Research Saturday
448 episodes — Page 9 of 9

S2 Ep 48: Thrip espionage group lives off the land.

Researchers at Symantec have been tracking a wide-ranging espionage operation that's targeting satellite, telecom and defense companies. Jon DiMaggio is a senior cyber intelligence analyst at Symantec, and he takes us through what they've discovered. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

Aug 11, 2018 (28 min)

S2 Ep 47: Cortana voice assistant lets you in.

Researchers at McAfee recently discovered code execution vulnerabilities in the default settings of the Cortana voice-activated digital assistant in Windows 10 systems. Steve Povolny is head of advanced threat research at McAfee, and he shares their findings. The research can be found here: https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140

Aug 4, 2018 (24 min)

S2 Ep 46: BabaYaga, strangely symbiotic WordPress malware.

Researchers at Defiant recently analyzed a malware family they named "BabaYaga," which has the curious behavior of clearing out other malware and keeping infected sites up to date. Brad Hass is a senior security analyst at Defiant, and he guides us through their findings. The research can be found here: https://www.wordfence.com/blog/2018/06/babayaga-wordpress-malware/

Jul 28, 2018 (23 min)

S2 Ep 45: Measuring the spearphishing threat.

Researchers Gang Wang and Hang Hu from Virginia Tech recently conducted an end-to-end measurement of 35 popular email providers and examined user reactions to spoofing through a real-world spoofing/phishing test. Gang Wang joins us to share the sobering results. The paper, "End-to-End Measurements of Email Spoofing Attacks," can be found here: https://people.cs.vt.edu/gangwang/usenix-draft.pdf

Jul 21, 2018 (26 min)

S2 Ep 44: A new approach to mission critical systems.

Andy Bochman is senior grid strategist for Idaho National Lab's National and Homeland Security directorate. Today we're discussing the research the INL has been doing, developing new approaches to protecting mission critical systems.

Jul 14, 2018 (23 min)

S2 Ep 43: No Distribute Scanners help sell malware.

Sellers of malware on Dark Web forums often use No Distribute malware scanning tools to help verify the effectiveness of their wares, while preventing legitimate virus scanning tools from adding the malware to their database. Daniel Hatheway is a Senior Security Analyst at Recorded Future, and he takes us through their recently published research, "Uncover Unseen Malware Samples with No Distribute Scanners."

Jul 7, 2018 (17 min)

S2 Ep 42: VPNFilter malware could brick devices worldwide.

Researchers from Cisco Talos continue to track malware they've named VPNFilter, a multi-stage infection with multiple capabilities, targeting consumer-grade routers. Craig Williams is head of Cisco Talos Outreach, and he joins us with the details.

Jun 30, 2018 (31 min)

S2 Ep 41: LG smartphone keyboard vulnerabilities.

Researchers at Check Point Research recently discovered vulnerabilities in some LG smartphone keyboards, vulnerabilities that could have been used to remotely execute code with elevated privileges, act as a keylogger and thereby compromise the users' privacy and authentication details.

Jun 23, 2018 (18 min)

S2 Ep 40: Cyber bank heists.

Carbon Black's Chief Cybersecurity Officer Tom Kellermann shares the results of their recent report, "Modern Bank Heists: Cyberattacks & Lateral Movement in the Financial Sector." For the report, they interviewed CISOs at 40 major financial institutions, revealing attack and mitigation trends.

Jun 16, 2018 (18 min)

S2 Ep 39: Winnti Umbrella Chinese threat group.

Researchers from ProtectWise's 401TRG team recently published research linking a variety of new and previously reported Chinese cyber threat groups. Tom Hegel is a Senior Threat Researcher with the 401TRG, and he joins us to share their findings.

Jun 9, 2018 (23 min)

S2 Ep 38: Islamic State propaganda persistence.

Researchers from Flashpoint recently explored ISIS' ability to distribute propaganda across the internet, and their use of major internet service providers to help them achieve persistence. Ken Wolf is a Senior Analyst at Flashpoint, and he describes what they learned.

Jun 2, 2018 (21 min)

S2 Ep 37: UPnProxy infiltrates home routers.

Researchers at Akamai recently published a white paper titled "UPnProxy: Blackhat Proxies via NAT Injections." In it, they describe vulnerabilities in the Universal Plug and Play capabilities of home routers, and how malicious actors could take advantage of them. Chad Seaman is a senior CERT engineer at Akamai, and he's our guide.

May 26, 2018 (23 min)

S2 Ep 36: Threat actors hijack Lojack.

Researchers from Arbor Networks' ASERT Threat Intelligence Team recently published a report titled "Lojack Becomes a Double Agent." It outlines how threat actors are altering legitimate recovery utility software and simulating its command and control servers to gain access to target machines. Richard Hummel is manager of the ASERT Threat Research Team, and he joins us to describe their work.

