MuddyWater shows renewed activity--no zero-days and no exotic malware, just clever approaches and determined social engineering. Spam is serving up payloads that exploit an old Microsoft Office vulnerability. Russian-sponsored disinformation has been romping freely through YouTube. Some back-and-forth over Huawei: Washington isn’t relenting, but some relief for US companies may be forthcoming. And Beijing rumbles about retaliation. United Technologies has agreed to acquire Raytheon. Joe Carrigan from JHU ISI on Apple’s newly announced secure sign-in service and it’s focus on privacy.
Dave Bittner: [00:00:00] Happy Monday, everybody. This is Dave with a quick reminder that if you haven't already, please be sure to listen to our "Hacking Humans" podcast. That's where myself and Joe Carrigan from The Johns Hopkins University Information Security Institute look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. You can stay up to date by following the "Hacking Humans" social pages on Twitter, Facebook and Instagram. You can also find it on our website, thecyberwire.com. It's "Hacking Humans." We hope you'll check it out. Thanks.
Dave Bittner: [00:00:36] MuddyWater shows renewed activity. No zero-days and no exotic malware - just clever approaches and determined social engineering. Spam is serving up payloads that exploit an old Microsoft Office vulnerability. Russian-sponsored disinformation has been romping freely through YouTube. Some back and forth over Huawei. Washington isn't relenting, but some relief for U.S. companies may be forthcoming. And United Technologies has agreed to acquire Raytheon.
Dave Bittner: [00:01:09] And now a word from our sponsor ObserveIT. According to Cisco, over the course of 1 1/2 months, the typical suspicious insider can download 5,200 documents. Unfortunately, many ad hoc insider threat investigations can drag on for weeks or even months since it's tough to know exactly who did what, when and why. Security analysts have to wade through a sea of event logs, many of which are completely irrelevant, to eventually discover the root cause of an incident. What if we told you that there's a way to investigate insider threat incidents faster? With ObserveIT's dedicated Insider Threat Management platform, security teams can quickly find out the context into both the user and data activity behind an alert. Detailed user activity timelines and easily searchable metadata help you know the whole story on insider threats. Visit observeit.com/cyberwire to try out ObserveIT's sandbox environment for yourself, no downloads or configuration required. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:02:21] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:02:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 10, 2019. Trend Micro, which increasingly seems to be playing Captain Ahab to Tehran's white whale - but in a good way - has more on the MuddyWater actor. There has been a resurgence in activity by the threat campaign. The latest round of phishing targets appear to have been in the Turkish government and Jordanian universities. The approach in these cases involve the use of compromised credentials, as opposed to the spoofed identities noticed in earlier rounds. There are new technical developments in MuddyWater's activity - a new PowerShell-based multi-stage backdoor, PowerStats version 3 and some new post-exploitation tools, for example. But Trend Micro, in their closing summary, points out that MuddyWater seems to have access to neither zero-days nor advanced malware, yet it manages to compromise its targets and get the job done without needing either. If zero-days are your bugaboo, don't overlook the threat that shifting and clever scheming can present. MuddyWater doesn't.
Dave Bittner: [00:03:46] Microsoft warned late Friday that a wave of spam is carrying malicious .RTF files that exploit CVE-2017-11882, a vulnerability in an older version of Microsoft Office's Equation Editor. That this is worrisome news shows that many users continue to be laggards with respect to patching. The vulnerability in question was fixed back in 2017. All you need to do to be safe is make sure your software is up-to-date.
Dave Bittner: [00:04:16] Speaking of patches, tomorrow is Patch Tuesday, and the industry expects the customary round of fixes from Microsoft and Adobe. Stay tuned.
Dave Bittner: [00:04:26] Russian-operated YouTube channels are freely spreading tabloid-esque disinformation that successfully evades YouTube's content moderation. NTV and Russia-24 were among the sources of stories that Reuters says ranged from lurid accounts of, quote, "a U.S. politician covering up a human organ harvesting ring to the economic collapse of Scandinavian countries," end quote. There are a few things the Reuters story notes.
Dave Bittner: [00:04:54] First, contrary to YouTube's stated policies, the content was not labeled as state-sponsored. It is now, but that's after some media-on-media nudging. And second, the 26 channels drew about 9 billion views between January 2017 and December 2018, which is certainly a respectable number of views and a dispiriting suggestion of the worldwide appetite for this sort of thing. Finally, there was a commercial dimension to all those views. Omelas, the online research firm that sourced the Reuters story, estimates that the Moscow baloney may have pulled in as much as $58 million from ads, some of that from Western advertisers who are innocently trying to reach a news-downloading audience.
Dave Bittner: [00:05:40] What does that mean under standard YouTube ad revenue sharing rates? The Russians would have got between $7 million and $32 million, with between $6 million and $26 million going to YouTube itself. From the Russian point of view, that's probably just gravy on the side of an information operations main course, but still, it's enough to keep a couple of decent-sized front businesses up and running.
