The CyberWire Daily Podcast 9.12.19
Ep 926 | 9.12.19

The StingRays that were in DC. Old-school file formats and attack code. Ransomware becomes spyware. Joker apps ejected from the Play store. Multifaceted deterrence. Advice on BEC.

Transcript

Dave Bittner: [00:00:03] D.C. StingRays are alleged to be Israeli devices. North Korea is slipping past malware defenses by putting it into old, obscure file formats. Ryuk ransomware gets some spyware functionality. Google has purged Joker-infested apps from the Play store. The U.S. Defense Department explains its multifaceted approach to cyber deterrence, and the FBI warns that business email compromise is on the upswing and offers some advice on staying safe. 

Dave Bittner: [00:00:37]  It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff, and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire, and we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:01:44]  Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com. 

Dave Bittner: [00:02:11]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 12, 2019. Politico says that three former senior officials with knowledge of the matter have told the publication that the U.S. government has concluded that StingRay cell monitoring devices found in Washington, D.C., were probably placed by Israeli operators. StingRays, which have been used by various law enforcement organizations, are more formally known as international mobile subscriber identity-catchers - IMSI-catchers. They can be used to intercept calls and monitor data use. Official U.S. response to the story has been muted. Politico dutifully reports the official Israeli denials of involvement. 

Dave Bittner: [00:02:59]  Researchers at the security firm Prevailion have disclosed a cyber scoop that North Korean hackers are turning to more obscure file formats like Kodak FlashPix in the hope that these will slide past antivirus screens. Prevailion's report calls the campaign Autumn Aperture. They view it as a move in the faltering nuclear talks the DPRK is conducting with the United States and its allies. Prevailion says, quote, "we hypothesize that these documents, sent via a socially engineered email, would have likely been anticipated by the intended victims, thus increasing the threat actor's chance of success," end quote. 

Dave Bittner: [00:03:38]  They offer examples of some of the documents being used in the campaign - Trojanized speaker's notes for a nuclear deterrence summit presentation, a similarly Trojanized report on North Korean ballistic missile submarine capabilities and a document impersonating a U.S. Department of the Treasury renewal notice for a sanctions license. The researchers associate the campaign with the Kimsuky or Smoke Screen threat group in turn associated with Pyongyang. They note that Autumn Aperture is part of a trend in which malicious code is hidden in image files. 

Dave Bittner: [00:04:12]  There seems to be a convergence between spyware and ransomware, as some ransomware may be acquiring information-stealing functionality. Bleeping Computer reports that MalwareHunterTeam has found that a strain of the widely used Ryuk ransomware appears to be exfiltrating files of interest to an FTP site. The malware is particularly interested in military, intelligence and law enforcement data. 

Dave Bittner: [00:04:38]  Back in 2017, the Spectre and Meltdown side-channel attacks gained notoriety for their ability to exploit vulnerabilities in modern CPUs to break down the isolation between programs running in the OS or between different applications running on the same processor. Since then, mitigations have been developed, as well as methods for detection. SonicWall is one of the companies who've been researching and providing mitigations to these types of side-channel attacks, and we checked in with Bill Conner, president and CEO at SonicWall, for an update. 

Bill Conner: [00:05:11]  It is very sophisticated. It actually goes right at the architecture of how memory and processing works, and basically, by side-channel, what it's talking about is - the malware comes in and it uses the cache of the processing. And it's a time sequence, so it takes those 256 bits, if you will, and turns them all off, and it looks to see which ones go to cache because if it goes to cache, guess what? It's repeatable one or zero. And that's how they decode what's happening on that chip, so whether it's encrypted or not, it doesn't matter. And so that becomes the real focus of a side-channel attack, so that is why it will be one of those big moments if and when they take a shot at that - either critical infrastructure or certain types of information. 

Dave Bittner: [00:06:11]  Now, to be clear, have you seen any cases of people using these attacks out there in the wild? 

Bill Conner: [00:06:19]  Really important - we have not seen it weaponized yet, Dave. That's the important part. Certainly, the researchers are increasingly showing how it can be used. Even knowing that, it's going to be - my view, our view, is it will be a country-state that has the expertise and resources to weaponize this exploit vector. 

