Coordinated inauthenticity with a domestic bent. Preinstalled malware in discount phones. Evilnum and the Joker continue to evolve. Incidents at FreddieMac and RMC.


Facebook takes down more coordinated inauthenticity. Preinstalled malware is found in discount phones available under the FCC's Lifeline program. The Evilnum APT continues its attacks against fintech platforms and services. Joker Android malware adapts and overcomes its way back into the Play Store. Freddie Mac discloses a third-party data breach. Johannes Ullrich from SANS on defending against evil maids with glitter. Our guest is Rohit Ghai from RSA with a preview of his keynote, Reality Check: Cybersecurity's Story. And the Royal Military College of Canada's hack attack remains under investigation.

And now a word from our sponsor, ThreatConnect. Designed by analysts, but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest book, SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation, and Response. The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR, and ends with a checklist for a complete solution. Download it at threatconnect dot com slash cyberwire. That's threatconnect dot com slash cyberwire, and we thank ThreatConnect for sponsoring our show.
Funding for this CyberWire podcast is made possible in part by McAfee. Many companies are continuing to support a work-from-home model while putting a strain on their IT resources and security. McAfee is helping companies scale their security to work-from-home employees while optimizing IT architecture. Learn more at mcafee dot com slash work from home.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July ninth, twenty twenty.

Facebook yesterday took action against several networks for violations of social media's policies against foreign interference and coordinated inauthentic behaviour. The networks were based in four countries: Brazil, Canada, Ecuador, Ukraine and the US. The takedown was noteworthy for the prominence of political messaging directed at domestic audiences. The networks in Canada and Ecuador exhibited both inauthenticity and foreign interference aimed at audiences in El Salvador, Argentina, Uruguay, Venezuela, Ecuador and Chile. The messaging here had a political dimension as well, but few obvious political commitments, often coming down on opposite sides in matters of electoral politics. Facebook said it was able to connect the activity to political consultants and former government employees in Ecuador, and also to Estraterra, a Canadian public relations firm. They spent about one point three eight million dollars on Facebook ads. Estraterra is no longer welcome on Facebook's platform.

But the networks in Brazil, Ukraine and the US are in some ways more interesting because they were taken down for using coordinated inauthenticity to engage domestic audiences. The activity in Brazil, Facebook said, was linked to individuals associated with the Social Liberal Party, including Jair Bolsonaro, who is of course Brazil's current president. This network also bought Facebook ads, but only to the chicken feed amount of fifteen hundred dollars.
In Ukraine, the coordinated network was particularly active during the two thousand nineteen presidential and parliamentary elections. It posted about various issues of domestic interest, including Russia's occupation of Crimea and Ukraine's relationship with NATO. It also appeared to support some candidates. They spent about one point nine three million dollars on Facebook and Instagram ads.

Finally, the activity in the US was connected to the already banned Proud Boys group, whose attempts to get back onto Facebook the social network was watching. In the course of that investigation, they identified a number of inauthentic accounts that the Washington Post connected to former political consultant Roger Stone, who, until his conviction for lying and witness tampering, had been an advisor to President Trump. Facebook credits sealed court records in the case of the United States versus Stone, released after a petition by several news organizations, with helping it recognize the coordinated inauthenticity. This network also bought ads, more than the Brazilians but less than the others: not quite three hundred eight thousand dollars, according to Facebook.

Researchers at security firm Malwarebytes report preinstalled malware on ANS, that is, American Network Solutions, UL40 phones running Android OS seven point one point one. The devices are among those sold by Assurance Wireless under the US Federal Communications Commission's Lifeline program, which makes budget phones available to low-income consumers. This is the second time this year Malwarebytes found preinstalled malware in discount Lifeline devices. Back in January, the company found similar issues with UMX U683CL devices produced by Unimax
Communications, which Malwarebytes says officially removed all preinstalled malware from its phone in February.

