CyberWire Daily - Cybercrime pays, criminal tools are commodities, and some cyber gangs get sophisticated. The skid market for booters. Pyongyang unleashes the BeagleBoyz.
Episode Date: August 27, 2020

Several Magecart campaigns turn out to be the work of one gang. The unfortunate persistence of DDoS-for-hire services. Ransomware's growing sophistication as a class of criminal enterprise. Andrea Little Limbago from Interos on supply chain attacks and risks. Our guest is Mark Testoni from SAP's NS2 on how COVID-19 reshaped classified work. And hey kids: the BeagleBoyz are on a crime spree. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/167
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Attention to detail and good graphic design make commodity attacks pay.
Several Magecart campaigns turn out to be the work of one gang.
The unfortunate persistence of DDoS-for-hire services.
Ransomware's growing sophistication as a class of criminal enterprise.
Andrea Little Limbago from Interos on supply chain attacks and risks.
Our guest is Mark Testoni from SAP's NS2 on how COVID-19 has shaped classified work.
And hey, kids, the BeagleBoyz are on a crime spree.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 27th, 2020.
Group-IB says it's been able to link three Magecart JavaScript sniffer campaigns to a single group, which they call UltraRank.
UltraRank compromised over 700 sites over five years,
selling its take in the ValidCC card shop,
a well-known criminal market.
Group-IB threat intelligence analyst Viktor Okorokov said, quote, the cybercriminal market is offering better quality of service, fine-tuning and simplifying the instruments for solving specific tasks. In the coming years, we will definitely see the growth in the use of this malicious instrument since many online shops and service providers still neglect their cybersecurity, using outdated CMSs that have vulnerabilities, end quote.
We've heard over the past week about cyber mercenaries, hackers for hire.
These groups or individuals have apparently been hired
to collect commercial information on businesses,
with law firms and financial services outfits commonly targeted.
There are other kinds of illicit services on offer too, like booters, or distributed denial-of-service attacks delivered to paying customers.
Security company Radware this morning published a look at the last two years of action in the booter criminal market, and their conclusions aren't particularly happy ones.
Over that period, law enforcement agencies and companies have worked to take down DDoS-for-hire operations, and they've succeeded in doing so and in making a number of arrests.
But unfortunately, these make only a momentary dent in the DDoS-for-hire market, and the trend has been consistently upward.
Radware points out that people offering booters used to advertise their services by stunt hacking, taking down a site or service to do some arch chest-thumping, and Bob's your uncle.
That's no longer the case, and it's not so much that booter services have grown more
professional, but rather that they've sunk to their own level.
For one thing, they now infest the gaming subculture, the way half-witted trades in
skins and loot boxes do.
For another, DDoS code and the IoT botnets are now thoroughly commodified,
cheap, available, and with their use adapted to the meanest understanding.
There's more.
Search engines commonly turn up results for booter services,
and they also occupy what many perceive or actually misperceive as a legal gray area.
After all, who's to say that you wouldn't want to use a stresser to test your own resilience? Could happen, right?
This, of course, is playground lawyering on the level of the widespread opinion that if you took your boat beyond the 12-mile limit, anything would be legal.
And anyway, if it popped up in your Google results, how illegal could it be, right?
Britain's NCSC has tried to educate people to the fact that using a booter, even, say, against your rivals in Fortnite or Grand Theft Auto, is against the law.
But while Radware applauds the NCSC's intentions, there's little sign that denizens of parental
basements are really paying attention.
It's worth mentioning that it's not just the gaming world that's afflicted by DDoS.
Computing reports that New Zealand's NZX Stock Exchange
continues to deal with disruption inflicted from overseas booters.
Attacks yesterday made the third day in a row that the exchange had to shut down services.
So the booters-for-hire are the criminal equivalents of delinquents hanging out on street corners, sniping butts and throwing rocks at cars.
But ransomware operators?
They're more like the mob.
Wired takes a look at the dark side of ransomware and its operators,
whom it sees as corporate and cruel,
a distillation of underworld trends toward careful target selection,
careful calibration of demands to offer painful but tempting options to pay,
and with ruthless reprisal against victims who refuse them.
And hey, kids, I mean kids of a certain age, I guess ex-kids, if you will.
Remember the Beagle Boys?
They were a crew of hoodlums, gonifs, and no-goodniks
who served as villains in the Mickey Mouse comic books, those old Gold Key editions.
