The CyberWire Daily Podcast 7.11.19
Ep 882 | 7.11.19

Magecart is getting interested in exposed databases. Agent Smith may be in your Android app store. Tracking FinSpy. A contractor gets spearphished.

Transcript

Dave Bittner: [00:00:03] GDPR fines and their implications. A reminder about Magecart and some notes on its recent interest in scanning for unprotected AWS S3 buckets. Agent Smith - of Guangzhou, not "The Matrix" - is infesting Android stores with evil twins of legitimate apps. FinSpy is out and about in the wild again. Carole Theriault explores the risks facing financial firms. Daniel Drunz is the catphish face of a gang that stung a U.S. government contractor for millions in goods. 

Dave Bittner: [00:00:38]  Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book "SOAR Platforms: Everything You Need To Know About Security, Orchestration, Automation, And Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:49]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:03]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 11, 2019. This has been a week of record fines under the European Union's General Data Protection Regulation. As we've noted, Britain's Information Commissioner's Office has whacked both British Airways and Marriott with stiff penalties for breaches of customer information they sustained. The fines were, respectively, over 183 million pounds for the airline, 99 million pounds for the hotel chain. 

Dave Bittner: [00:02:35]  Given the high regulatory risk that accompanies GDPR, it's worth noting that the British Airways breach was the work of the card-skimming gang behind Magecart, and Magecart is newly active with a disturbing new approach to theft. RiskIQ reports that Magecart's online card skimmers are actively looking for unsecured AWS S3 buckets. The gang has spread its skimmer code to some 17,000 domains over recent months. They've gone for reach and not precise targeting. 

Dave Bittner: [00:03:05]  Some observers find the ability to scan for exposed databases and the willingness to do so particularly alarming. AWS come secure by default, but many - perhaps most - enterprise users will change those settings at some point and all too often neglect to notice that they've done so and sometimes forget to restore them to secure options. It's worth checking on your settings, if only to keep the ICO's wolves from your door. Speaking of the Information Commissioner's Office, it's also issued a warning this week to law enforcement agencies about their responsibilities under GDPR for data collected by facial recognition technology. 

Dave Bittner: [00:03:44]  Check Point is tracking Agent Smith, Android malware whose name is an homage to the villain of the Wachowskis' film "The Matrix." Agent Smith replaces legitimate apps with imitations that carry adware and that have the capability, in principle, to do more than that. Its appetite is said to be voracious. It will attempt to replace every app it finds on a device with a plausible but malicious double. According to ZDNet, researchers have traced the operators behind Agent Smith to an unnamed company based in Guangzhou, China. The company's legitimate business is helping app developers publish and promote their apps overseas. They also apparently operate an illegitimate malware business behind this front, one which was confirmed in part by the company's job postings, which suggested ongoing work to develop malicious code. 

Dave Bittner: [00:04:35]  Agent Smith has been out as a garden-variety adware threat since 2016 but late last year evolved into the more sophisticated threat it represents today. It originally turned up in the third-party app store 9Apps, but its controllers appear to be working toward establishing a foothold in Google Play as well. Most of its 25 million victims so far have been in India, Bangladesh and Pakistan, but there have been infections reported in Australia, the United Kingdom and the United States as well. 

Dave Bittner: [00:05:06]  Financial organizations generally enjoy the reputation for having their security house in order. Makes sense because that's where the money is. But with the continuing growth and the adoption of mobile devices, they've got their work cut out for them. Carole Theriault has the story. 

Carole Theriault: [00:05:22]  Specialist firm in mobile security Wandera have released a report in which they effectively call out the financial industry for poor mobile security standards. So I got to speak with Michael Covington, a VP at Wandera, to share a few report highlights with us. Michael, thanks for chatting with us today. I really appreciate the time. 

Michael Covington: [00:05:44]  Thanks for having me. 

Carole Theriault: [00:05:44]  Now, you have said that in the financial services industry, you found it disconcerting to find mobile security still being an afterthought. Was this your conclusion after you pulled together all the research into the financial industry and their practices? 

Michael Covington: [00:06:02]  It was. And, you know, I think one of the things that's interesting about financial services is the amount of private data that they maintain as a result of their business. And you would think that all computing elements that touch that data would have some form of security to protect it as it's being utilized by employees. One of the things that we found from this study is that that doesn't appear to be the case on mobile. 

Carole Theriault: [00:06:25]  Wow. So it seems that not all is tickety-boo when it comes to cybersecurity. Tell us, what are a few of the highlights from your findings in this report? 

Michael Covington: [00:06:33]  Well, you know, there's good news, and there's bad news. And I'll start with the good news because this may come as a surprise to your listeners. One of the things that we found from our study is that financial services is pretty consistent with what we see with cross-industry statistics around mobile malware, and the reality is that it's quite low in the business environment. We found that on Android, less than 1% of devices are actually impacted by mobile malware. And on iOS, it's even better. It's almost zero. 

