CyberWire Daily - Australia warns of a large-scale espionage campaign. China indicts two long-detained Canadians. And the Lazarus Group may be about to undertake a widespread COVID-19-themed fraud effort.
Episode Date: June 19, 2020
A look at the “state-based cyber actor” the Australian government is concerned about. Some signs of Chinese retaliation for Five Eyes’ skepticism of Huawei. Johannes Ullrich explains malware triggering multiple signatures in anti-malware products. Our guest is Geoff White, author of Crime Dot Com, on how he tracked down the creator of the Love Bug. And an alert about the possibility of some COVID-19-themed fraud from the Lazarus Group. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/119 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing
the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
A look at the state-based cyber actor the Australian government is concerned about,
some signs of Chinese retaliation for Five Eyes' skepticism of Huawei,
Johannes Ullrich explains malware triggering multiple signatures in anti-malware products,
our guest is Geoff White, author of Crime Dot Com, on how he tracked down the creator of the Love Bug,
and an alert about the possibility of some COVID-19-themed fraud
from the Lazarus Group.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, June 19, 2020.
Australia's Prime Minister Morrison has said that Australia is under massive and sustained cyber attack.
The Wall Street Journal quotes the Prime Minister as saying,
We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used.
He added that all levels of government in most economic sectors are among the targets.
The actor may be sophisticated, but most observers aren't moving from that to a conclusion that the attacks themselves are advanced or complicated.
To judge from yesterday's Australian Signals Directorate advisory,
the attacks, for the most part, hit known vulnerabilities
with copy-and-paste open-source proof-of-concept exploit code
used against public-facing sections of the infrastructure.
For the most part, the state-based cyber actors are going after a remote code execution vulnerability
in unpatched versions of Telerik UI.
In other cases, they are chasing a deserialization vulnerability
in Microsoft Internet Information Services,
a 2019 SharePoint vulnerability, or a 2019 Citrix vulnerability.
When that approach fails, the attackers resort to familiar spear phishing.
The ASD warned that the spear phishing has taken several familiar forms, including links to credential harvesting websites,
emails with links to malicious files or with a malicious file directly attached,
links prompting users to grant Office 365 OAuth tokens to the actor,
use of email tracking services to identify the email opening and lure click-through events.
The state-based actor has shown some talent for conducting reconnaissance of target networks to identify vulnerable services,
and ASD thinks the actor may be
assembling and maintaining a list of public-facing services so it can hit them quickly after new
vulnerabilities are released and before the targets get around to patching them.
They're also pretty good at identifying development, test, and orphaned services
that tend to be overlooked or even forgotten by the organizations that own them.
These activities do argue for a good degree of intelligence and sound management.
If we understand sophisticated to refer to a solid understanding of how to service targets,
as opposed to the more usual connotation of exotically crafted, never-before-seen malware,
then perhaps the Prime Minister has a point.
In that sense, the state-based group can indeed be called sophisticated.
So, okay, we keep saying state-based group because that's what Mr. Morrison calls them,
but straight-up friends, we're obviously talking about China.
The Prime Minister has refused to be drawn on attribution,
but he's generally believed to be describing a Chinese government campaign.
ZDNet quotes think tank sources to the effect that this particular frog has been boiling for years,
which raises the question of why the Prime Minister would choose this moment to issue his
warning. Other sources, for the most part former officials, are telling the Australian Broadcasting
Corporation that the campaign may represent payback for Australia's hard line on Huawei. So there seems to be a mutual dance of deniable accusation going on here.
China hasn't yet commented on Prime Minister Morrison's press conference, but it's denied
involvement in recent high-profile attacks on Australian institutions, including Parliament.
Those denials haven't been generally believed. Perhaps they're not intended to be believed. The operations walk and quack like Chinese
operations, and as the Wall Street Journal points out, you can hide your footprints,
but sometimes it's useful to leave the tracks out there for the world to see.
The Prime Minister appears to have two motivations in making his statement.
First, he's offering China a veiled warning.
Second, he's also interested in changing behavior in his own government agencies.
After all, for crying out loud,
will you please get serious about keeping your systems patched and under control?
There's a state-based panda pawing at you.
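The ASD observation above, that the actor keeps its own list of public-facing services and goes after the development, test and orphaned ones first, has a defender-side counterpart: keep that list yourself and reconcile it against advisories before the patch window closes. The following Python script is an added example, not code from ASD or from the podcast. It scores a constructed inventory against constructed advisories and ranks the exposed, unpatched services, with orphaned and dev/test systems scored highest because those are the ones that get overlooked. Every host, version, `fixed_in` value and advisory ID is a placeholder, and the product names merely echo the ones named in the segment.

```python
"""Exposure and patch-gap check (added example, constructed data).

Reconciles a service inventory against advisories and ranks exposed,
unpatched services. Orphaned (no owner) and dev/test services score
highest, since those are the ones the advisory says get overlooked.
All hosts, versions and advisory IDs below are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    host: str
    product: str
    version: str
    environment: str         # "prod", "test" or "dev"
    owner: Optional[str]     # None marks an orphaned service
    public: bool             # reachable from the internet


@dataclass(frozen=True)
class Advisory:
    advisory_id: str         # placeholder, not a real CVE number
    product: str
    fixed_in: str            # first version that carries the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); tuple comparison gives correct ordering."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(svc: Service, adv: Advisory) -> bool:
    """True when the service runs the advisory's product below the fixed version."""
    return svc.product == adv.product and parse_version(svc.version) < parse_version(adv.fixed_in)


def risk_score(svc: Service) -> int:
    """Crude triage score: reachability, ownership, and environment."""
    score = 0
    if svc.public:
        score += 10      # attacker-reachable
    if svc.owner is None:
        score += 5       # nobody is going to patch it
    if svc.environment != "prod":
        score += 3       # dev/test boxes are forgotten first
    return score


def patch_gap(inventory: List[Service], advisories: List[Advisory]) -> List[Tuple[Service, Advisory]]:
    """Every public service still below an advisory's fixed version, worst first."""
    gaps = [(svc, adv) for svc in inventory for adv in advisories
            if svc.public and is_vulnerable(svc, adv)]
    gaps.sort(key=lambda pair: risk_score(pair[0]), reverse=True)
    return gaps


# Constructed inventory: product names echo the segment, versions are invented.
INVENTORY = [
    Service("web-01", "Telerik UI", "1.2.0", "prod", "web-team", True),
    Service("test-02", "Telerik UI", "1.1.0", "test", None, True),
    Service("sp-03", "SharePoint", "2.0.5", "prod", "collab-team", True),
    Service("int-04", "Citrix Gateway", "1.0.0", "prod", "net-team", False),
]

# Constructed advisories with placeholder IDs and invented fixed versions.
ADVISORIES = [
    Advisory("ADVISORY-PLACEHOLDER-1", "Telerik UI", "1.3.0"),
    Advisory("ADVISORY-PLACEHOLDER-2", "SharePoint", "2.0.5"),
    Advisory("ADVISORY-PLACEHOLDER-3", "Citrix Gateway", "1.1.0"),
]

if __name__ == "__main__":
    for svc, adv in patch_gap(INVENTORY, ADVISORIES):
        print(f"{svc.host:8} {svc.product:15} {svc.version:7} "
              f"owner={svc.owner or 'NONE':12} env={svc.environment:5} "
              f"{adv.advisory_id} fixed in {adv.fixed_in} risk={risk_score(svc)}")
```

Run as-is, the orphaned test box outranks the owned production server even though both run the same vulnerable product, and the internal Citrix host is vulnerable but not listed because it is not public-facing. The `public` flag and the `owner` field are the two columns worth getting right in a real inventory; a real run would pull versions from an asset database rather than a hard-coded list.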
There may be some other Chinese payback for Five Eyes' treatment of Huawei.
Two Canadians, Michael Kovrig and Michael Spavor, were arrested 18 months ago,
shortly after Huawei CFO Meng Wanzhou was detained in Vancouver on an American bank fraud beef.
The Wall Street Journal reports that the two have now been formally charged with espionage.
Michael Kovrig, a Canadian diplomat on leave to work with the International Crisis Group,
was charged with probing into state secrets and intelligence
on behalf of foreign actors.
Michael Spavor, an entrepreneur,
was accused of probing into and illegally providing
state secrets to foreign actors,
according to municipal prosecutors in Beijing and Dandong.
Both of the Canadian men were in China in connection with their interest in North Korea.
Mr. Kovrig was preparing a report on the DPRK,
and Mr. Spavor ran the not-for-profit Paektu Cultural Exchange,
which facilitated travel to North Korea.
Ms. Meng, currently out on bail in Vancouver,
is facing the slow process of extradition to the U.S.
A recent Canadian court decision made it more likely that she'll be sent stateside,
but her American court date, if it should ever arrive, still lies in the indefinite future.
North Korea's Lazarus Group is said to be preparing a large-scale phishing campaign against targets in South Korea, Singapore, Japan, India, the United Kingdom, and the United States.
The countries all have put large COVID-19 economic relief programs in place,
and ZDNet reports that Pyongyang's COVID-19 phish bait is expected to serve financial fraud.
ZDNet credits Cyfirma with the relevant threat research.
SingCert today posted a warning for Singapore businesses.
North Korean cyber operations in general, and those of the Lazarus Group in particular,
have tended to concentrate on either espionage or financial gain,
with an occasional attempt at influence.
The influence attempts generally haven't proceeded very happily,
but Pyongyang has shown that it has the chops to conduct both espionage and fraud.
So businesses, beware.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request based on identity and context.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say,
Delete.me is a game changer. Within days of signing up, they started removing my personal
information from hundreds of data brokers. I finally have peace of mind knowing my data
privacy is protected. Delete.me's team does
all the work for you with detailed reports so you know exactly what's been done. Take control of
your data and keep your private life private by signing up for Delete.me. Now at a special
discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout.
That's joindeleteme.com slash N2K, code N2K.
My guest today is Geoff White.
He's an investigative journalist based in the UK and author of the book Crime Dot Com, which will be published in August.
Our conversation centers on his globetrotting investigation
to find the creator of the love bug computer virus,
20 years after its initial release.
The Lovebug virus was unleashed in 2000, May 2000.
It went around the world and infected tens of millions of computers, it's estimated.
And the person behind it, the person who did all of this, was never actually convicted.
It was never settled who unleashed it, who created it, and so on.
There were some suspicions at the time,
but the whole thing was a big question mark.
So I thought that was worth looking into.
And also the other thing is, for me,
the love bug kind of sums up the big thing about cybersecurity.
It's not necessarily about computers and code and hardware and software and so on.
It's about people.
The reason the love bug worked was because everybody wants
love. And so when they received an email that looked like a love letter, which is what the
love bug did, they answered it. So for me, it was the perfect sort of social engineering,
psychological people-focused attack. And I just thought it was a great place to start
talking about cybersecurity. Can you take us back, remind us,
back around the year 2000, what sorts of protections would people typically have in place in terms of backups and, you know, the things that we think of as being routine these days?
What was the state of things back in 2000?
Well, you know, cybersecurity was on the agenda in 2000.
It wasn't that there hadn't been viruses.
There had been one a couple of years previously to this called the Morris worm,
which again spread from computer to computer.
Companies had antivirus software.
The issue with the love bug, and another reason this highlighted some issues early on in cybersecurity,
was that because of the way the virus was written in those days,
if you got it and downloaded it, yeah, you might get infected, but then you've got a copy of it. So people started deliberately trying to get infected so they could grab a
copy of the virus, reformat it, rework it, and re-release it. And so some of the antivirus
software that was looking out for something like Lovebug would get caught out because the next
iteration of Lovebug that somebody had tweaked very slightly would get through its defenses.
So that was the sort of setup at the time. And in terms of backups of information,
some companies were switched onto that and had sort of disaster recovery, as it's called in the
trade. But a lot of companies wouldn't have had that. They wouldn't have seen the effect of that.
And certainly the idea of an email being able to spread and spread so fast and destroy everything in its path, that came completely out of left field for a lot of people.
So it really was, it's a perfect storm.
So how did you begin your journey now? I mean, decades after it began, where did you begin?
Well, there were lots of rumors about who was behind the love bug.
So the police investigators were looking at where the passwords,
the stolen passwords were being sent to.
And they discovered that it was an email address
that had been registered in the Philippines.
It didn't take them long to work out an apartment
in the Philippines that the email address was registered to.
So they pitched up there
and they found some people living in the apartment.
And they pretty soon discovered
that someone connected to them
was a computer science student
at a nearby university called Onel de Guzman. Also implicated in this was Onel de Guzman's classmate, a guy
called Michael Buen. Now, the difficult problem for the investigators in the Philippines at the
time was that there was no law against computer hacking in 2000 in the Philippines, something that
it seems that Michael Buen, Onel de Guzman and their buddies knew only too well, because they were part of a kind of underground community of students who were
creating viruses and experimenting with viruses and in some cases leaking them. So when the
investigators found Onel de Guzman, they couldn't prosecute him. There was a forum, a Filipino
language forum, in which somebody said, oh yes, I saw Onel de Guzman. And this was, I think, in 2016-ish, 2015, working at this particular market on a mobile phone stall. You know,
he's a local hero. And so I thought, well, that's the best lead I've got. Let's go to Manila,
find the market, find the mobile phone stall, and you know, who knows? So I started going around,
I thought, how can I find this guy? And I knew the photo wouldn't be any good
because the photo was 20 years old.
So I wrote his name down on a piece of paper
and I went from stall to stall,
just showing it to people at random.
And sure enough, he turned up and we went for coffee.
And I expected that I'd have to sort of
tease the information out of him
and I'd have to sort of put the evidence to him
to a point where he couldn't deny it.
But actually, he admitted it straight away.
He not only admitted that he wrote the virus and unleashed it,
he said that it was just him
and that his colleague, Michael Buen,
his classmate, Michael Buen, was nothing to do with it.
So I was able finally to clear up,
A, who had unleashed the virus,
but B, exonerate the guy over whom a question mark
has hung for the last 20 years.
In the ensuing years, Onel de Guzman didn't go back to university.
He was at college at the time.
He was a computer science student.
And, you know, I've spoken to some of his colleagues,
people around the same time at the same college,
and they've gone on to really good careers.
Onel de Guzman didn't.
He didn't go back.
He didn't graduate.
He had to lie low for a couple of years.
He didn't touch a computer for a couple of years.
And the stall that he's working on now has to be said he's not,
I mean, he's in his element.
He's surrounded by voltmeters and screwdrivers and disassembled phones.
And, you know, it's a sort of techie's den that he probably loves.
But I can't help thinking that his life could have turned out very differently
had that one thing not happened back on the 4th of May 2000,
had he not pressed send on that one email.
Our thanks to Geoff White for joining us. His book Crime Dot Com will be
published in August. There's an extended version of our conversation up on CyberWire Pro in the
interview selects.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And I'm pleased to be joined once again by Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute,
also the host of the ISC Stormcast podcast.
Johannes, it is always great to have you back.
You and your team have been tracking some interesting things with some malware that's been doing some triggering in some
anti-malware software. Fill us in on the details here. Yeah, this is an experiment that one of our
handlers, the Americans, ran. And what he looked at is, hey, what if a malware actually contains more than one malicious signature?
And what he did here as a test is he used Mimikatz.
If you're not familiar with Mimikatz, it's software that's often used by the bad guys,
but also by penetration testers to steal password hashes from memory.
So it's well known, well recognized.
Pretty much all anti-malware
will flag it as malicious. So he took this tool and then he added a little
string to it called the EICAR string. This is a very specific string that's used to
test antivirus. So whenever a file contains this string, usually in the
beginning, it will flag it as malicious, but say,
hey, this is a test file. So what he did is he added this EICAR string to Mimikatz and then checked
what will happen. What will antivirus tell me? Will it tell me this is Mimikatz? Will it tell
me that this is a test file that's harmless? Or will it tell me both? And what he found is that actually much antivirus
or many antivirus tools will flag it now as EICAR,
as a harmless test.
Execution may still get blocked here in this case,
but an analyst looking at the logs,
looking over a system may say,
hey, this is just a harmless test file.
Maybe someone ran a test.
This is not something that will cause any damage,
and they may now ignore this alert. Yeah, that's interesting. So what do we suppose
that the anti-malware tools are? They flag something, and then they stop. They don't look
any further? Correct. That's what's happening, and many of them only have the capability to
flag one alert per file.
This has happened also, for example, with network intrusion detection systems.
If you have an attack, for example, against a web server, the attacker within one session
is launching multiple attacks where only like the first three or four often are being detected.
So if the first three and four are the attacker just probing
and trying to figure out
what the web server is vulnerable for,
but then later the exploit
is actually being sent and successful,
the tool may miss that very important fact.
Sometimes it's configuration of the tools,
but it would be nice if the tool would,
yeah, scan the entire file,
not just stop at the first hit
and maybe rank the signatures where they say,
hey, this is Mimikatz, actually more important than this is EICAR.
So if you can only send one alert, let's send the more severe alerts.
Right, right, exactly, exactly.
So what are your recommendations here in terms of folks protecting themselves?
Well, always second guess your tools.
Tools can be wrong.
And this is a sad truth in this business and something that's often overlooked.
A lot of analysts, a lot of security people do overly rely on their tools.
Understand how your tools work, experiment with them, and know the limitations.
This is so important in this business and something that's often overlooked
where someone just reads a quick blog post to figure out how a tool works
and doesn't really bother to ask the hard questions and dive in deeper.
So should the folks who are making these anti-malware tools,
should they be on alert to maybe up their game as well?
Yeah, definitely. They should be aware that a particular piece of malware may trigger
multiple signatures. And this could even happen sometimes, you know, sort of accidentally where
an attacker will just bundle multiple tools in one file. I've seen this quite often.
As an analyst, I need to know that this is more than one particular piece of malware.
Another sort of problem that I often see is that the analyst then goes back and cleans up the system and only removes the one piece of malware that was actually triggered on.
But that fact of cleaning up is always dangerous and highly discouraged.
But we know life.
You want to get back in the business.
You don't want to restore the system from backups that you may or may not have.
So a lot of folks are a little bit careless there.
And antivirus tools often give them the wrong signals.
Yeah, and the bad guys can take advantage of that.
Correct, yes.
Yeah.
All right, Johannes Ullrich, thanks for joining us.
Thank you.
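The experiment Johannes describes above, as an added example that is not code from the ISC handler or from the podcast: a toy Python scanner that contrasts a "first hit wins" scanner with one that checks the whole buffer and ranks every match by severity, which is the behaviour he says he would like to see. The signature patterns and the sample file are constructed strings; the benign test marker stands in for the EICAR test string and the tool marker for a real credential-dumper signature, so nothing in the block is a real vendor pattern or real malware.

```python
"""Toy multi-signature scanner (added example, constructed data).

Shows the failure mode from the segment: when a file carries a benign
test-file marker at the start and a real tool signature later, a scanner
that reports only the first hit labels the file "harmless test", while a
scanner that checks the whole buffer and ranks by severity does not.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    severity: int  # higher is more severe


# Constructed signatures. "AV-Test-File" stands in for the EICAR test string
# and "Tool.CredentialDumper" for a real credential-dumping tool signature;
# none of these byte patterns is a real vendor or EICAR pattern.
SIGNATURES: List[Signature] = [
    Signature("AV-Test-File", b"CONSTRUCTED-AV-TEST-MARKER", 1),
    Signature("Tool.CredentialDumper", b"constructed-credential-dumper-marker", 9),
    Signature("Tool.RemoteShell", b"constructed-remote-shell-marker", 8),
]


def scan_first_hit(data: bytes) -> List[Signature]:
    """Models a scanner that stops at the earliest match in the file."""
    earliest: Optional[Tuple[int, Signature]] = None
    for sig in SIGNATURES:
        pos = data.find(sig.pattern)
        if pos != -1 and (earliest is None or pos < earliest[0]):
            earliest = (pos, sig)
    return [earliest[1]] if earliest else []


def scan_all(data: bytes) -> List[Signature]:
    """Scans the whole buffer and returns every match, most severe first."""
    hits = [sig for sig in SIGNATURES if sig.pattern in data]
    return sorted(hits, key=lambda s: s.severity, reverse=True)


def verdict(hits: List[Signature]) -> str:
    """One-line verdict: lead with the worst hit, but keep the others visible."""
    if not hits:
        return "clean"
    names = ", ".join(s.name for s in hits)
    return f"{hits[0].name} (severity {hits[0].severity}); all hits: {names}"


# Constructed sample: a test marker prepended to a tool body, mirroring the
# EICAR-plus-Mimikatz experiment without using either real artefact.
SAMPLE = (
    b"CONSTRUCTED-AV-TEST-MARKER\n"
    b"...padding...\n"
    b"constructed-credential-dumper-marker\n"
)

if __name__ == "__main__":
    print("first-hit scanner :", verdict(scan_first_hit(SAMPLE)))
    print("whole-file scanner:", verdict(scan_all(SAMPLE)))
```

The point for the analyst reading the log is in `verdict`: even when a product can emit only one alert per file, the alert it emits should be the most severe match, and the other matches should still be recorded somewhere the analyst can see them before deciding the file was "just a test".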
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Thank you.
Thanks for listening. We'll see you back here tomorrow.
Staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.