May 19, 2018 (19 min)

S2 Ep 35: Three pillars of Artificial Intelligence.

Bobby Filar is a Principal Data Scientist at Endgame, and coauthor of the research paper "The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation." The report surveys the landscape of potential security threats from malicious uses of AI, and proposes ways to better forecast, prevent, and mitigate these threats. Bobby Filar joins us to discuss the paper, and his views on the evolving role of AI in cybersecurity.

May 12, 2018 (34 min)

S2 Ep 34: BlackTDS and ThreadKit offered in criminal markets.

Kevin Epstein is Vice President of Proofpoint's Threat Operations Center. We're discussing two bits of research with him today. The first is about BlackTDS, a traffic distribution tool for sale in dark web markets. A little later in the show, he'll tell us about ThreadKit, a document exploit builder.

May 5, 2018 (23 min)

S2 Ep 33: New macOS backdoor linked to OceanLotus.

Researchers at Trend Micro recently discovered a backdoor targeting macOS users that they believe is the work of the OceanLotus threat group, an organization previously thought to have launched targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. Mark Nunnikhoven is VP of Cloud Research at Trend Micro, and he explains what they've learned. The research can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/

Apr 28, 2018 (22 min)

S2 Ep 32: InnaputRAT exfiltrates victim data.

Researchers with Arbor Networks' ASERT team have been tracking a malware campaign targeting commercial manufacturing, and have uncovered various samples dating back to at least 2016. Richard Hummel is Threat Intelligence Manager for Arbor Networks' ASERT Team, and he takes us through what they've discovered. The research can be found here: https://www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

Apr 21, 2018 (22 min)

S2 Ep 31: Energetic Dragonfly and DYMALLOY Bear 2.0.

Researchers at Cylance recently uncovered the malicious use of a core router in a campaign aimed at critical infrastructure around the world. Kevin Livelli is Director of Threat Intelligence at Cylance, and he takes us through what they've discovered.

Apr 14, 2018 (21 min)

S2 Ep 30: Crypto crumple zones.

In their recently published paper, "Crypto Crumple Zones: Enabling Limited Access Without Mass Surveillance," coauthors Charles Wright and Mayank Varia make their case for an alternative approach to the encryption debate, one based on economics as a limiting factor on government overreach and surveillance.

Apr 7, 2018 (38 min)

S2 Ep 29: Chasing FlawedAMMYY.

FlawedAMMYY is a newly discovered remote access trojan (RAT) that's been used in malicious email campaigns as far back as 2016. Ryan Kalember is Senior Vice President of Cyber Security Strategy at Proofpoint, and he takes us through their research.

Mar 31, 2018 (23 min)

S2 Ep 28: Code comments cause SAML conundrum.

Researchers at Duo Security recently unearthed a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user's password. Kelby Ludwig is a Senior Application Security Engineer at Duo Security, and he takes us through his discoveries.

Mar 24, 2018 (19 min)

S2 Ep 27: Cryptojacking injections heat up.

There's been an epidemic of cryptojacking code injections recently, as bad actors attempt to cash in on the cryptocurrency craze through unauthorized cryptomining operations on unsuspecting users. Marcelle Lee is a threat researcher at LookingGlass, and she takes us through her recently published research, "Cryptojacking — Coming to a Server Near You."

Mar 17, 2018 (25 min)

S2 Ep 26: Dark Caracal APT steals out of Lebanon.

Researchers from Lookout and the EFF have discovered an APT group operating out of Lebanon that they've named Dark Caracal. The group is running a global espionage campaign, targeting journalists, military personnel, activists, lawyers, medical professionals and educational institutions. Mike Murray is VP of Security Intelligence at Lookout, and he's our guide through their research.

Mar 10, 2018 (40 min)

S2 Ep 25: Lebal malware phishes for victims.

Researchers at Comodo Security Solutions have been tracking a recently discovered strain of malware named Lebal. The malware uses several clever techniques to attempt to hide itself, and once installed targets credentials and cryptocurrency wallets. Fatih Orhan is VP of Threat Labs at Comodo, and he takes us through their research.

Mar 3, 2018 (17 min)

S2 Ep 24: Phishing for holiday winnings.

Or Katz is principal lead security researcher for Akamai's Enterprise Security Business Unit, and the research he's sharing today covers a widespread phishing campaign that targets users through an advertising tactic. The research is titled "Gone Phishing for the Holidays."

Feb 24, 2018 (23 min)

S2 Ep 23: The uncanny HEX men.

The research we're discussing today is called "Beware the Hex Men," and it tracks multiple attack campaigns conducted by a Chinese threat actor. The GuardiCore Labs team identified three attack variants, which they named Hex, Hanako and Taylor, targeting SQL servers.

