News Wrap: AWS Cryptojacking Worm, IBM Privacy Lawsuit and More

Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast. This is Lindsey O’Donnell-Welch and I am joined here by Tara Seals. We’ll be talking about the top news stories of the week ended August 21. Tara, how is your week been?

Tara Seals: It’s been pretty good. Lindsey. As far as things go, all things considered. What about you?

LO: Good, good. Just a bit busy with all the news stories happening. I literally just finished up writing an article on IBM and some of the data privacy policies and issues that they’re having there regarding the Weather Channel mobile app, which they own, so that’s kind of an interesting story this week.

TS: Yeah, I was interested actually to see that because I use the Weather Channel app quite a bit and especially lately, because the weather we’ve been having in New England has been a little crazy. So my ears perked up at that kind of big brand name. But yeah, so what’s going on, were they selling data?

LO: Yeah, so it’s it’s an interesting story. And if you remember back to last year, the Weather Channel mobile app got into a little bit of trouble. The New York Times wrote an article about how a ton of mobile apps, including The Weather Channel app, were misleading consumers about data collection and selling location data to advertisers. So on the heels of that the LA city attorney’s office filed a lawsuit against the Weather Channel mobile app, and basically alleged that the app was deceiving its users in how it was using their geolocation data. So what was happening was that when you use the app, as you know, because you use it, Tara, you get permission prompt that basically says, if you share your geolocation data, this will help us give you personalized forecasts and alerts and things like that. The issue here was that the app was not telling users that it was also taking that data and selling it to third party companies – allegedly not saying that – in this prompt. So that was what the issue was, The Weather Channel for its part, or IBM, argued that it did disclose this information in its online privacy policy. But the argument of the LA City Attorney was that the average user is not going to go sift through, you know, a privacy policy which could be 100 pages or something to figure that out, and it should be more upfront. So in the ensuing settlement, what’s going to happen is that the Weather Channel is going to be more clear in how it presents how it’s going to be using data. So it’s an interesting story. I think that we see these types of issues come up with privacy, data privacy, and how transparent companies are being in terms of how they’re using and collecting data. And I think this is a good reminder that this is something that’s still happening, and that companies are trying to figure out.

TS: yeah, for sure. And I mean, that, you know, this is just sort of a rinse and repeat kind of story at this point, because so many of these apps do this type of thing. And I remember I wrote a story a few months ago, actually about a whole bevy of different dating apps that collected all of this personal information. And you know, when you’re talking about something like a dating app, some of that can be pretty sensitive, and they were basically you know, selling it off to advertisers and others. And it was just kind of gross, to be honest. It seems as though there are a lot of apps out there that still think they can get away with it by burying some boilerplate type of language in a privacy policy somewhere. But if consumers don’t take the time to read that, that’s not really, really fair. So, so this is interesting. And again, being such a big name, I wonder if it’s going to have any sort of impact going forward on other apps that might be put on notice.

LO: Right. It’s a good point. And, I talked to a couple of security researchers to ask kind of their opinion on this. And they were saying that, to your point, this probably will have an impact. And also, it does go to show how, with more kind of regulations or regulatory efforts around data collection and things like that. This is showing that there are there are consequences to these types of things. And it’s showing that to other companies because we hear a lot about Facebook, we hear a lot about Google. But this is just a mobile app like, like you were saying, Tara, like dating apps and other apps are also being kind of pulled into the mix here. So it’s interesting, and we’ll see what happens. But, you know, looking at other stories that were pretty big this week, you had a really cool story about a cryptojacking worm that was affecting AWS, I believe, what was that all about?

TS: Yes, so so it’s kind of interesting. So cryptomining, and cloud resources has become kind of a trend lately. You hear a lot about Docker containers, for example, and Kubernetes getting compromised and being used by nefarious types to mine for Monero and Bitcoin and other types of cryptocurrencies. In this case, this is a cryptomining worm that attacked Amazon Web Services. And as far as the researchers know, it might be the very first incident of a malware that targets Amazon specifically for cryptomining. Kind of a first in the malware wear world. And then also on top of that, it’s a worm so itself propagates through the cloud. And that’s also kind of an unusual aspect to a lot of this. So it was a really interesting piece of malware. Not particularly advanced necessarily, but the fact that they’re starting to go after Amazon AWS is certainly notable.