ESET has a report out on the Evilnum APT, a little-discussed group that's been active against financial technology companies since two thousand eighteen at least. The security firm's researchers say that the threat group uses a mix of internally developed and commodity attack tools. They steal financial information from trading and investment platforms. Most of Evilnum's targets have been in the EU or the UK, with a few in both Canada and Australia. The commodity tools they use are for the most part purchased on the criminal-to-criminal market from the Golden Chickens malware-as-a-service vendor, whose other customers include FIN6 and the Cobalt Group. The information Evilnum has taken includes spreadsheets and documents holding customer lists, investments, and trading operations; internal presentations; software licenses and credentials for trading software platforms; cookies; browser session information; email credentials; and customer credit card information, including proof of address and identity documents. The group has also been interested in information that could prove useful in subsequent attacks, like VPN configurations. They identify the group as an APT, that is, an advanced persistent threat, but ESET doesn't connect Evilnum with any particular government, and while it notes that Evilnum buys some of its tools from the same vendor as FIN6 and the Cobalt Group, it says it found no other connections among those threat actors.

Security firm Check Point today outlined a new variant of Joker Android malware hiding inside apparently legitimate apps, some of which circulate in the Play Store. Forbes summarizes the findings as more evidence of Joker's dangerous sophistication. It hides itself in the manifest file of infected apps, which Check Point explained is the file
every Android app must have, where the developer declares permissions needed, usage of servers and so on. The actor pushed an encoded malicious payload into metadata fields in that file, only to be decoded and loaded when on the victim's device. That way, no configuration or payload needs to be pulled from the Internet. Google has ejected the malicious apps from the Play Store, but the Joker operators are adaptive, and once they're detected, they return.

Continuing our media partnership with RSA and their upcoming Asia Pacific and Japan conference, our guest today is RSA President Rohit Ghai with a preview of his conference keynote, Reality Check: Cybersecurity's Story.

The theme for the conference this year is the human element, and I reflected on what it is that makes us human. You know, I think the unique trait that humans have is that we're a storytelling species, and as such I reflected on what the story of the cybersecurity industry is, and what impact it has in terms of the future of the industry. So that's sort of the thought process that led me to taking a storytelling perspective to the industry and the domain of cybersecurity.

Can you give us a little bit of a preview of some of the things you're planning to talk about?

Absolutely. The framing of the overall talk, a story arc, to use the word, is: I set it up in terms of the human element being a theme for cybersecurity, and why the human element is important. And the net of it is that while we obsess so much about the technology infrastructure that we are looking to protect in the cyber world, intrinsically this is a very human genre. What we protect at the end of the day is the trust that we as humans have in technology and data. That's, at the end of the day, our mission. So I think just framing the mission from a humanistic glance is the first thing that I hit on. Next, what I set up, you know: the story comprises three episodes. I will talk about the story we had in the industry,
the story we have in terms of how we tell our story today, and close out with stating the story we want, in terms of how we should tell our story, because in my view the way you change the future, the way you change the world, is to tell the story that you want to. I don the story. The story comes first, the future.

You know, it strikes me that many of us got together for the conference in San Francisco earlier this year, and for, I imagine, most of us, that was the last big get-together that many of us had. That was the last opportunity for the industry to really get together, and so much has changed in just a few months since then. I imagine that that must have played into your thoughts here as you were putting this presentation together.

Absolutely, indeed, it was top of mind, and, you know, the way I knitted it into the story is like a plot twist. Every great story has a plot twist, and boy, we have a plot twist in the last few months. Who would have thought that right on the heels of the San Francisco show, the conference, we would all be quarantined, sheltered in place, and the world going through what it has gone through. What I've reflected on in my talk is some key learnings. What have we learnt through this global pandemic that we've all been living through? And I've tried to draw inspiration, you know, in terms of those learnings, into the field of cybersecurity. So that's sort of the overall flow of the talk that I intend to give.

That's RSA President Rohit Ghai. The RSA Asia Pacific and Japan conference kicks off July fifteenth.

Freddie Mac, the US Federal Home Loan Mortgage Corporation, has disclosed a data breach. It's apparently a third-party incident. Borrowers whose loans were serviced by one of Freddie Mac's due diligence vendors have received letters warning them of the breach.

