CyberWire Daily - A new Lazarus backdoor. Malvertising for a bogus Clubhouse app. Cryptojacking the academy. When is a cartel not a cartel? Strategic competition between the US and China. Choking Twitter.

Episode Date: April 9, 2021

Lazarus Group has a new backdoor. Bogus Clubhouse app advertised on Facebook. Cryptojacking goes to school. A ransomware cartel is forming, but so far apparently without much profit-sharing. The US Senate is preparing to make strategic competition with China the law of the land. Dinah Davis from Arctic Wolf looks at phony COVID sites. Our guest is Jaclyn Miller from NTT on the importance of mentoring the next generation. And Russia remains displeased with a lot of Twitter’s content. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/68

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Lazarus Group has a new backdoor. Bogus Clubhouse apps are advertised on Facebook. Cryptojacking goes to school. A ransomware cartel is forming, but so far apparently without much profit sharing.
Starting point is 00:02:12 The U.S. Senate is preparing to make strategic competition with China the law of the land. Dinah Davis from Arctic Wolf looks at phony COVID sites. Our guest is Jaclyn Miller from NTT on the importance of mentoring the next generation. And Russia remains displeased with a lot of Twitter's content. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 9th, 2021. Researchers at ESET have discovered a hitherto unremarked backdoor North Korea's Lazarus Group deployed against a South African freight company. The backdoor, Vyveva, has been in use since December of 2018. Its initial compromise vector is still
Starting point is 00:03:13 unknown. Code similarities and the reuse of familiar techniques lead ESET to attribute Vyveva to Lazarus with high confidence. As they put it, quote, However, the similarities do not end there. The use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus. TechCrunch reports that criminals have taken out a number of ads in Facebook to hawk what they misrepresent as a Clubhouse app for PCs. Facebook has removed the ads, several of which stopped attempting to communicate with their command and control servers in Russia after they were sandboxed. At least some of the malicious ads appear to have been intended to deliver ransomware.
Starting point is 00:04:12 As much commentary has noted, educational institutions are increasingly attractive targets for cyber attack. Avast points to a large and vulnerable attack surface poorly defended by under-resourced security programs. While ransomware attacks have drawn considerable attention, Palo Alto Networks' Unit 42 has found that other forms of crime, notably cryptojacking, are also causing problems. Recent cryptojacking incidents in Washington state seem to have been incentivized by rising altcoin prices. Their conclusion is a glum one. Quote, cryptojacking is always going to be around,
Starting point is 00:04:49 and so are the network attacks that make cryptojacking possible. End quote. The word cartel is one that raises the antenna, sometimes hackles. It sounds menacing, evoking either fat cat profiteers under Mussolini or lethal drug lords, the kind of people who made you sort of almost root for Gus Fring and Los Pollos Hermanos when you watched Breaking Bad. So, when there was talk of the Maze Gang establishing a ransomware cartel, that sounded pretty no bueno.
Starting point is 00:05:22 How did it all work out for them? Well, ransomware as a service and other similar features of the criminal-to-criminal market are well-established and well-known, but a cartel in the narrower sense, the kind that might gather around Don Eladio's pool to arrange cooperation and divvy up turf, did that work? Analyst1 this week published its study of the aspiring cartel lords, and they found that they fell somewhat short of their aspirations and others' fears. Analyst1 not unreasonably took profit sharing as one of the essential features of cartelization, and it's precisely such sharing that seems to be missing.
Starting point is 00:06:01 The cartel Maze apparently aspired to organize would have brought in operators of not only Maze but also Ragnar Locker, SunCrypt, LockBit, and Conti-Ryuk as well. The formation of such a cartel was announced in a communique by the Ukrainian gang Twisted Spider. Analyst1 notes that those involved in the cartel, as distinct from the ransomware strains they deploy, are Twisted Spider, Viking Spider, Wizard Spider, and the LockBit gang. SunCrypt, now defunct, also claimed to be part of the cartel, but in any case, they're now out of business. These gangs are russophone, and they operate out of Eastern Europe.
Starting point is 00:06:53 They also avoid hitting Russian targets, taking steps to ensure that their payloads don't execute against Russian victims. There's some division of labor and some sharing of tips and infrastructure. They're looking into automation, and several of the gangs do offer ransomware as a service to less-skilled hoods. But profit sharing? Not so much, at least not so far. The report concludes,
Starting point is 00:07:17 Analyst1 assesses that the cartel is not an authentic entity, but instead a collective of criminal gangs who, at times, work together in ransom operations. There needs to be more than cooperation, resource, and tactic sharing between gangs for their partnership to qualify as a true cartel. Profit sharing is the primary element missing in the coalition of ransomware attackers discussed. Cartels are dangerous due to the large financial resources that profit-sharing provides. Bloomberg reports that the U.S. Senate Foreign Relations Committee has prepared a comprehensive bill, 283 pages long, that would establish a policy of strategic competition with China. The measure, which the Senate Majority Leader hopes to bring to a vote with bipartisan support this spring, would increase U.S. investment in technologies deemed strategically important, seek to foster a joint approach to China with U.S. allies, and would extend the jurisdiction of the Committee on Foreign Investment in the United States to colleges and universities that receive more than $1 million in gifts from a foreign source.