Feb 17, 2018 (25 min)

S2 Ep 22: IcedID banking trojan.

IcedID is a banking trojan recently discovered and tracked by IBM's X-Force research team, targeting banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Limor Kessem is an executive security advisor with IBM Security. She returns to Research Saturday to describe what she and her team found.

Feb 10, 2018 (23 min)

S2 Ep 21: Advanced adware with nation-state tactics.

Adware is generally considered unsophisticated, and because of its low perceived threat level it's often ignored. Researchers at Booz Allen Dark Labs' Advanced Threat Hunt Team have recently published research describing a more advanced type of adware, using infection techniques usually attributed to nation-state actors. Jay Novak is a threat hunter and tech lead at Booz Allen, and he takes us through their research.

Feb 3, 2018 (19 min)

S2 Ep 20: Targeting Olympic organizations.

This week we're discussing a campaign the McAfee Advanced Threat Research team recently discovered, one that's targeting organizations involved with the upcoming Pyeongchang Winter Olympics. Raj Samani is chief scientist at McAfee, and he shares the campaign's clever details.

Jan 27, 2018 (21 min)

S2 Ep 19: Fancy Bear Duping Doping Domains.

Researchers at ThreatConnect have discovered evidence that Fancy Bear, a cyber espionage group generally associated with Russia's military agency GRU, may be spoofing domains belonging to the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia. Kyle Ehmke is a threat intelligence researcher with ThreatConnect, and he takes us through their work.

Jan 20, 2018 (16 min)

S2 Ep 18: Shake Your MoneyTaker.

A group of Russian-speaking hackers has stolen nearly $10 million from banks around the world. Group-IB, a company with expertise in computer forensics, information security and, specifically, Russian-speaking criminal groups, has named these thieves MoneyTaker. Nicholas Palmer is the director of international business development at Group-IB, and he's joined by their head of threat intelligence, Dmitry Volkov, to explain the MoneyTaker group's schemes.

Jan 13, 2018 (21 min)

S2 Ep 17: TRISIS Malware: Fail-safe fail.

Robert M. Lee is CEO of Dragos Security, a company that specializes in the protection of industrial control systems. He's describing his team's research on TRISIS, tailored ICS malware infecting safety instrumented systems (SIS), so far found only in the Middle East. It's only the fifth known incident of malware targeting ICS systems.

Jan 6, 2018 (38 min)

S1 Ep 16: Hunting the Sowbug.

Alan Neville is a senior threat intelligence analyst at Symantec, located in Dublin. He is responsible for leading and documenting investigations into high priority attacks. He recently published research on the Sowbug cyber espionage group targeting South American and Southeast Asian governments. The research can be found here: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

Dec 30, 2017 (19 min)

S1 Ep 15: Keyboys back in town.

In this edition of the CyberWire Research Saturday, we'll take a look at a more recent intrusion PwC has uncovered, named KeyBoy and highly likely the work of a China-based threat actor. It uses compromised Word documents to gain access. Bart Parys is a lead researcher in PwC's cyber threat intelligence team, responsible for tracking cyber threat actors, their latest toolsets and methodologies. The research can be found here: https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html

Dec 23, 2017 (21 min)

S1 Ep 14: The unique culture of the Middle Eastern and North African underground.

Online underground markets thrive across the globe, with the Middle East and North Africa being no exception. Researchers at Trend Micro recently took a look inside these digital souks, and while much of what they discovered matches similar online marketplaces, there are unique cultural elements that set these regional trading posts apart. Jon Clay is a cyber security expert from Trend Micro, and he takes us through their research paper, "Digital Souks: A Glimpse into the Middle East and North African Underground."

Dec 16, 2017 (24 min)

S1 Ep 13: Stealthy Zberp Banking Trojan.

Zberp is a stealthy banking trojan with an unconventional process injection technique. A hybrid of the ZeusVM and Carberp malware, Zberp uses a variety of techniques to prevent detection while it gathers information from infected systems. Limor Kessem is an executive security advisor for IBM, and she's our guide.

Dec 9, 2017 (25 min)

S1 Ep 12: Staying ahead of Fast Flux Networks.

Bad actors are using Fast Flux Networks with quickly-changing IP addresses and domain names to help hide their activities. Or Katz, Principal Lead Security Researcher at Akamai, takes us through their recently-published white paper, "Digging Deeper — An In-Depth Analysis of a Fast Flux Network."

Dec 2, 2017 (20 min)

S1 Ep 11: Waiting for Terdot, a sneaky banking Trojan.

The Terdot Banker Trojan is a descendant of the Zeus family of malware, and has evolved to feature serious espionage capabilities. It can compromise transactions, steal accounts and credit card information, and can eavesdrop on and modify traffic on social media and email platforms. While not yet widely spread, it's a threat to consumers and businesses alike. Bogdan Botezatu is a senior e-threat analyst at Bitdefender, and he takes us through their recently published whitepaper.