And Canada's Department of National Defence is continuing its investigation of last week's hacking incident at
RMC, the Royal Military College of Canada, the Kingston, Ontario, college that's the equivalent of the US Military Academy at West Point or Britain's Royal Military College at Sandhurst. The Department of National Defence has said all early indications suggest this incident resulted from a mass phishing campaign. The Financial Post cites sources at the college as saying it was a ransomware attack. Emsisoft told the Financial Post that, assuming it was ransomware, the gangs responsible were probably either DoppelPaymer or NetWalker, both of which steal data before they encrypt drives and submit their ransom demand. NetWalker tends to add its victims to its public list and then remove them once they begin negotiating payment, whereas DoppelPaymer's style is not to disclose its victims until they refuse payment. Given that RMC hasn't shown up on anyone's list of victims yet, they're betting it's DoppelPaymer. The Department of National Defence said that certain systems of the Canadian Defence Academy, the umbrella organization for Canadian military education, were also affected, but the locus of the attack was RMC, whose networks have remained offline as a precaution. No classified information, the department says, is at risk.

Now, a word from our sponsor, Dragos. Be sure to catch their next webinar on July twenty-second, co-hosted by Deloitte. It's titled Building and Retaining an ICS Cybersecurity Workforce. They'll tell you how to address the worldwide cybersecurity skills shortage and the impacts of hiring freezes. Visit dragos dot com slash webinars. That's dragos dot com slash webinars, and we thank Dragos for sponsoring our show.

And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the StormCast podcast. Johannes, it's always great to have you back. You know,
we've heard a little bit about these evil maid attacks in the context of the Thunderspy vulnerability. You've got an interesting angle to this. Can you unpack what's going on here?

Yeah, so Thunderspy was a technically difficult to pull off vulnerability where you essentially have to open up a laptop. You attach a little device to it to flash the Thunderbolt firmware on the motherboard, but the effect is quite devastating if an attacker is able to do that, because it essentially sort of destroys the trust that your system has in its hardware. These attacks are often called evil maid attacks, and the reason they're called evil maid attacks: well, back in the old days, when we were able to travel, we stayed at hotels, and of course sometimes had to leave our laptops in a hotel safe, which we all know is not all that great. And an evil maid that comes not to clean the room, but to clean all of our secrets off our laptop, may be able to have enough time alone with the laptop to pull off an attack like this. So the difficult part is, it's really hard to prevent this attack other than carrying your laptop with you at all times, which of course sometimes is difficult and really inconvenient. So another approach is really to think about how to detect these.

All right. So what do you propose here?

Well, one simple trick that I read about myself many years ago, and actually picked up, is: you can buy this glitter nail polish, or maybe not. Use a glitter nail polish, and then you just put a little dab of glitter nail polish on the screws. The attacker has to remove the screws from the laptop, and putting this glitter nail polish on the laptop, on its screws, well, if they open it, they will break that seal, so to speak, and it's very difficult, of course, even if they happen to have the same brand of nail polish, to get it back
just the right way. So you would take a picture of these screws after you apply the nail polish. I also recommend covering it up a little bit, not to hide it, but to prevent it from being damaged accidentally. Many of us have, like, little cases that we put on our laptops to protect them better. They may also help here. But just put a little piece of paper on it, maybe some tape too, to prevent accidental damage.

I could imagine also that if someone were going to break into your laptop, and they flipped it over, and they saw glitter on the screws, they might think twice about it because of the possibility of them being discovered.

Correct, and it may also discourage them. On the same note, hotel safes are known to be not secure. I prefer, like, a little backpack, a Pelican case, a patch I can put my own padlock on. Again, this is not perfect. Cut the plastic; they can still steal a laptop. That's not... you're worried about them modifying the laptop without you knowing, so this is really more about adding some tamper evidence than tamper-proofing or theft-proofing the laptop.

I always wonder with these sorts of things. It strikes me that if you are someone whose risk profile includes this sort of evil maid attack, I suspect you would probably know it and have these sorts of protections put in place, or you'd be the person who wouldn't leave a laptop behind if this was something that you knew you were perhaps going to fall victim to.

Correct, that's definitely the case here, and I've seen companies that, for high-risk individuals, have, like, X-ray machines, and periodically X-ray laptops to make sure they haven't been tampered with, sort of on a circuit board level. What I always recommend is have two laptops: one with company secrets that you leave in the hotel, and your personal secrets that you keep with you. So that way nothing important gets stolen.

It's a heavy backpack, Johannes.

Backpack. Allows me. Yeah. That's right. That's right.
All right, Johannes Ullrich, thanks for joining us.

Thank you.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, Proofpoint's ObserveIT, the leading people-centric insider threat management solution. Learn more at observeit dot com.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