Starting point is 00:08:24 That last measure is designed to close off the relatively unfettered access Senators see China having enjoyed to the relatively freewheeling U.S. academic research system. That access has been regarded as a threat to intellectual property by FBI Director Wray and others. And finally, the Russian government is still displeased with Twitter, which isn't knuckling under fast enough to suit Moscow and the social platform's compliant removal of content that Russian law and policy regard as illegal. TechDirt has an account of how Russian authorities
Starting point is 00:09:00 have extended the slowdown they've imposed by way of reprisal. They're using middle boxes to run Twitter traffic through for deep packet inspection. Because there are workarounds available to avoid this, Russian authorities are responding to those workarounds with what TechDirt calls the more collateral damage-prone IP-level block lists. The writer suggests that being forced to use block lists, quote, might act as a deterrent for censorship-obsessed governments that don't want a whole lot of attention focused on the fact they are massive cowards afraid of the free exchange of information that might challenge their hegemony. But, you know, probably not.
Starting point is 00:09:40 A government whose predecessor classified roadmaps and severely restricted access to photocopiers is unlikely to worry too much about that form of reputational damage. Now, depicting them as a cute bear spilling his Halloween candy, that will make them crazy. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:10:14 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:10:45 but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:11:20 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:05 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Jaclyn Miller is Chief Information Security Officer for Global Managed Services and Platforms Divisions for NTT Limited. Her day-to-day includes overseeing security and compliance programs, but in addition to that, she spends time mentoring young women, making sure they know there's a place for them in the industry. Here's my conversation with Jaclyn Miller. Any woman who has grown her career in technology and in cybersecurity has had to overcome some of the very common challenges, which is, you know, on the way up, there were very few, if no, mentors that looked and sounded like me, right? I've had
Starting point is 00:13:06 fantastic mentors over the years and do today, but a lot of them are men, and just to be frank, white men, and they have incredible skill strengths and experience that I draw from when I have questions or I'm working through something that I need a mentor for. But the challenging part is it's lonely. That rise to the top is lonely, and it doesn't have to be that way. So I think one of the most important things for me, looking back over how I grew, is helping others that are looking to make that journey into leadership in technology and cybersecurity, make sure that they have forums where they can find like-minded women who are going through the same process as themselves and also women that
Starting point is 00:13:52 have been through it. And finding those resources can be challenging, although I will say it is getting considerably easier and there's just more out there in the world right now, which is fantastic. When you're out and about, you know, mentoring younger women who are considering coming up into the industry, what's your message? What sorts of inspiration do you share with them? So I pull from, you know, my background as much as possible, which is it's more important to get started than it is to know all the things that there is to know about cybersecurity. Certainly, if young women have the opportunity to go through an associate's or a bachelor's program before they enter the workforce, that's fantastic. But only about 50% of women that are in the workforce and even lower with men actually
Starting point is 00:14:45 have a degree before getting into cybersecurity. And I think that's really interesting. And it identifies the fact that there are multiple paths into the industry. So when I'm talking with women that are thinking about that, it is to recognize that there are multiple channels in and not to keep your blinders on and think that there's only one path forward or one way to succeed in terms of developing a career in cybersecurity. There's a lot of really great certification programs that can help women if college is not something that is affordable or just from a timing perspective is not something
Starting point is 00:15:20 that's achievable. And I think cybersecurity benefits from a really diverse background. So having people that come in from very different experiences is incredibly important to making sure that we have full line of sight of the types of threats and scenarios we need to be aware of going into the future. And how do you spread that message from the top down, getting that word out to the folks who are doing the hiring? Yeah. One thing I can't stress enough, whether it's cybersecurity or any other type of technical field, is making sure that you have a diverse hiring panel. So one of the key indicators and studies or key success factors and studies that have been done over the last 15 years is making sure that there's women and other diverse hiring managers or even just advisors on
Starting point is 00:16:14 that hiring panel. It'll help identify resources that don't look so male and don't look so white. You know, we as humans have a natural tendency to be drawn to people that look and sound like us. That's a natural thing that a natural trend that happens. And by diversifying our hiring panel, we're opening ourselves up to having a different conversation and seeing candidates through different lights, which is really hard to do when you're just trying to do all of that, you know, have all of those world experiences yourself. I don't, I don't think that any one manager is that well-rounded. It takes a team to make those types of decisions, especially for leadership or middle management, team lead, or senior architecture roles. I highly recommend having a more of a panel style interview.
