CyberWire Daily - CryptoCore traced to Pyongyang. Ransomware and risk management. Gangs regroup. A would-be hacker-by-bribery is sentenced in Nevada.
Episode Date: May 25, 2021
The CryptoCore campaign that looted cryptocurrency exchanges is said to have been the work of North Korea’s Lazarus Group. Insurers are taking a hard look at ransomware and the cyber insurance policies that might cover it. Managing ransomware risk, and a role for standards bodies. Can there be such a thing as responsible disclosure of decryptors and other remediation tools? Ransomware gangs regroup. Perry Carpenter previews the new 8th Layer Insights podcast. Rick Howard speaks with authors Doug Barth and Evan Gilman. And it’s time served plus deportation in the case of an unsuccessful hacker. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/100
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The CryptoCore campaign that looted cryptocurrency exchanges
is said to have been the work of North Korea's Lazarus Group.
Insurers are taking a hard look at ransomware and the cyber insurance policies that might cover it.
Managing ransomware risk and a role for standards bodies.
Can there be such a thing as responsible disclosure of decryptors and other remediation tools?
Ransomware gangs regroup.
Perry Carpenter previews the new Eighth Layer Insights podcast.
Rick Howard speaks with authors Doug Barth and Evan Gilman.
And it's time served plus deportation in the case of an unsuccessful hacker.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 25th, 2021.
ClearSky yesterday reported its conclusions that the CryptoCore campaign, which hit altcoin
exchanges in Japan, Israel, Europe, and the U.S., was run by North Korea's Lazarus Group,
known for state-directed financial crime. The CryptoCore operation began in 2018 and is
thought to have been responsible for at least five attacks on cryptocurrency exchanges.
The campaign's total take over its career is believed to have been somewhere north of $200 million.
When CryptoCore first surfaced, it was attributed to a criminal gang thought to be operating from Eastern Europe or perhaps Russia.
But F-Secure published some evidence suggestive of a Pyongyang connection, and ClearSky has taken a deeper look
and now attributes the campaign with medium to high confidence to the DPRK's Lazarus Group.
CryptoCore has gone by more than one name. ClearSky lists three others: CryptoMimic,
Dangerous Password, and our favorite around the office, Leery Turtle. Whatever the name, it's the same
unwelcome product. Dark Reading says that insurance firms are growing increasingly skittish about
underwriting the risk of ransomware and seem to be moving away from providing the sort of coverage
that might encourage or permit ransomware payments. Bank Info Security points to trending evidence
that suggests both more limited coverage and higher premiums.
The underwriters aren't, as far as anyone can tell,
misreading the risk.
Ransomware attacks continue,
with audio system manufacturer Bose disclosing to authorities
that it had suffered an incident it first detected in March.
The Record says the company's statements haven't indicated whether it paid the ransom.
Recovery has sometimes proven protracted,
even after an attack has been detected and contained.
The San Diego Union-Tribune reports that Scripps Health,
which was hit on May 1st, is still in the process of remediation,
but hopes to be back to normal operations by the end of the week.
And the city of Tulsa, Oklahoma, which on May 10th disclosed the attack it sustained,
preventively shut down many city systems to contain the infestation and prevent data loss.
They also hope, according to SecurityWeek, to have recovered by week's end.
Colonial Pipeline's experience with DarkSide ransomware
has other sectors looking at their own defenses.
FreightWaves sees a similar attack against the trucking industry
as likely but also preventable.
What then should infrastructure operators consider
in the way of risk assessment going forward?
Vikas Bhatia, CEO and co-founder of Just Protect,
wrote us to point out that one of the lessons to be drawn from Colonial Pipeline's experience
is that regular risk assessments should focus on an organization's specific vulnerabilities
and the compliance regime it operates under. Quote, organizations such as the North American
Electricity Council, NERC, the National Institute of Standards and Technology, NIST, the American Petroleum Institute, API, provide standards that critical infrastructure providers and their customers can use to assess the organization's ability to manage the threat end-to-end.
Critical infrastructure and regulated organizations should evaluate how often and to what detail internal or third-party
assessments are performed. Rarely do organizations assess the risks of the threat landscape in as
much detail or at the frequency required to identify or manage the risks. End quote. So,
aim at increased and timely visibility and take advantage of the resources government, industry,
and standards bodies can provide. Many standards organizations are private as opposed to governmental, but their work can be
and often is widely adopted. Governments certainly establish important regulatory regimes, but it's
worth noting the role that the private sector has historically played in this regard. The insurance
industry in particular has had a lot to do with establishing standards.
Had the actuaries and underwriters not gotten involved with fire prevention
and personal safety, to take one example,
it's unlikely that fire safety codes in the U.S., at least,
would have evolved as they have.