LO: Yeah, definitely, what kind of information did they talk about regarding the the group TeamTNT that was spreading the cryptomining worm, did they have any further interesting points there?

TS: Well, I mean, basically, nobody really knows exactly who TeamTNT are, other than the fact that they sort of make reference to themselves inside the code for their malware. And then they also have a website that claims to be red team pen testing, but of course, it’s nothing like that, that I believe is TeamTNT dot com or something along those lines. So they have self branded, but in terms of who they actually are, we’re not we’re not really sure. It’s a very prolific campaign that they’re running though, with cryptomining malware. And again, you know, the Amazon part is new but they’ve been around actually, since at least April, when they started attacking Docker containers, which again, wasn’t so notable. But now they’ve switched and added Amazon to the mix.

LO: Right, really interesting and I feel like we hear a lot about cryptomining malware or cryptojacking. And we hear a lot about, you know, the malware as it affects browsers and things like that. But I definitely feel as though kind of this trend of targeting the cloud and what that means and kind of the impact there, is also something that has been written about a lot over the past year. So that’s something that we will I’m sure continue to see.

TS: Yeah, and it’s kind of interesting because what it really highlights too is that misconfigurations can happen so easily because basically, the cloud instances that are at risk here are misconfigured Docker containers and Kubernetes. And then AWS instances that store credentials and unencrypted files. So the worm basically can go they can sniff out those credentials in plain text that are being stored there, and it’s very easy for them to compromise Bitcoin in their efforts. And so you know, it’s interesting because it’s just a reminder once again that a lot of these attacks are entirely preventable. It’s just a question of making sure that you have your ducks in a row when you when you stand up a cloud instance.

LO: Yeah, so another cool story that we covered this week was an IoT – Internet of Things – security issue. So basically, the there was a vulnerability in a widely used module, which you know, is a small device that’s embedded into IoT devices, and that works to connect wireless networks and send and receive data. So the module was connected it was manufactured by Thales, which is a French company. But researchers with IBM X-Force Threat Intelligence discovered the vulnerability in this module and what it could allow is it could allow any sort of kind of broad level of impact from knocking out a city’s electricity to overdosing a medical patient – And that’s speculation by the researchers. But that’s basically at the high end what they said it could do. So because this module is used by so many critical IoT devices, whether they’re in the medical field or in power and utility plants, researchers were urging IoT manufacturers to make sure that their devices were updated. So that the researchers discovered the flaw in the device, I believe it was back last September, and then the fix was issued actually in early 2020. But while patches are available right now, researchers were warning that it will take a while for many manufacturers, especially those critical infrastructure ones to apply them to their devices, which I just thought was like a unique part of the story. It shows that this is an issue for IoT device manufacturers because if there’s one bug in the supply chain, it’s not that easy just to go apply in Over the Air (OTA) update. It really depends on the manufacturer and kind of who they are and also especially with these connected medical devices or industrial control gear a lot of the manufacturers have a ton of difficulty applying patches, and it might require recertification, and it might be timing intensive. And so I think that was what really stuck out to me about this story was just how difficult the patching process is for these types of IoT devices.

TS: Yeah, absolutely. That’s a really fascinating story. And again, just kind of a new wrinkle in the IoT ecosystem.

LO: Yeah, definitely. And I feel like we run into IoT security issues almost monthly at this point. I mean, it’s no surprise because I think there was they’re predicting, like the number of IoT devices globally to grow to 55.9 billion by 2025. So like, the threat surface for attackers is certainly lucrative. And it’s, you know, it comes down to whether manufacturer IoT manufacturers can keep up and you know, how they can keep up with security measures and and what they can do. So So we’ll see there. But, Tara, thank you so much for coming on to the threat posts podcast to talk about some of the bigger stories that we covered this week.

TS: Thanks so much for having me. Lindsey. Have a great weekend.

LO: You too. And to all of our listeners. Thanks for listening in to the news wrap. If you liked what you heard or have any further comments or questions, be sure to follow us on Twitter at threat post and post whatever comments you may have. We’re always looking for feedback and to keep the conversation going.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.