And you remember those. Anywho, the Beagle Boys are back, at least in homophonic form.
CISA, NSA, and the FBI have issued a joint warning against a North Korean hacking group they're calling the BeagleBoyz.
That's Boyz with a Z, which we're morally certain is an homage to the old Disney villains.
The BeagleBoyz, the agencies assess, are a subgroup of Pyongyang's Hidden Cobra threat group, which itself overlaps to a large extent the bad actors industry tends to call the Lazarus Group.
The BeagleBoyz, like their Disney originals, are bank robbers, but they're not a freelancing criminal gang.
No, they steal on behalf of the Great Successor, the Dear Respected Marshal Kim Jong-un, his very own self.
Unlike their Disney originals, however, they don't drill, blast, or safe-crack their way into vaults, but they loot the banks through hacking.
They're responsible for the FASTCash ATM looting campaign and other assaults on bank payment systems.
Their principal motive is financial gain for a regime that's been unable to deliver economically and that labors under the international sanctions and odium appropriate to a rogue state.
But CISA, NSA, and the Bureau point out that the BeagleBoyz pose risks that go beyond obvious financial loss.
There's also reputational damage, the opportunity costs of increased security,
and above all, erosion of the confidence on which the international financial system depends.
So far, the BeagleBoyz have been fairly successful, but we hope they turn out to be as dim-witted and prone to failure as their Disney originals.
But so far at least, FASTCash doesn't look like a Mickey Mouse operation.
Those of us who are a certain age grew up laughing at the bumbling antics of a certain Agent 86,
Maxwell Smart, on the TV show Get Smart.
Pretty sure by the time I was watching it, it was in reruns.
Maxwell Smart was a secret agent for the fictional intelligence agency Control,
and a running gag on the show came up whenever classified information was under discussion.
Now, here is my plan.
And I'm glad we're not in my office or you would insist on our using the cone of silence.
Oh, I've already taken measures for that, Chief.
I brought along the portable cone of silence. It was in my car.
Max, we don't need that. Besides, it doesn't work.
Look, Chief, according to the handbook, you've got to take some security measures if you're going to talk about a plan away from Control headquarters.
All right, Max.
Funny stuff, for sure, but of course, in the real world, secure communications are no laughing matter, a fact that's been brought into focus as the global pandemic has made it more difficult for people who need to discuss classified information to get together face-to-face in secure facilities.
Mark Testoni is CEO of SAP's NS2 National Security Arm, and he shares how COVID-19 has reshaped classified work.
Obviously, like everyone else,
people that are employed in the intelligence community and parts of defense have been deployed to home.
And because of the nature of the current classification
of some of the work,
it's presented challenges for them to work,
and not only them, but even the supporting contractors.
We have a number of people who operate either in government facilities or in SCIFs that we own, and because of the pandemic, it's changed the whole dynamic.
So much like in many office buildings across business, where very small numbers of people are going to work, the same thing has happened in some of these other areas.
So it's required some adjustments.
And we're still working through some of that.
In the work that you're doing with folks inside the intelligence community,
are you finding that they're open to these sorts of evolutions?
Or are these conversations that you see happening?
We are starting to have them. And we've had a couple of cases where we've actually been able to work, you know, a very small practical way to move some work into the unclass environment, some pieces of it.
When we get through this pandemic, although given what we're witnessing right now, I'm not sure it may be as fast as some people have thought, that we don't just kind of fall back into our own operational reasons.
Because beyond the pandemic and kind of the productivity issues, there are really longer-term issues, as I said earlier, with recruiting, with leveraging commercial technology. That's the business that we're in, that could very much more be enabled if we had a much more collaborative open environment to do a lot of this versus everything being, or many things being, done behind walls.
So I mean there's also second- and third-order factors. You and I have heard for years about the backlog of clearances and reinvestigations, and there's some work going on there.
But we have over 4 million clearances in this country, which is a shocking number to me.
And if that's more than 1% of the U.S. population, that's a rather large number.
Do we really need all that?
Do all these organizations need these?
And how do we drive change?
To me, that's really what's going to be critical.
Things like security clearances and SCIFs are what I would consider to be basically symptoms of a larger challenge, which is what do we really need to hide behind walls today and secure? What is really important?
If we go back to sources and methods and human and those things that are really, or some of the technical things that are really, really important, let's get those and secure the living dickens out of those.
Let's look at some of these other business operations and even the approaches that we use to solve some of the vision operations.
