a day of discovery and has since found no sign of large-scale criminal exploitation, intends to appeal. 

Dave Bittner: [00:10:19]  We received a note from Oleg Kolesnikov, who heads up Securonix Threat Research Lab. He points out that British Airways was one of many businesses hit by the Magecart operators. As he puts it, quote, "the malicious threat actors have been continuing the attacks following the BA breach at even larger scale, infiltrating over 2,000 e-commerce businesses this year alone," end quote. The ICO apparently intends the penalty as a deterrent. Any site that handles personal information should take careful note. As Kolesnikov wrote, quote, "this should send a clear signal that organizations have a responsibility for protecting personal data and the need to make cybersecurity a business imperative," end quote. 

Dave Bittner: [00:11:01]  Croatian authorities have revealed that earlier this year, an unknown threat actor infected government organizations with a malicious payload called SILENTTRINITY. Assembled largely from off-the-shelf components readily found in various corners of the internet, SILENTTRINITY as a whole was a distinctive, never-before-seen piece of malware. The attackers approached their victims by spear phishing. The phish bait consisted of bogus delivery notifications, some of them posing as the Croatian postal service, others presenting themselves as various retail services. Who's behind the campaign is unknown, but they appear to be using some of the same infrastructure the Russian organs have employed against Ukrainian targets. 

Dave Bittner: [00:11:44]  Iran, apparently moved to action or at least proclamation by the cyberattack the U.S. is said to have executed against Tehran's intelligence and missile units, has announced the fielding of a new military command and control system. The commander of the Islamic Revolutionary Guard Corps says they've fielded the domestically developed Sepehr 110, a military communications system designed to be protection against cyber and other modes of electronic attack, as any such system can be. Whether the Sepehr 110 represents a real capability, a misfire, an aspiration or simply strategic deception remains to be seen. 

Dave Bittner: [00:12:21]  Finally, the inspector general's office at the U.S. National Security Agency has rendered its annual report to Congress. The report finds no serious or flagrant problems or abuses, but it does list a number of issues it judges significant. That is to say Fort Meade struggles with many of the same cybersecurity issues that concern other government agencies and, indeed, nongovernmental enterprises as well - things like compliance, continuity planning and so forth. 

Dave Bittner: [00:12:54]  And now a few words from our sponsor Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating. As Dragos recently identified, the most dangerous threat to ICS, Xenotime, the activity group behind TRISIS, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:13:57]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, it's great to have you back. 

Joe Carrigan: [00:14:05]  It's good to be back, Dave. 

Dave Bittner: [00:14:06]  We got some news in the past few days here about a major manufacturer of, I guess, primarily consumer devices. 

Joe Carrigan: [00:14:14]  Yes, D-Link. 

Dave Bittner: [00:14:15]  And they have - I guess they've made an agreement with the FTC. What's going on here? 

Joe Carrigan: [00:14:19]  They have. This starts from an FTC action with a - it started with a 2017 complaint specifically mentioning D-Link routers and IP cameras. And the FTC, which is the Federal Trade Commission, pointed out that there were hard-coded login credentials for the IP cameras - right?... 

Dave Bittner: [00:14:37]  OK. 

Joe Carrigan: [00:14:38]  ...Which is bad. 

Dave Bittner: [00:14:38]  Very bad. 

Joe Carrigan: [00:14:39]  That means that everybody knows what they are, and they're the same for all the cameras. 

Dave Bittner: [00:14:43]  And they don't change. 

Joe Carrigan: [00:14:44]  And they don't change. 

Dave Bittner: [00:14:45]  Right. 

Joe Carrigan: [00:14:45]  And storage of mobile app credentials in cleartext - so if I'm using the mobile app, the storage of the credentials are happening on my phone in cleartext. 

Dave Bittner: [00:14:54]  So the mobile app to, I guess, control these devices. 

Joe Carrigan: [00:14:57]  Right. 

Dave Bittner: [00:14:58]  Yeah. 

