CyberWire Daily - Cyber espionage vs. the RoK MoD. Fancy Bear’s old Lojax tricks. US rumored to be prepping another case against Huawei. Database exposure in Oklahoma. Yes Men prank Post.
Episode Date: January 17, 2019
In today's podcast, we hear that South Korea's Defense Ministry has disclosed a cyber espionage incident. Fancy Bear sticks to its old tricks with Lojax. The US Justice Department is rumored not to be done with Huawei—this time an IP theft beef is believed to be coming. A big database exposure case in Oklahoma. And an update on yesterday's bogus Washington Post edition: it was a prank by the Yes Men. Mike Benjamin from CenturyLink with an update on the MyloBot botnet. Guest is Angie White from Iovation on PSD2, the payment services directive update. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_17.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
South Korea's defense ministry discloses a cyber espionage incident.
Fancy Bear sticks to its old tricks with Lojax.
The U.S. Justice Department
is rumored not to be done with Huawei, there's a big database exposure case in Oklahoma,
and an update on yesterday's bogus Washington Post edition.
From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Thursday, January 17th, 2019.
Unnamed attackers have breached a South Korean National Defense Ministry organization.
The Defense Acquisition Program Administration, which oversees military procurement, was successfully attacked.
The attackers compromised, ironically enough,
a data protection app, the Data Storage Prevention Solution. They obtained administrative access to
the application's server and used it to spirit away sensitive material pertaining to Republic
of Korea military systems. The breach occurred in October. The National Intelligence Service,
which was in charge of the investigation,
disclosed the incident this week.
Seoul hasn't blamed Pyongyang for the attack, but as ZDNet notes,
it wouldn't surprise anyone if they did.
Security firm Netscout has published an updated report on Lojax,
the espionage tool deployed by Fancy Bear,
that is to say Russia's GRU military
intelligence service. Netscout notes that Fancy Bear has kept its Lojax command and control
servers online, even after its activities were exposed by ESET, Netscout, and others.
They draw one lesson from this. Here's a case where indications of compromise are well worth
paying attention to. If the old bear is using old tricks, it's good to be aware of them.
How secure are industrial radio controllers?
Apparently less secure than a garage door opener, a Trend Micro study suggests.
The RF controllers are also connected to far more consequential systems than a garage,
and interface with significant safety measures.
Its creator may be behind bars,
but ZDNet notes that the NanoCore remote-access Trojan
continues to circulate in the wild.
Fortinet researchers say they're observing the RAT's propagation
via malicious Word documents.
The malware is proving unusually resistant to eradication from infected
systems. Contractors and civil servants warn that the ongoing U.S. federal government shutdown
exposes the country to growing cyber risk. That's not, of course, exactly an admission
against interest, but the concerns being expressed aren't idle either.
The U.S. Department of Justice is apparently not done with Huawei.
Sources tell the Wall Street Journal that the DOJ is said to be preparing a case of IP theft against the Chinese device manufacturer.
Specifically, suspicion centers on alleged theft of robotic phone testing technology from T-Mobile.
The investigation emerged from a civil judgment in which the U.S. District Court for the Western
District of Washington at Seattle found that Huawei had, quote, abused its relationship
as a phone handset supplier for T-Mobile to obtain access to T-Mobile's robot and, in
violation of several confidentiality and nondisclosure agreements, copied the robot's specifications, and stole parts, software, and other trade secrets.
In 2017, a jury awarded T-Mobile $4.8 million in damages.
Huawei contested the suit,
although it acknowledged some improprieties on the part of two employees.
As organizations in Europe settle in for the long haul with GDPR,
later this year another set of regulations will come into play. PSD2 updates the Payment
Services Directive, which mandates how European merchants handle electronic payments.
Angie White is from authentication and fraud prevention firm Iovation.
Basically what this does is it creates a single marketplace within the European Union,
takes down some of the barriers for open banking.
And with PSD2, there's a lot of added protections for consumers,
making sure that their transactions are done in a secure manner.
So it adds a lot of consumer protections.
And so for the consumers and the merchants, what kind of changes could they expect to see
with this coming online? One of the biggest changes that you're
going to hear about with PSD2 is the need for strong customer authentication or SCA.
With this mandate, SCA will be required on all transactions above 30 euros. There's some
carve-outs for that, but this is a pretty big bar and a pretty big change for merchants.
And so from a practical point of view, what does that mean for the merchants? Is this just a higher
standard they have to meet? Absolutely. So as it currently stands, there are SCA requirements, mostly in the form of 3-D Secure.
And under the current PSD payment services directive, they're allowed to waive those SCA requirements and take on the liability themselves.
So under PSD 2, they're no longer allowed to waive those requirements.
So what do we expect that to mean to those merchants? Are we likely to
see people dropping out from being able to do this or does it mean more fees that they'll have to pay?
It's kind of an interesting paradigm shift because one of the other things that PSD2 does is it puts
a much bigger emphasis on fraud prevention. So they've actually, the EBA has allowed some carve outs for risk-based
transaction analysis. So basically this kind of details into if payment service providers are able
to hit certain fraud thresholds, then they'll be exempted from a higher level for SCA transactions.
So if a PSP or payment service provider was able to hit an exemption fraud rate of 0.06 to 1.3, they're able to raise their threshold for SCA to 100
euros. So that's in comparison to the default of 30 euros. So I think that you're likely to see that this is going to
create kind of a tiered market where merchants and PSPs are really going to have to work together
to get those higher threshold reference fraud rates. The ones who aren't able to meet that
are going to have to pay higher processing fees. Now, what's the response been from the merchants
and the providers? Are they
on board with this? Are they pushing back? How are they responding to this mandate?
Yeah, well, I think the transaction risk analysis, that was actually in response to,
you know, merchants and payment service providers pushing back because before there wasn't any type
of exemption for, you know, risk analysis.
So as it was first stated, there would have been no type of exemption.
So the EBA came back with that as a concession for merchants and PSPs.
Now, from a consumer's point of view, is there anything noticeable that's going to change for them?
Absolutely.
So, you know, I think this is going to definitely have
a really big impact on e-commerce. The consumer is definitely going to see a change because they're
going to have to go through a lot more authentication than they're used to. You know,
now we're used to having to remember a username and password, whereas with the strong customer authentication guidelines with PSD2 and now mandates, you have to have two factors: knowledge,
so something you know, such as a password; inherence, something you are, so thumbprint, facial scan; and possession,
so that could be like your device or a Bluetooth device, something along those lines.
So now they're going to have to provide those two separate factors to satisfy SCA requirements.
That's Angie White from Iovation.
Forbes reported yesterday that the exposed data hunting company UpGuard
has disclosed that it found an exposed database belonging to the Oklahoma Securities Commission.
The commission, which is that state's securities regulatory body,
left some three terabytes of information open to the web.
Much of it concerned regulatory and law enforcement matters,
including information on federal investigations of financial crimes,
irregularities, and compliance.
The data go back a long way,
some of them to the 80s. They include emails running back two decades, as well as enforcement
action information extending to 2012. Passwords to state systems were also exposed. The Oklahoma
Securities Commission says it's got the matter under investigation, is reviewing policies,
determining who might need to be notified that their information is at risk, and that, quote, the department intends to make no further comment until the investigation is concluded and pertinent facts are established, end quote.
The commission did suggest that the exposure occurred inadvertently during the installation of a firewall. Citing Department of Justice policy,
the FBI says that the Bureau can neither confirm nor deny anything pertaining to ongoing investigations.
UpGuard notes that the sheer quantity of data exposed makes it difficult to characterize in any detail,
but it includes business information, personal data, system credentials, and other sensitive material.
They do say that the silver lining here, such as it is,
would appear to be that the data were exposed for a relatively short period of time.
They detected the exposed database a week after it showed up in Shodan's catalog.
Still, a lot can be taken in a week.
That the exposure happened at a government agency during a period in which
governments are devoting increased scrutiny to corporate data security has not escaped notice.
We heard from Bromium about the matter. Sherban Naum, Senior Vice President for Corporate Strategy
and Technology at the company, said in an emailed statement that, quote, this latest breach shows
the disconnect between what government agencies should be doing with their security and what is actually happening.
Government agencies hold the most sensitive data in the world,
from passwords for network machines containing the details of sensitive investigations to social security numbers.
Despite this, there is a lack of cyber resilience at local, state, and national level
because they are operating with limited resources,
making it hard to earmark funds for IT and cybersecurity to defend these high-value assets.
He noted that some agencies are either bucketing along with old unsupported systems or that they're simply not following soundly administered security policies.
And some follow-up to yesterday's parody news story. The party responsible for
printing and handing out a bogus issue of the Washington Post turns out to be neither Code Pink
nor Move On, but another progressive group, the Yes Men, a culture-jamming activist group
that engages in such parodies, posing as representatives of prominent institutions.
They also encourage setting up bogus websites, crashing conferences, stuff like that, a sort of Merry Pranksters lite, with transgressive hijinks done from the cozy perch of tenured
faculty positions, which is nice work if you can get it.
The Yes Men's idea was to provide a kind of roadmap to impeachment, since they'd like to send President Trump down that road.
And anyway, they like yesterday's scam and say it's all good because it was transparent.
Transparent because it was dated May 1st, and yesterday was January 16th.
And, get this, May 1st is also May Day, an homage to International Workers' Day,
as established by the sixth conference in the Second International.
Get it?
And the motto on the phony Post's front page wasn't Democracy Dies in Darkness, but instead, Democracy Awakens in Action.
And if that don't fetch them, then we don't know Arkansas.
The action hasn't been universally praised.
Wired, for example, is dubious, if not entirely condemnatory.
While acknowledging a place for satire,
Wired seems not entirely convinced that the Yes Men were as entirely transparent as all that,
especially given prevailing sensitivities about information operations.
The Yes Men are content, however,
telling Wired that they're not out there to make friends, but rather to make change.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Mike Benjamin. He's the Senior Director of Threat Research at CenturyLink.
Mike, great to have you back again. Today, I wanted to talk about a particular flavor of botnet, if you will, that you all have been taking a close look at, and that's MyloBot.
What do you have to share with us today?
Yeah, thanks for having me, Dave.
So MyloBot is a malware family we've been tracking that's particularly interesting because, like many other families that we're seeing today, it's dropping secondary payloads. And it's doing that so that
it can remain flexible to allow for future infections if the actor's desires of their
end-state infection changes. So today we're seeing MyloBot as an infection dropping the
Khalesi malware family. And so that malware family doesn't get a lot of public press. And so I know
a lot of folks maybe haven't heard of it, but it's an information stealer.
And so we're seeing information stealers being very popular.
And they're out to steal credentials, of course, usernames, passwords, both from enterprises as well as consumers.
They're both valuable in their own ways to a criminal.
But, of course, they're after money as well. So bank account information,
of course, crypto wallets are particularly popular with any information stealer family.
So Khalesi is what is dropping as its secondary payload. And we published some research recently
that outlines one interesting thing from a defender perspective, which is that the
MyloBot infection actually uses a DGA. That in and of itself is not
particularly unique. So the domain generation algorithm that it uses actually has hard-coded
domains in it. And so upon spin-up, what you actually see this malware family do is over
60,000 DNS queries. And from a defender perspective, looking at DNS logs would be a particularly
interesting way to see that. That should be really loud. It should be an anomaly in the data set.
And the reason we call that out is that the binary itself is auto-generated constantly
by the actor. And so the hash is a really poor way to detect the malware,
but the DGA is a really good way. And so we see globally,
best guess, 30,000, 40,000 infections on a given day from this malware family,
targeting a lot of the Middle East, Latin America, Eastern Europe, and Asia.
Yeah, that was my next question, which you led into there, which is, who are they targeting? And do you have any sense for how targeted they are and if there's any specific
information they're trying to get? So one of the things about how we are tracking botnets is we're
doing it from a network perspective. It makes a lot of sense coming from CenturyLink. And so that
initial infection, something that we're not often looking at, it changes, new exploits come out
every day. To us, that's a losing battle. And looking at the malware from a network perspective is where we target.
Now, I will guess, based on the regions it's attacking, and saying it's probably poorly
patched software.
You see those parts of the world tend to have out-of-date things, things maybe without up-to-date
licenses and other things.
And they're a really popular target for a variety of malware families.
So those regions aren't unique just to MyloBot,
and I would guess that it's not particularly targeted.
So, but the degree of targeting here itself, I guess, is one of the things I'm curious about.
Do you have any sense for, is this a shotgun approach where they're trying to get to anything they can get their hands on, or does it seem as though they may be after specific people?
No, no, they're very much looking at a broad infection in terms of the size scale numbers and variety of locations we're seeing.
They're not looking at an individual person.
I see. I see.
All right.
Well, Mike Benjamin, thanks for bringing us up to date.
Thanks for joining us.
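The detection idea Mike Benjamin describes above, a MyloBot-style DGA burst showing up as one host issuing thousands of lookups for never-before-seen names in a short window, most of them answered NXDOMAIN, can be written as a small DNS log check. This is an added example, not code from CenturyLink or the episode; the log line format and the sample traffic are constructed for the demo, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import random

# Constructed log format (assumption, not any real resolver's format):
#   "<ISO timestamp> <client_ip> <qname> <rcode>"


def build_sample_log(burst_client="10.0.0.23", burst_size=400, seed=7):
    """Constructed sample: light normal traffic from two hosts plus one
    DGA-style burst from burst_client (random 14-letter .com names)."""
    rng = random.Random(seed)
    start = datetime(2019, 1, 17, 9, 0, 0)
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.net"]
    for i in range(20):
        t = start + timedelta(seconds=i * 15)
        ip = "10.0.0.5" if i % 2 else "10.0.0.9"
        lines.append(f"{t.isoformat()} {ip} {rng.choice(normal)} NOERROR")
    for i in range(burst_size):
        t = start + timedelta(seconds=60 + i // 10)  # roughly 10 queries/second
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(14))
        rcode = "NXDOMAIN" if i % 50 else "NOERROR"  # the odd name resolves (live C2)
        lines.append(f"{t.isoformat()} {burst_client} {name}.com {rcode}")
    return lines


def parse_line(line):
    ts, ip, qname, rcode = line.split()
    return datetime.fromisoformat(ts), ip, qname.lower(), rcode


def find_dga_bursts(lines, window=timedelta(minutes=5), min_unique=200,
                    min_nx_ratio=0.8):
    """Return {client_ip: (unique_names, nxdomain_ratio)} for clients whose
    trailing `window` holds at least `min_unique` distinct names with an
    NXDOMAIN share of at least `min_nx_ratio`. A per-client sliding window
    keeps memory bounded on large logs; the thresholds are assumptions."""
    events = sorted(parse_line(l) for l in lines)
    recent = defaultdict(deque)  # ip -> (ts, qname, rcode) inside the window
    flagged = {}
    for ts, ip, qname, rcode in events:
        q = recent[ip]
        q.append((ts, qname, rcode))
        while q and ts - q[0][0] > window:
            q.popleft()
        names = {n for _, n, _ in q}
        if len(names) < min_unique:
            continue
        nx_ratio = sum(1 for _, _, r in q if r == "NXDOMAIN") / len(q)
        if nx_ratio < min_nx_ratio:
            continue
        best = flagged.get(ip)
        if best is None or len(names) > best[0]:  # keep the loudest window
            flagged[ip] = (len(names), round(nx_ratio, 3))
    return flagged


if __name__ == "__main__":
    for ip, (uniq, nx) in find_dga_bursts(build_sample_log()).items():
        print(f"{ip}: {uniq} distinct names, NXDOMAIN share {nx:.0%}")
```

Because the flag keys on query behaviour rather than a file hash, it keeps working when the actor regenerates the binary, which is exactly why the DGA is the better handle here.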
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and
ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant. And that's the CyberWire. To stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Thanks for listening.
We'll see you back here tomorrow.