Bill Conner: [00:06:49]  The problem is it will happen. If you think about - you know, when Meltdown and Spectre came in, they came in January of '18, so we're a year and a half of public available data. Clearly, China had it before that because it was Intel and they were working in China on their manufacturing and their architectures to do that. But, you know, it will happen at some point. The target will probably be public-private cloud - you know, data centers or, you know, virtualized data centers in a targeted company that could be a carrier provider or a high-net target to kind of - to disrupt. 

Dave Bittner: [00:07:35]  And so why the emphasis on artificial intelligence and machine learning? What does that bring to the table? 

Bill Conner: [00:07:42]  Really important question. Machine learning - deep learning, in our case - is really important because think about it. Just this year - and we'll release in a couple of weeks the first pass statistics. But last year, we had over 10 billion malware attacks. This year, it's down a little bit, but, you know, think of 5 billion. If you just take half of the year, 5 billion attacks - you have to find a way to process that very quickly and very effectively, and those things are really combining, as I said, in malware cocktails. People can't process that fast. Now, we use it - all machine learning is not equal. For those that are listening that understand deep learning and machine learning, it's about the amount of data you get. Well, we got lots of that, since we've been doing it for, you know, over 20 years, and we've just been doing it on network security. 

Bill Conner: [00:08:38]  The other thing - besides lots of data to improve your algorithm - you need is focus so you don't have as many false positives. As these guys recombine malware into different data structures, you need to really use not file-based but artifact-based machine learning. And just like we talked about this - these were never seen before, but in weeks or months, we're able to characterize the artifacts of all these attacks that they're attacking on the process or side-channel. Even on traditional technology - forget side-channel for a moment - this real-time deep memory inspection is a new mousetrap to catch some robo-mouses that are powering through traditional security techniques. 

Dave Bittner: [00:09:26]  Yeah. 

Bill Conner: [00:09:27]  And what was powering it in Q1 was Russia, and it was a financial spam. So that's when this becomes important because once you find a new attack vector, how you weaponize it and what you weaponize it with becomes kind of a choice of a country or a bad guy. 

Dave Bittner: [00:09:46]  That's Bill Conner from SonicWall. 

Dave Bittner: [00:09:50]  Google has now purged 24 apps infected with the Joker Trojan from the Play store. The Joker was discovered in the apps by researchers at the security firm CSIS Security Group. They describe the Trojan as both a spy that collects data and as software that subscribes you to unwanted premium subscription services. It does so silently, and you may not notice what's going on until the bill arrives - or, actually, when you realize that you've paid the bill. CSIS offers some good general advice. Pay close attention to the permissions apps ask for, and be stingy in granting them. 

Dave Bittner: [00:10:28]  U.S. federal agencies are working out roles and responsibilities in cyberspace during the course of war games. Breaking Defense describes the exercises as bringing together organizations from the Departments of Defense and Homeland Security. The U.S. Defense Department has also offered Congress a look at some of its current thinking on cyber deterrence. Deterrence is commonly thought of as involving the credible threat of retaliation, but the department calls its approach to deterrence multifaceted, with denial playing a significant part. An adversary can be deterred if they became convinced that their attacks would be futile. So sure, enemy state, maybe Cyber Command will go medieval on your networks if you, say, fiddle with an election, but on the other hand, it might be the case that you won't be able to accomplish what you'd hoped to do with your attack, so it might be better if you just forgot the whole thing. 

Dave Bittner: [00:11:22]  In the wake of the arrests made internationally in Operation reWired, the U.S. FBI reiterates warnings that business email compromise attacks remain a persistent danger. Much of the advice the bureau is distributing is a matter of generally applicable cyber hygiene - things like keeping your systems patched and up-to-date. Some of them are good advice for any form of social engineering, like ensure the URLs in emails is associated with the business it claims to be from, or be alert to hyperlinks that may contain misspellings of the actual domain name and, of course, refrain from supplying login credentials or PII in response to any emails. Business emails compromise is, at its core, a form of social engineering, and wise organizations take measures to harden themselves against online con jobs. 