Joe Carrigan: [00:14:58]  Yeah, a cleartext. 

Dave Bittner: [00:14:59]  Another bad thing. 

Joe Carrigan: [00:15:00]  These are bad, right? 

Dave Bittner: [00:15:01]  Yeah. 

Joe Carrigan: [00:15:01]  So as part of the settlement, D-Link will implement a new security plan. They will have threat modeling and vulnerability testing before releasing a product... 

Dave Bittner: [00:15:11]  (Laughter). 

Joe Carrigan: [00:15:11]  ...Which they should already have, right? 

Dave Bittner: [00:15:13]  (Laughter). 

Joe Carrigan: [00:15:13]  But they don't. 

Dave Bittner: [00:15:14]  Yeah. 

Joe Carrigan: [00:15:15]  And they're going to move in the more secure direction. That's good. I'm happy with hearing this information. Additionally, the company will monitor existing systems for security flaws. They'll start pushing automatic firmware updates, which is good, right? A lot of these IoT vendors are not going to be able to do that. There are some that you're just never going to get to be updated because the companies may not exist anymore because they're cheap and just manufactured on the fly. 

Dave Bittner: [00:15:40]  Right. 

Joe Carrigan: [00:15:40]  They're going to create a bug bounty program as well... 

Dave Bittner: [00:15:42]  Oh. 

Joe Carrigan: [00:15:43]  ...A vulnerability reporting system for security researchers, which is something that every company out there who produces a product should do, but very, very, very few of them do. 

Dave Bittner: [00:15:53]  This is one of the things that you work on... 

Joe Carrigan: [00:15:55]  Correct. 

Dave Bittner: [00:15:55]  ...At Johns Hopkins. 

Joe Carrigan: [00:15:56]  Correct. I am actually the Information Security Institute's vulnerability disclosure coordinator. So when some of our students or our faculty or staff find a vulnerability, it's my job to reach out to the company or to the organization to disclose that vulnerability. 

Dave Bittner: [00:16:11]  And your experience is this is not an easy job. 

Joe Carrigan: [00:16:13]  It is almost never an easy job to do. 

Dave Bittner: [00:16:16]  (Laughter) Right, right. 

Joe Carrigan: [00:16:17]  It's very easy with Apple, so much so that when people find vulnerabilities in Apple, they don't even work through me. They just contact Apple directly. 

Dave Bittner: [00:16:25]  Interesting. 

Joe Carrigan: [00:16:25]  I'll say that Apple does a very good job with this. 

Dave Bittner: [00:16:27]  Yeah. Not everyone does. 

Joe Carrigan: [00:16:28]  Not everyone does. I've had people I've tried to disclose vulnerabilities to who didn't react until someone from Bloomberg contacted them, and that got the attention of the vice president of communications. 

Dave Bittner: [00:16:39]  (Laughter) Funny. 

Joe Carrigan: [00:16:40]  So yeah, now - oh, now the media is looking. Let's - and that's really the only way to get these companies to do it. Companies should be - actually, and this and the government regulation as well, as we're seeing here (laughter). 

Dave Bittner: [00:16:51]  Yeah. 

Joe Carrigan: [00:16:52]  But, you know, these companies really should be proactive in this. They should - hey, have you found a security vulnerability? We want to know about it. 

Dave Bittner: [00:17:00]  Right. 

Joe Carrigan: [00:17:00]  And the counterproductive knee-jerk reaction is, well, don't disclose it, or we'll sue you. That is not helpful at all. 

Dave Bittner: [00:17:09]  I - it's a shame that it got to this point too, that you have to have a government action... 

Joe Carrigan: [00:17:14]  Right. 

Dave Bittner: [00:17:14]  ...To get this sort of positive change. 

Joe Carrigan: [00:17:16]  Yeah, well, all these things - the reason, Dave, is all these things have costs, right? 

Dave Bittner: [00:17:20]  Yeah. 