MIT Technology Review early this week complained about the way in which security
firms who provide free decryptors make their tools publicly available, and particularly
excoriated Bitdefender's release of a DarkSide decryptor earlier this year, saying that the gang
benefited from the announcement to fix issues in their code. As we pointed out yesterday,
that seems strong. After all, a gang
might realize that something was wrong when its victims appeared able to return to normal without
paying for decryption. And while a free decryptor might well make it easier for a gang to find and
fix problems with their malware, the Washington Post reports that Bitdefender has said, with
arguable justice, that publishing a decryptor enabled them
to help a lot more victims a lot faster
than a more discreet, more selective disclosure
would have permitted.
The Wall Street Journal observes
that ransomware gangs appear to be scuttling away
from recent light on their activities,
scrutiny and scorn, as the Journal puts it,
but they've remained active
and probably are simply regrouping,
not exiting, still less reforming. It's a kind of unenlightened coarse self-interest. If the gangs
hit a target that attracts a lot of attention from the police, that's no good. It's not the
reputational risk that concerns them, but rather tugging on Superman's cape, tickling the sleeping dragons of law enforcement.
It would be unwise to accept the avowals of the likes of DarkSide when they say they're
determined to avoid social damage. That's what they say when they're caught clobbering a hospital or
doing something else that will really motivate the authorities to bring the hammer down.
So this is a temporary pause at best, and the gangs are unlikely to cease and desist
this side of the slammer.
And finally, remember that guy
who copped a plea in Nevada to federal charges
related to his unsuccessful attempts
to bribe a Tesla employee with half a million bucks
to install malware on Mr. Musk's battery factory's computers.
The AP reports that yesterday, U.S. District Judge Miranda Du passed sentence on him.
She gave Yegor Igorevich Kriuchkov 10 months.
Since he's already been in custody for nine months, and that detention counts,
the sentence amounts to time served.
He'll be deported back to Russia soon. Judge Du said
she took into account both Mr. Kriuchkov's plea agreement with the U.S. attorney and the fact that,
after all, his attempt to hack the Reno area battery plant failed. The attack was supposed
to be a two-stage attack, denial of service as misdirection for the second stage installation of malware designed to exfiltrate sensitive information.
"I'm sorry for my decision. I regret it," Mr. Kriuchkov said,
adding that his time at Club Fed had given him an opportunity to reflect
on the damage he'd done to his reputation and the pain he'd caused his family.
It's worth noting that U.S. authorities have not alleged
the Russian government had anything to do with Mr. Kriuchkov's crime.
He seems to have been just a crook on the lookout for the main chance.
Happy trails.
Throughout this week, we're featuring Rick Howard's exclusive interviews with renowned
authors of cybersecurity books, books so good they've been inducted into the Cybersecurity
Canon. Here's Rick.
It's Cybersecurity Canon Week here at the CyberWire, and unofficially
all the CyberWire staff members are referring to this week as Shark Week for cybersecurity books.
Because the Cybersecurity Canon Project has announced the author selectees for the Hall of Fame Awards for 2021.
And I'm interviewing all the winning authors.
Each day this week, you will get a taste of the winning author interviews here in this daily podcast segment.
But you can listen to the entire long-form interviews as special episodes in my
CSO Perspectives podcast, only available to CyberWire Pro subscribers. Today's interview is
with Doug Barth and Evan Gilman, the authors of Zero Trust Networks, Building Secure Systems
in Untrusted Networks. I started out by asking Doug, why did he feel compelled to write this book?
I guess I'll start since I'm the troublemaker that incited all this crazy stuff.
It was actually after a conference talk I gave where one of the questions at the end
was, where can I go to read more about this?
And I was like, well, I don't know.
I don't think there's anything out there, really.
I mean, I've looked, I haven't found anything, come talk to me afterwards.
And I felt passionate about the topic and I felt that it was important
and that nobody else is talking about it.
People should at least be considering it.
A lot of people had written about these types of problems,
but nobody had really written about them all being kind of related to each other
and this bigger picture, zero trust type thing.
There was some prior art, but it wasn't like super duper cohesive.
And certainly it wasn't laid out like, okay, if I wanted to do this exactly, what are the things I should be thinking about and how could I accomplish it?
I asked Doug about how Evan convinced him to join this book writing journey.
I think my exact comment to him was,
oh, the book people came by your talk.
I understand.
I like working with Evan.
Evan's super smart.
Like he mentioned, we had only scratched the surface
of the topic because we were building for a startup's needs
and solving problems as they came to us.
I thought it would be interesting to continue
the thought exercise of,
well, if we're going to build systems here
under this assumption
that our networks are untrustworthy,
how would we continue to design
and iterate on that architecture?
That was basically the year and a half
that we spent researching and digging into it,
just trying to figure out
what would our answer be
if we had to deal with this problem?
What would our answer be if we had to deal with that problem?
And trying to educate ourselves on what the broader industry was thinking here.
So we weren't just like making it up in a vacuum.
The book is called Zero Trust Networks, Building Secure Systems in Untrusted Networks.
The authors are Doug Barth and Evan Gilman, and they are the newest additions to the Cybersecurity Canon Hall of Fame.