Nov 25, 2017 (20 min)

S1 Ep 10: Dark Net Pricing with Flashpoint's Liv Rowley.

Cybercriminals offer all sorts of illicit goods for sale on Deep and Dark Web markets. In this episode, Liv Rowley, cybercrime intelligence analyst at Flashpoint, takes us through her team's research into the pricing of certain illegal goods online, including "Fullz", exploit kits, DDoS for hire, RDP servers, card data, bank logs and passports. Supply meets demand in this shady underground ecosystem.

Nov 18, 2017 (22 min)

S1 Ep 9: Taiwan Bank Heist and Lazarus Group with BAE's Adrian Nish.

Dr. Adrian Nish is head of cyber threat intelligence at BAE Systems. His team has been tracking a new cyber-enabled bank heist in Asia. Some of the tools used are reminiscent of the Bangladesh Bank attack from February 2016. The full report can be found here.

Nov 11, 2017 (16 min)

S1 Ep 8: Exploring Phishing Kits with Duo Security's Jordan Wright.

In this episode of the CyberWire's Research Saturday we are joined by Jordan Wright, Senior Research and Development Engineer at Duo Security. He's the author of the research report "Phish in a Barrel," which describes his work gathering and examining thousands of phishing kits from around the web.

Nov 4, 2017 (32 min)

S1 Ep 7: Tracking a Trojan: KHRAT.

The moniker KHRAT came about because of the identification of a Remote Access Trojan (RAT) with command and control infrastructure found in Cambodia (KH). In the most recent episode of the CyberWire's Research Saturday, Ryan Olson, Director of Threat Intelligence at Palo Alto Networks, talks with us about the capabilities of KHRAT and shares details of the feature set it provides to the threat actors that use it. The research can be found here: https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

Oct 28, 2017 (19 min)

S1 Ep 6: WireX BotNet with Justin Paine from Cloudflare.

In August 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX. (The botnet is named after an anagram of one of the delimiter strings in its command and control protocol.) The WireX botnet is primarily made up of Android devices running malicious applications and is designed to create DDoS traffic. The botnet is sometimes associated with ransom notes to targets. Justin Paine is Head of Trust and Safety at Cloudflare, and he joins us to share the WireX story. The research can be found here: https://blog.cloudflare.com/the-wirex-botnet/

Oct 21, 2017 (26 min)

S1 Ep 5: Synthesized DNA Malware with Peter Ney.

Peter Ney is a PhD candidate in the Allen School of Computer Science and Engineering at the University of Washington, where he is advised by Professor Tadayoshi Kohno. His current research is focused on understanding computer security risks in emerging technologies like DNA synthesis and sequencing, and the new threats posed by maliciously crafted, synthetic DNA. He and his team found that the security of DNA processing programs is poor, and showed with a proof-of-concept that it is possible to attack computer systems with adversarial synthetic DNA.

Oct 14, 2017 (23 min)

S1 Ep 4: Android Toast Overlay: Ryan Olson from Palo Alto Networks.

Android Toast Overlay enables attackers to trick Android users into enabling permissions on infected devices by making them think they are clicking on benign buttons superimposed over the user interface. Ryan Olson is Director of Threat Intelligence at Palo Alto Networks' Unit 42, and he joins us to share their research.

Oct 7, 2017 (19 min)

S1 Ep 3: APT 33: FireEye's John Hultquist on an Iranian Cyber Espionage Group.

APT 33 is an Iranian cyber espionage group that targets aerospace and energy sectors and has ties to destructive malware. John Hultquist is Director of Intelligence Analysis at FireEye, and he takes us through their research.

Sep 30, 2017 (17 min)

S1 Ep 2: Pacifier APT: Bitdefender's Liviu Arsene describes a sophisticated, multifaceted malware campaign.

In 2016 Bitdefender uncovered a new advanced persistent threat dubbed Pacifier, targeting government institutions starting in 2014. Using malicious .doc documents and .zip files distributed via spear phishing e-mails, attackers would lure victims with invitations to social functions or conferences into executing the attachments. It's capable of dropping multi-stage backdoors. Liviu Arsene is a senior e-threat analyst at Bitdefender, and he's our guide to the complex components of Pacifier APT.

Sep 23, 2017 (24 min)

S1 Ep 1: Cobian RAT: Zscaler's Deepen Desai describes some clever malware.

Deepen Desai, senior director of security research and operations at Zscaler, describes research he and his team have been doing since discovering a clever bit of malware they've named Cobian RAT. (RAT stands for Remote Access Trojan.) It's available for free, but contains a back door that allows the original author to access and control the RAT remotely.

Sep 16, 2017 (18 min)