Michael Covington: [00:07:00]  But I think where we have real concern is around some of the threats that people don't always think about applying to mobile. Phishing, for example - that's what we'd say is probably the most important or relevant threat today for mobile employees. And we found that, within financial services, more organizations across the board were impacted by mobile phishing than we see across all other industries. So it almost seems as though financial services employees are being targeted, but they're not being trained or being provided with the right tools to protect them against the new threat vectors that are being utilized to kind of levy these phishing attacks - SMS, social networks, et cetera. 

Carole Theriault: [00:07:40]  Yes. You'd kind of say almost that they're hacking the human inside the financial industry, so to speak. 

Michael Covington: [00:07:47]  It's a great analysis. And I think, you know, there's a very strong belief that mobile devices are built well, that they protect information kind of by default. And, you know, generally, we see... 

Carole Theriault: [00:07:58]  Yeah. 

Michael Covington: [00:07:58]  ...That mobile devices - the operating systems that they utilize are pretty well-built from a security perspective. They still have flaws. I think the vulnerability that we saw with the WhatsApp communication tool just a couple of weeks ago really highlighted how the vulnerabilities and the risk exposure that companies face on mobile is quite high. But at the same time, we see attackers kind of being mindful of that fact as well. It's easier to hack a human than it is to hack a device or a - an application. 

Carole Theriault: [00:08:24]  I wonder if many companies are just not hiring or getting in the expertise in the mobile arena, so they're basically taking - well, we know how to protect computers. We'll just apply the same logic to mobile. In fact, it's a very different platform and concept, isn't it? 

Michael Covington: [00:08:40]  It really is. And, you know, it's hard to fault financial services exclusively here because mobile is one of those emerging technologies. Yeah, it's been in the workplace for a number of years now, but we're really hitting a point right now where I think the number of employees that are equipped with mobile and the amount of data that's moved out of a protected data center and into kind of public cloud is at that inflection point now where we really do see more and more of that data being put at risk as it's being pulled out of those data repositories and being utilized by those mobile employees. And I think now's the time to really upskill those employees and get them more focused on mobile because that's the future. 

Carole Theriault: [00:09:20]  So that would be your big takeaway for - not just for companies in the financial sector, but for all companies. Train your employees to be your - well, effectively, your first line of defense. 

Michael Covington: [00:09:31]  Absolutely. You know, I think employees - when it comes to mobile, employees are not only the first line of defense, they're a big part of the solution. One of the trends that we've seen within financial services in particular is a really high adoption rate of BYOD. I think Forrester has put the statistic at 64% of devices as a whole in financial services being employee-owned. And if that's the case, you have to rely on your employee to install the tool that will keep them safe and to kind of deal with alerts as they are often raised. And so if the organization is going to make a decision to push that responsibility down to the user, they really have to equip those users with the right tools and the right training to do something with it. 

Carole Theriault: [00:10:12]  Michael, thanks so much for your time today. This was Carole Theriault for the CyberWire. 

Dave Bittner: [00:10:16]  Forbes reports that Kaspersky has found new infestations of FinSpy in the wild, suggesting that the spyware continues to find users among governments in many corners of the world. FinSpy, a product of the Gamma Group, belongs to the lawful intercept family of security products. It intercepts messenger traffic, including traffic from such widely used services as Skype, Telegram, WhatsApp, Signal, WeChat and BlackBerry Messenger. The spyware is normally installed either through a malicious SMS message to the targeted device or directly by obtaining physical access to the device itself. Gamma Group insists that it sells only to legitimate government agencies for legitimate law enforcement purposes, so FinSpy would be comparable to other law enforcement tools like wiretap equipment or bugs - the sort of surveillance tool that in the United States, for example, and in many other countries as well, would be used only with a duly authorized search warrant. 

Dave Bittner: [00:11:15]  But there are some problems with this. First, Gamma Group was hijacked in 2014, and some of its code was leaked. That code has turned up in criminal knockoffs of the original product. And second, not all the governments who buy lawful intercept products use them with due attention to generally accepted notions of human rights. The instances of FinSpy Kaspersky has been recently tracking appear to originate in Myanmar, and that government's human rights track record has been questionable, to say the least. 