And if you are interested in the collection
of Cybersecurity Canon Hall of Fame books,
plus all the candidate books and even the best novels
with a cybersecurity theme,
check out the Cybersecurity Canon website
sponsored by Ohio State University
at icdt.osu.edu slash cybercanon, all one word.
And with one N for canon of literature,
not two Ns for machines that blow things up.
And if that's all too hard,
go to your preferred search engine
and type cybersecurity canon
and Ohio State University.
And congratulations to Doug Barth and Evan Gilman
for their induction into the
Cybersecurity Canon Hall of Fame.
And joining me today is Perry Carpenter.
I've spoken to him many times before as the Chief Evangelist and Strategy Officer at KnowBe4.
He's also a well-known published author.
But today, Perry, we are talking about something different.
You have a new podcast coming out.
Yeah, I do. It's called Eighth Layer Insights, and it's really all about the psychology and the behavior behind why we think the things that we think and why we do the things that we do.
And I try to relate that to security, but I also broaden it out into the general areas of life as well.
What prompted you to dip your toe into the podcasting forum here?
Yeah, that's a great question. It really
came about by loving some really great podcasts out there like Freakonomics and Radiolab and
Planet Money and others, this narrative nonfiction style. And there's not been a lot of representation of that in the cybersecurity
field yet. I think that there have been a few really good examples like that, but catering
to a slightly different audience. Something like the Darknet Diaries podcast, I think, is a standout.
McAfee's Hackable podcast that's been discontinued recently is another standout.
But they're really still even catering to a slightly different audience than what I was hoping for.
And really just because it didn't emerge on its own, I tried to go ahead and create the thing that I was looking for and then see where it goes.
And who is the audience that you're targeting here?
It's primarily, I'd say that the core set is cybersecurity professionals that are interested in influencing behavior. So CISOs,
security managers, and security practitioners that are trying to help people make better decisions.
But then also because any study on human psychology and human behavior is a study
about ourselves, I'm trying to keep this general enough that it can also have a fuzzy edge to where
if you're interested in it, this is something that you could share with your family and they would
enjoy hopefully just as much. Yeah, it strikes me that one of the things that we fall into in cybersecurity is
by its nature, the technical nature of it, the ones and zeros. We fall into a bit of absolutes.
And that means that sometimes that human side gets underemphasized or undervalued.
It's interesting to me that part of what you're doing here is shining a light on the importance
of that side of things.
Yeah, absolutely.
One of the things that comes out
when you study the data about our industry,
the cybersecurity industry,
is that we have an over-fixation
on the technology side of things.
And so we talk about, you know, if you're in the security field,
you've heard of this thing called the OSI security model.
It talks about seven different layers of security,
starting at the data and ending at the application.
And that's what we really focus on the security pieces for,
is building that technical defense across those seven layers.
But when we look at the breaches and a lot of the
hacks out there, they're focusing not necessarily on those seven layers, but they're using an eighth
layer to get in. And so I really want to bring a spotlight to this human side of things because
it has been under-emphasized for decades. And luckily, we are now starting to see more of an
understanding of the fact that this human piece will never go away, that the technology piece
will never be 100% effective, and that to under-emphasize the human is to be not as effective
in our security and risk management as we could be. Can you give us a preview of what
we might expect to hear in the first episode? Yeah, the first episode really comes out of my book,
Transformational Security Awareness, where I talk about this concept of Trojan horses for the mind.
So the idea that there are messages and there's information that we want to get to people,
but we're in a very noisy world.
The signal-to-noise ratio does not favor us as security practitioners trying to get information to people.
And so what we need is a Trojan horse.
And this gets into the use of emotion, sound, visuals, and then words and story
in order to contain that message, move past a lot of our mental defenses,
and then embed that message within somebody's mind.
And then over the course of the series, we're going to be tackling a lot of other,
even non-security awareness-related things like disinformation, conspiracy theories,
behavior change, behavior design, psychology, social engineering, and so on.
You've got an impressive list of guests lined up for this show. Who are we going to hear from?
There are too many to list in a format like this, but needless to say,
since I'm taking that narrative nonfiction type of route,
within one episode, you're going to hear multiple voices,
the vast majority of the time.
So I don't want to box myself in too much,
but the vast majority of time,
you'll hear two or three different experts per episode.
And we've, episodes that are already in the bag,
we've got folks like Bruce Schneier, Chris Hadnagy.
We've got Kevin Mitnick lined up, Rachel Tobac, BJ Fogg, Matt Wallaert.
So BJ and Matt are both behavior scientists that are fairly well-known and many, many more.
And so that's really the kind of the gist here is that we want to start with security and then move increasingly outward into all these other professions and disciplines that should be listened to by our industry.
Well, I've had the pleasure of listening to a preview of the first episode, and I have to say I enjoyed it very much.
Highly recommend it.
The title of the show is Eighth Layer Insights.
It is part of the Cyber Wire Podcast Network.
You can find it on our website
and also wherever you get your podcasts.
Perry Carpenter, thanks so much for joining us.
Yeah, thank you so much for having me.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.