Dave Bittner: [00:06:06] A spokesperson for YouTube explained matters to Reuters as follows - quote, "We don't treat state-funded media channels differently than other channels when it comes to monetization as long as they comply with all of our other policies. And we give users context for news-related content, including by labeling government-funded news sources," end quote. Reuters glosses this as saying that, quote, "YouTube said it welcomes governments in its revenue-sharing program and does not bar disinformation," end quote. We mention this not to bash YouTube but to offer a kind of reality check concerning the state of content moderation.
Dave Bittner: [00:06:43] YouTube and other social media have been on a bit of an algorithmic high horse for the last couple of months about the content they would and would not tolerate and the measures they put in place to clean the Internet's cognitive house. Apparently, that high horse is shrinking a bit, down from deplatforming to a promise of compliance plus context. In fairness to social media, they've been getting a fair bit of stick from various governments, including the governments of relatively free states, about the stuff they allow to transit their platforms. And it's also true that content moderation is difficult, expensive and quite possibly impossible to automate.
Dave Bittner: [00:07:24] There's been some backing and filling over Huawei blacklisting since late last week; it continued over the weekend. The GSM Association, a major mobile communications industry group, estimates that the cost of ejecting Huawei from 5G infrastructure could cost EU mobile carriers perhaps as much as 52 billion euros and might delay the fielding of 5G service by as much as 18 months.
Dave Bittner: [00:07:49] For their own part, U.S. tech companies, especially semiconductor manufacturers, have expressed concern over the ban's hit on exports. This is, in some circles, being pitched as a security matter, with the economic health of the export market being tied to the economic health of the defense industrial base. Some of those companies may have found sympathetic ears in both the Office of Management and Budget and the Commerce Department, who have suggested that it might be worth giving U.S. companies a bit more time to arrange coping mechanisms for the effects the entity listing of Huawei will have on them.
Dave Bittner: [00:08:25] The Department of Defense hasn't softened its own opinion of Huawei, nor has the U.S. let up on the diplomatic offensive against Huawei, urging South Korea to take a similar stock of the risk the Chinese device manufacturer may pose to supply chains. Russia has taken notice, too, and has publicly aligned itself with Huawei. This probably represents an opportunistic shot at the American main enemy than it does any deep convergence of Sino-Russian strategic objectives.
Dave Bittner: [00:08:54] China's government is warning tech companies - specifically Microsoft, Dell and Huawei - of the consequences of cooperating with Washington as opposed to Beijing in the Huawei affair. Those consequences will be, Beijing points out, very bad for their business, indeed. Not everyone got the memo - Facebook won't be offering its products pre-installed in new Huawei phones.
Dave Bittner: [00:09:19] And finally, Raytheon has agreed to be acquired by United Technologies. The merged company will be the world's second-largest defense and aerospace integrator behind only Boeing. Raytheon will bring significant cybersecurity capabilities to its new corporate parent, assuming they're retained once the acquisition settles.
Dave Bittner: [00:09:43] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need To Know About Security Orchestration, Automation, And Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:10:59] And joining me once again is Joe Carrigan. He's from The Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, it's great to have you back.
Joe Carrigan: [00:11:08] It's good to be back, Dave.
Dave Bittner: [00:11:09] Apple recently announced at their Worldwide Developers Conference that they were going to be introducing a single sign-on option.
Joe Carrigan: [00:11:20] Right.
Dave Bittner: [00:11:20] They're calling it Sign In with Apple. The folks over at Naked Security, Sophos' blog...
Joe Carrigan: [00:11:26] Right.
Dave Bittner: [00:11:26] ...Have some coverage of that, which is what you and I are looking at here right now.
Joe Carrigan: [00:11:30] Yep.
Dave Bittner: [00:11:30] Danny Bradbury wrote about.
Joe Carrigan: [00:11:32] Yep.
Dave Bittner: [00:11:32] What do you make of this?
Joe Carrigan: [00:11:33] Well, I'll tell you. I'm not a big fan of single sign-ons, and the article talks a lot about Facebook and Google's single sign-on.
Dave Bittner: [00:11:39] Right.
Joe Carrigan: [00:11:40] Now, I have absolutely no reason to trust Facebook on anything with their history and their mission statements, I guess.
Dave Bittner: [00:11:46] Yeah. Let me interject just quickly. I will shamefully admit that there was a time years ago before I had seen the light...
Joe Carrigan: [00:11:55] Right.
Dave Bittner: [00:11:55] ...With using a password manager and before, I think, our opinions had turned on Facebook, before all the revelations that came out about what they were doing with our data.
Joe Carrigan: [00:12:04] Right.
Dave Bittner: [00:12:05] I made use of Facebook single sign-on for several sites because it solved a problem.
Joe Carrigan: [00:12:11] Right.
Dave Bittner: [00:12:11] It made things easier.
Joe Carrigan: [00:12:12] It does solve a problem and make things easier.
Dave Bittner: [00:12:14] Yeah.
Joe Carrigan: [00:12:14] And the same with Google's. I am more inclined to trust Google, although Google still does have the privacy or - the privacy concerns because they are a - essentially a free service, which means you're the product.
Dave Bittner: [00:12:25] Right.
Joe Carrigan: [00:12:26] And now Apple's getting into the game. My solution is I just use a password manager.