Dave Bittner: [00:11:45]  An unnamed U.S. defense contractor was tricked into sending sensitive, highly classified communications intercept equipment worth about $3 million to an international criminal gang. A search warrant request the U.S. Department of Homeland Security filed with the United States District Court for the District of Maryland revealed the details. Homeland Security Investigations asked for Apple iCloud information pertaining to four email accounts of interest. The incident appears to have been a spear phishing scam executed by hoods posing as a fictional U.S. Navy contracting officer, Daniel Drunz. The criminals were allegedly in email correspondence with a Maryland firm identified in the affidavit only as Company B. They posed as a U.S. naval contracting officer, Daniel Drunz, and used a bogus U.S. Navy email address. It was daniel.drunz@navy.mil.us. Do you see the little rift? Navy.mil.us - a genuine U.S. Navy email address would use the domain navy.mil without the .us. 

Dave Bittner: [00:12:51]  The scammers are being called the Drunz Gang in honor of the catphish they hid behind. The comms intercept gear is the important and worrisome item misappropriated since such equipment is on the United States munitions list and therefore falls under ITAR controls - those are the International Trafficking in Arms Regulations - and of course, the equipment is said to be highly classified. The crooks made off with more than just the comms intercept gear, too. Their take included $6.3 million in televisions and $1.1 million in iPhones and iPads. Those will be a lot easier to fence than the classified equipment, but the Drunz Gang will probably find a buyer for that too. After all, you don't swindle a contractor out of intercept kit just so you can steal Netflix in your she-shed or man cave. 

Dave Bittner: [00:13:44]  And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS, Xenotime, the activity group behind TRISIS, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:14:47]  And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. I wanted to touch base with you on some things we've been tracking with GDPR. It seems as though - I guess people have been waiting, and they've sort of been saying, hey, you know, a year has gone by with GDPR. When are we going to start seeing some big fines? And recently, we've started seeing some big fines. 

Justin Harvey: [00:15:12]  Yeah, Dave. The jury has been out for over a year now. We in the industry have been waiting to see, does the EU have the teeth in order to drill down on GDPR? And as we've seen over the last seven days, the answer is yes, with two organizations being fined a hundred and - over a hundred million, and then the second one over 200 million. And those of us in the industry who have been watching this very closely, we did not know if this was going to go over like a lead zeppelin where we'd see, like, million or $2 million fines or even any fines at all, but it appears that they are very serious about this. 

Justin Harvey: [00:15:53]  And what's even more curious is that one of the businesses that was singled out was actually based in the United States. I think that should be a very big hallmark of things to come not only with United States businesses and international businesses doing operations in the EU theater of operations, but also, how is this going to change regulations and fines of data breaches around the world, not just in the EU? Since you usually see - for trends like this, it starts - there's, like, a pilot or there's a region that says, we're going to try this. And then it catches on, and then it spreads like wildfire. 

Dave Bittner: [00:16:33]  Now, in a situation like this - I'm thinking of you advising the folks you work with, the companies that you work with. Is there a sense that this removes - knowing that these - that this is the way the EU is going to come at GDPR fines, I suppose that removes a certain amount of uncertainty, which is a welcome thing. At least companies know where they stand. 

Justin Harvey: [00:16:56]  Yes. And as an industry veteran, I'm actually excited about the GDPR and their ability to follow through. I think that this is a pivotal or watershed moment in cyber defense. So C-suites and boards are doing a calculus, and they're essentially thinking, if the average fine is - let's pick an average size of a hundred million dollars or a hundred million euros - could they take 20 or 30 of that against a potential loss and essentially invest it into increased cyber defense spending? And Dave, I've got to tell you, if anyone took 20 to $30 million in addition to their normal spend and spent it on cyber defense, that would be like an adrenaline shot to the heart. 

Justin Harvey: [00:17:43]  I think that, you know, what we're telling businesses is maybe to focus more on detection and response, so get that mean time of detection and mean time to detect and respond shorter. So find stuff faster, respond to it faster - less on prevention, although prevention is not dead - and also still do the basics really well - privileged access monitoring, security operations, doing the log management and the threat intelligence and monitoring, multi-factor authentication and, of course, on top of all of this, proper planning and testing of personnel processes in your technology array. But if you just - even if it's a tenth of what a GDPR fine could be, I think that'll really catapult these organizations that have stood up and are paying attention. 

Dave Bittner: [00:18:31]  Yeah, it's fascinating. I mean, it's almost like it's a calibration event, you know? This is the zone that we're in now. 

Justin Harvey: [00:18:37]  Yes. I think that more organizations need to think about the likelihood of attack just as much as the severity. That's what risk management is about. It's about what could happen, what could be the impact and, of course, what's the likelihood. And I - every week and every month that we see more and more incidents, those likelihood numbers are going up and up. And it's just a matter of time before most businesses, if not all businesses and organizations, are hit by a cyberattack at one point or another. 

Dave Bittner: [00:19:09]  All right. Well, it's certainly interesting to watch this as it proceeds. Justin Harvey, thanks for joining us. 

Justin Harvey: [00:19:15]  Thank you, Dave. 

Dave Bittner: [00:19:20]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:33]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.