Starting point is 00:17:00 Our thanks to Jaclyn Miller from NTT Limited for joining us. There is a lot more to our interview. Don't forget to go listen to extended versions of this and many other interviews at CyberWire Pro. It's on our website, thecyberwire.com. Thank you. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I am pleased to be joined once again by Dinah Davis.
Starting point is 00:18:19 She is the VP of R&D at Arctic Wolf. Dinah, great to have you back. You know, we are being bombarded with information about COVID vaccines as they're being rolled out. And along with that comes folks who are trying to lure us to illegitimate sites. I wanted to check in with you for some tips
Starting point is 00:18:40 on how do you know if a vaccine site is the real deal? Yeah, I think this is really important, right? You don't want to be giving out your personal information, maybe your insurance information, or in Canada, like your health card information or things like that, to sites that are not real. So you can actually follow a very similar path that you would for checking out if a website is good to shop on or not. So the first thing you want to do is check for spelling mistakes in the domain name. If it is a statewide vaccine program, you know, you can probably find it off of the state website instead of, you know, clicking a link that you may have gotten in an email, right? I know in Canada, every single province has a link to its vaccine program
Starting point is 00:19:33 on their main provincial websites, right? So clicking things that come in an email, probably not a good idea. Obviously, we always say that. But in this case, these types of sites should be easily found on the internet through sites you trust. But what if you can't check that and you're not really sure? Okay, let's take a look. Is the website secure? Is it using HTTPS instead of HTTP? If it's not, I would not trust that at all. Yeah. And then you can use a website. My personal favorite is islegitsite.com. That is, that is the actual thing, islegitsite.com. And so I ran through one of, um, I live in Ontario, so I ran through our, um, COVID site for, uh, the Ontario provincial government and, uh, I had it run the report for me. And so the report summary was potentially legitimate. So they're never going to say 100%. Yes,
Starting point is 00:20:32 it's legitimate because the one time that they were wrong, they don't want to get sued. So usually you'll see potentially legitimate or you will see potentially not legitimate. And you go from there. So then it checks about five things for you that, you know, you could go and check on yourself, but it's easier to do it this way. So it checks the web of trust rating or the WOT rating. And that WOT rating is crowdsourced and collected website ratings and reviews from over 6 million users.
Starting point is 00:21:05 It's like a nonprofit site that runs. And so the rating of that particular website was 93 out of 100, which is obviously quite good, right? But if it has a low WOT rating or it doesn't even have a WOT rating, bad, very bad, bad, bad. Yeah.
Starting point is 00:21:20 It then checks a number of website blacklist sites. So there's a whole bunch of sites that will collect known bad sites. So this service will check against that to make sure it's not on one of those lists. Cool. Good. It's not. Domain creation date. So if it's off of a state site or a local, you know, a local health site, that thing should have been created quite a while ago. So, for example, ontario.ca was created 18 years ago. Um, if it was created in the last four months, uh, it doesn't necessarily mean it's completely bad, because it's possible that a
Starting point is 00:21:59 vaccine site could have been created then but it's not a good indicator because usually it'll be just a page off of a more stable site, right? Obviously the HTTPS it checks and then it also checks the website popularity. So how much traffic does the site get? So if it's legitimate, it should be a lot of traffic. And they use the Alexa traffic ranking. So for Ontario.ca, it's ranked like 5,000th among the world's most busy websites. Any rank below 500K, that's lots. So it's probably a pretty legit site.
Starting point is 00:22:39 And then it goes into even like 10 more things you can go check out on your own. But in my experience, if the five things above checked out, you're probably good to go. If any of those are bad, you're going to want to really take a second look or try and get to the site from a formal like state site or hospital site or something like that. Yeah.
Starting point is 00:23:00 So islegitsite.com. That's a good one. I'll have to check that out. As you say, it's a convenience to have all of these different tests run. Any one you could do on your own, but to have them all in one place saves everybody a bit of time. Yeah, and I run it all the time on all kinds of sites, shopping sites and anything where I'm like,
Starting point is 00:23:22 not really sure if that's legit. Yeah. All right. Well, good information. Dinah Davis, thanks for joining us. You're welcome. And that's the Cyber Wire. For links to all of today's stories,
Starting point is 00:23:47 check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. It keeps working even after 30 minutes. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland
Starting point is 00:24:08 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Falecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Starting point is 00:24:31 Thanks for listening. I'll see you back here next week. Thank you. where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