And can we do some of the work, 70, 80 percent of the work outside?
If we can do that, we're going to provide better capabilities
to the intelligence community.
They're going to get them faster.
And when we have work disruptions like this,
we won't be suffering.
That's Mark Testoni from SAP's NS2 National Security Arm.
And joining me once again is Andrea Little Limbago.
She is the Vice President of Research and Analysis at Interos.
Andrea, it's always great to have you back.
I want to touch today on supply chain risks,
some of the things that you've been tracking when it comes to that.
What sort of things are on your radar these days?
So there are a couple of different areas when it comes to supply chains.
And supply chains is one of those areas that for so long no one really cared that much about. And now it's front-page headlines.
And whether it's from the food supply chain to more of the manufacturing side, the digital supply chain is something that also is starting to garner a lot of attention.
And so that's really the area I'm looking at, that intersection of both the physical supply chain and the digital supply chain, since they're just so interwoven right now.
And when we think about the supply chains, we think more so about the lack of toilet paper or flour in our food markets,
but we don't necessarily, and rightly so, by the way, right now.
I mean, that's obviously what hits us on a daily basis.
But the broader issues that have manifested in light of COVID, and even well before that as well, were just the notion of third-party risk and extending that risk modeling into the supply chains as well.
If you think about financial institutions, their supply chains are more so on the digital supply chain aspect of it.
And so we're seeing that the digital supply chain intersection with physical supply chains and really looking at, you know, what the range of vulnerabilities are and how to think about risk in that regard.
And, you know, I think, you know, in our industry for a while, we've talked about the perimeter being gone. And, you know, we've understood what that meant.
And, you know, a lot of it, especially now with the distributed workforce and cloud-based systems, you know, that's where most of that discussion goes.
But when you think about expanding the perimeter, it's also really important to think about, you know, who your partners are and who you're collaborating with, and not just your immediate suppliers and those companies, but who are their suppliers and who are their suppliers' suppliers.
And that's where I think a lot of, you know, that's where I'm keeping an eye on and doing, you know, a lot of my research, is really looking at that extended supply chain and how to mitigate those risks that may come along with it.
The example that I think is unfortunately always given,
I think unfairly to Target,
but it's Target and the HVAC system, right,
as far as that kind of attack.
They're by no means alone or an anomaly.
They're just the ones that happen to be a well-known brand.
So that's the example that always gets used.
But supply chain attacks continue to be on the rise.
And the reason for that is because you have these companies
that do have the resources, spend the resources,
they've created very robust security systems.
So that makes it, if you're an attacker,
you're not going to be going there,
you're going to be going to the easier route,
which might be either a small company
that's not even their initial supplier,
but the small company that's supplying a supplier
that then feeds into the larger company.
And that might be the easiest pathway to go.
And especially during these times now
where with a distributed workforce
and not all companies lessening up
on some of the security standards,
those might be the ways to get in.
And so that's why we're continuing to see a rise of supply chain attacks.
And so that's one big area of it.
And the other one that gets into the software and hardware
that's used by the companies and where those come from
would be another area.
And thinking about ensuring trusted applications
and technologies are within your system.
Yeah, you know, you and I have talked about
the touchy situation that some companies find themselves in,
in particular with China.
And I can't help thinking about Apple,
who, unlike some other companies
who are mostly running in the software world,
it strikes me that Apple has this situation
where so much of their business is dependent on hardware that is manufactured in China.
And surely, obviously, that affects their relationship, the types of ways that they feel as though they can push back.
We hear a lot about, on the physical side, the reshoring or onshoring.
And again, this is especially over the last few months
given the supply chain disruptions that we've seen.
And so I think that's one of those things
that's going to continue to be a boardroom discussion
that sort of in the past it was,
you know, it doesn't make sense financially,
but as geopolitical tensions continue to rise
and as other countries start to step up
and provide some of those same,
the same environments for reshoring, and as governments begin to incentivize that movement.
I think Japan is a really good example.
Japan has invested billions of dollars to reshore companies from China
back to Japan or to another trusted country.
So governments are stepping in to help switch that incentive and risk calculus for the companies themselves.
And even Apple has been moving away in some aspects from China. They've been moving largely to Vietnam.
But then in many cases, they're still working with Chinese companies, just in Vietnam. So it's not necessarily avoiding the exact same problem.
Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
Great, thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time, keep you informed, and it's kid-tested and mother-approved.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.