Joe Carrigan: [00:17:21]  And the motivation is not to produce a vulnerable product, but it's actually to produce the product cheaply and effectively, not necessarily securely. So I guess the only way to change the economic paradigm here is to actually impose costs and sanctions... 

Dave Bittner: [00:17:37]  Yeah, yeah. 

Joe Carrigan: [00:17:37]  ...You know, from a government standpoint. And I'm not one who's big into government regulation... 

Dave Bittner: [00:17:42]  Yeah. 

Joe Carrigan: [00:17:43]  ...Personally, but I don't know what else you can do here. 

Dave Bittner: [00:17:46]  Well, and I'm thinking of that consumer, you know, standing there at their local electronics shop... 

Joe Carrigan: [00:17:51]  Right. 

Dave Bittner: [00:17:51]  ...Looking at a shelf full of routers. They know they need a new router. They want to buy a security cam or something like that. And it doesn't seem like security is put on the box as a differentiating factor... 

Joe Carrigan: [00:18:04]  Yeah. 

Dave Bittner: [00:18:04]  ...Very often. It's in... 

Joe Carrigan: [00:18:05]  No, it is not. It's all the features that come with it... 

Dave Bittner: [00:18:07]  Right. 

Joe Carrigan: [00:18:07]  ...All the cool things it can do. 

Dave Bittner: [00:18:08]  And it seems like - I don't know. Are we heading into an era where security can be a feature... 

Joe Carrigan: [00:18:14]  Right. 

Dave Bittner: [00:18:14]  ...That people want? 

Joe Carrigan: [00:18:15]  Well, hopefully, because, as you said, the consumer is not really demanding the security built into the product, right? They're just going out and buying the cool features. 

Dave Bittner: [00:18:24]  And the cheap one. 

Joe Carrigan: [00:18:24]  And the cheap one. 

Dave Bittner: [00:18:25]  Yeah. 

Joe Carrigan: [00:18:25]  Exactly. So I think two things need to happen. One is consumers need to step up and say, I don't want a product that's not as secure, and I'm willing to pay more for a product that is because I understand that has a cost associated with it. 

Dave Bittner: [00:18:39]  Right. 

Joe Carrigan: [00:18:39]  And the other thing is that these companies need to just step up and say, we need to produce a more secure product. 

Dave Bittner: [00:18:45]  Yeah. And I guess if they don't, then that's when folks like the FTC... 

Joe Carrigan: [00:18:49]  Right. 

Dave Bittner: [00:18:49]  ...Step in... 

Joe Carrigan: [00:18:50]  Step in. 

Dave Bittner: [00:18:50]  ...And make the - get their attention... 

Joe Carrigan: [00:18:53]  Yeah. 

Dave Bittner: [00:18:53]  ...One way or another. 

Joe Carrigan: [00:18:53]  But the FTC is never going to penalize a company - a foreign company produces a bunch of insecure products and then closes, right? It's never going to happen that way. 

Dave Bittner: [00:19:02]  Well, I suppose it's good news that... 

Joe Carrigan: [00:19:04]  This is good news. 

Dave Bittner: [00:19:05]  ...Change will happen here. 

Joe Carrigan: [00:19:06]  Yeah, and other companies are hopefully taking notice of this. You know, they don't want the government coming in and telling them, you're going to do this. They're just going to say, you know what? We're going to go ahead and take this proactive step now... 

Dave Bittner: [00:19:15]  Right. 

Joe Carrigan: [00:19:16]  ...I hope. 

Dave Bittner: [00:19:16]  Because look what happened to D-Link. 

Joe Carrigan: [00:19:17]  Right, exactly. 

Dave Bittner: [00:19:18]  We don't want that to happen to us. 

Joe Carrigan: [00:19:19]  We do not want that to happen. 

Dave Bittner: [00:19:20]  Yeah. All right. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:22]  It's my pleasure, Dave. 

Dave Bittner: [00:19:28]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:40]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.