Dave Bittner: [00:12:11]  But some of the FBI's advice is more specific to the risk of business email compromise, like use secondary channels or two-factor authentication to verify requests for changes in account information. And this one is really important, so for heaven's sake, don't wire a million dollars to some account just because you got an email from your CEO telling you to do so. And CEOs, don't do things that will accustom your people to responding to your bizarre whims. Maybe an email asking someone to go by your house to check on your pet iguana seems very far away from an email directing finance to send a quarter million to a vendor no one's ever heard of. But remember, a journey of a thousand miles begins with a single step. 

Dave Bittner: [00:13:01]  And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. 

Dave Bittner: [00:13:57]  And joining me once again is professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, it's great to have you back. We wanted to chat today about default features that come from manufacturers of devices and some of the cautions that folks should have when it comes to that. 

Awais Rashid: [00:14:15]  Absolutely. So, you know, we all bought that new mobile phone and new electronic device and are keen to use and enjoy the features of this new device. But you have to go through the setup phase where you have to basically enable or disable some settings as you're starting up your new device. And the natural tendency of a lot of people is to, you know, just skip, skip, skip and then move on so that they can actually start utilizing their new device. 

Awais Rashid: [00:14:42]  But implicitly, there are a number of the features that manufacturers provide that can potentially collect data on the users or encourage users potentially to participate in particular services that the manufacturers provide. And recent work that we have done actually shows that users have actually not a very good understanding of what these default features are and how they make up the data about the user. 

Dave Bittner: [00:15:06]  Is this on the manufacturers of the devices to revisit these sorts of things? Should there be nag screens that come on to remind folks to take a look at it? 

Awais Rashid: [00:15:17]  There is a lot of focus around third-party apps. So let's take mobile phones as an example. There has been a lot of work recently done on making users more aware as to what permissions those apps are requesting. This used to be a common feature on Apple's iOS, and Android now has a similar mechanism where it can show you what are the permissions the app is requesting and whether you are willing to give them or not - this is called Dynamic Permission setting - and so on. 

Awais Rashid: [00:15:45]  But manufacturer-provided features are a little bit different from that. And this is where, you know, the examples that I'm thinking of here are things like, you know, location services which come as part of the operating system on the device that you get or smart assistants like Siri and the Google smart assistant as well as other things like, you know, where - by the photo apps that come as default with the phone from the manufacturer but actually tag your location with the photos. 

Awais Rashid: [00:16:11]  And users actually often see them as part of the phone rather than as an application that comes from the manufacturer that is built into the phone. And as a result, they are much more likely to ignore the privacy implications of actually leaving some of these features enabled that they may not need in the first instance. There is perhaps some need for manufacturers to make users more aware that these applications actually collect their data in particular ways and utilize that data. 

Dave Bittner: [00:16:41]  Yeah. It seems to me like there's also a balance here between the ease of use and the amount of granularity that the providers give to the user. 

Awais Rashid: [00:16:53]  Yes. And there is always that balance because if you make things too complicated for users to configure, then, again, you know, the risk is that they would actually go on to ignoring those settings in the first instance. But equally, users often do not really see them as features that collect their data. So the awareness about applications tends to be there compared to what the manufacturers provide. And, of course, from a manufacturer perspective, they do want people to use Siri and the Google assistant and so on and so forth. They do want people to sign in to cloud services and so on. But implicit within that is the user then giving up data and information to the manufacturer, which users are not always fully aware that that's what's happening. 

Dave Bittner: [00:17:35]  Yeah. It seems like there's a lot of different forces that are sort of in tension with each other when it comes to these things. 

Awais Rashid: [00:17:42]  Yeah. And the key here is that, of course, you know, sharing drives, this kind of data-based economy in which we live, the question we have to ask is - and then it's not a simple answer here as to how to what extent users are really empowered to decide what they shared and what they don't share and to what extent, you know, there is this sort of tendency that is perhaps encouraged by the design of the various products and services for users to just quickly skip the setting that would get them to use the feature. Because ultimately, nobody wants to spend lots and lots of time configuring a lot of different settings. And in many cases, users do not really have a full understanding of what those settings mean. 

Dave Bittner: [00:18:21]  Well, professor Awais Rashid, thanks for joining us. 

Dave Bittner: [00:18:28]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:40]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.