Dave Bittner: [00:12:30] Yeah.
Joe Carrigan: [00:12:30] Right? And I have a different account for everything. And it's much more difficult, or they have to go through more math or whatever, to align my accounts across multiple projects, right?
Dave Bittner: [00:12:39] Right.
Joe Carrigan: [00:12:39] Or multiple websites. If I just willingly give up that information by having a single sign-on with either Google or Facebook, that's just been something that's never appealed to me.
Dave Bittner: [00:12:50] Yeah. Now...
Joe Carrigan: [00:12:50] I just don't want them to know who I am from that perspective.
Dave Bittner: [00:12:53] Right. Now, the thing that Apple is doing here, though, is that they say they're coming at this from a privacy direction.
Joe Carrigan: [00:12:59] That's correct. Apple's addressing this from a privacy direction. And one of the things that they're doing is if your app in the App Store offers single sign-on for Facebook or Google, then you are required to offer the Apple option when it becomes available.
Dave Bittner: [00:13:16] A little arm-twisting there, perhaps?
Joe Carrigan: [00:13:18] A little arm-twisting there, yeah. This is nothing new for Apple. Apple's always been, you know, kind of dictatorial in their development process...
Dave Bittner: [00:13:25] Right. Right.
Joe Carrigan: [00:13:26] ...Which is one of the reasons I've not kind of liked them, but I understand why they do it. They do it because their users are the priority. And I have a genuine appreciation for that, and I like what Tim Cook is doing here. And I like the idea that, if you're going to offer single sign-on, then you have to offer the Apple single sign-on. And then Apple's going to say, we're going to try to protect our customers' data. Now, you're still faced with the same underlying problem. You are trusting one entity with all your login information, right? I'm not saying that this is a high-probability event, but if Apple gets compromised, a lot of bad things can happen.
Dave Bittner: [00:14:02] Yeah.
Joe Carrigan: [00:14:03] Right?
Dave Bittner: [00:14:03] It's interesting they're allowing you to spin up randomly generated email addresses.
Joe Carrigan: [00:14:08] Yeah. They'll let you (laughter)...
Dave Bittner: [00:14:09] Disposable email addresses.
Joe Carrigan: [00:14:10] Disposable email addresses to sign up for these websites. They are definitely going at this with a privacy-focused message, which appeals to me a lot. If it weren't for all the other things I dislike about Apple, this kind of makes me want to go, hmm.
Dave Bittner: [00:14:22] (Laughter) Can't help you out. I can see the turmoil within you, Joe.
Joe Carrigan: [00:14:25] Right. Yes.
Dave Bittner: [00:14:28] I wonder if this could really be disruptive. I mean, Apple has a lot of devices out there.
Joe Carrigan: [00:14:32] They do.
Dave Bittner: [00:14:33] And by requiring folks to include this in their software, first of all...
Joe Carrigan: [00:14:38] If - they don't require you to include it in your software. They only require it if you offer single sign-on from other vendors.
Dave Bittner: [00:14:43] Right, right. I wonder if there's enough incentive, first of all, to get folks to switch over. If you're already using Facebook or Google...
Joe Carrigan: [00:14:50] Right.
Dave Bittner: [00:14:50] ...Chances are - that's a bigger thing for you to get someone to switch from something they're already using. It's a bigger effort, I guess - the momentum there.
Joe Carrigan: [00:14:58] I think if Apple users see that it's available from Apple, they'll start using it because Apple users generally tend to love Apple.
Dave Bittner: [00:15:03] Yeah, that's true.
Joe Carrigan: [00:15:04] Yep.
Dave Bittner: [00:15:04] That's true. Yeah. Well, again, it's going to be interesting to see how this plays out. I think there's the potential here for some disruption in a good direction...
Joe Carrigan: [00:15:13] Yeah.
Dave Bittner: [00:15:13] ...But I think it also points to this focus on privacy. I think there's a recognition that people are hungry for this.
Joe Carrigan: [00:15:20] Yeah. Yeah. And like I say, with password managers, you run the same risk with a password manager, to be fair. If you use one of the ones you pay for, even the private one, they're - those are all targeted by malware. And if those get compromised, they've got the keys to the kingdom.
Dave Bittner: [00:15:33] Yeah.
Joe Carrigan: [00:15:34] So, you know, you're probably at the same risk that way for using Apple single sign-on versus a password manager, but I just prefer using a password manager.
Dave Bittner: [00:15:44] All right. Well, we'll keep an eye on it. It'll be interesting to see how it plays out. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:15:49] My pleasure, Dave.
Dave Bittner: [00:15:54] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:16:07] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:16:35] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris, Russell. Our staff writer is Tim Nodar; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
ObserveIT is the leading Insider Threat Management solution with approximately 1,700 customers across 87 countries. ObserveIT is the only solution that empowers security teams to detect insider threats, streamline the investigation process, and prevent data exfiltration. Start your free trial of ObserveIT today.
Designed by analysts but built for the entire team, ThreatConnect’s intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics, and workflows in a single platform. Start Using ThreatConnect Today for Free.