CyberWire Daily - Daily: Operation Dust Storm vs Japan. Operation Blockbuster vs. The Lazarus Group. Venture capital gets tight.
Episode Date: February 24, 2016
Daily: Operation Dust Storm vs Japan. Operation Blockbuster vs. The Lazarus Group. Apple vs the FBI. Venture capital gets tight. Parents may want to monitor kids' smartphones.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Operation Dust Storm kicks up a ruckus in Japan's critical infrastructure.
The Lazarus Group, said to be working on behalf of North Korea,
is described by an industry consortium working as Operation Blockbuster. Malware is increasingly industrialized
and professionalized. Apple returns the FBI's serve, releasing a list of other requests pending
under the All Writs Act. Venture capital may be getting tighter and acquisitions more attractive.
And finally, parents, your kid's smartphone isn't just a pricier library card.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, February 24, 2016.
Some news on major threat actors breaks today.
Cylance reports that Operation Dust Storm, a multi-year complex campaign,
is systematically pursuing data from electric utility, oil and gas, finance, transportation,
and construction companies. The point of entry is Japan, but the companies targeted have operations
or connections that extend throughout Europe, Asia, and North America. Following its normal
caution about attribution, Cylance says indications are that the actor is a nation-state, but it explicitly declines to name
one. Cylance has told us on more than one occasion that it believes attribution is difficult, that
evidence is too easily spoofed, and that there's a hasty rush to judgment, and that, after all,
attribution is best left to people who, quote, wear badges and carry guns, end quote, that is, to law enforcement authorities.
Their commendable reticence, of course,
hasn't stopped general speculation about China and North Korea,
as the usual suspects.
Some of the more interesting features of Operation Dust Storm
include its complex attack modes.
Spear phishing, watering holes, back doors, and zero-days
have all been used to compromise corporate networks and Android devices,
and its use of attack code that appears to have been customized to particular targets.
You can find details at cylance.com.
Such customization is not confined to Operation Dust Storm, either.
WebRoot, in its 2016 threat brief, concludes that malware's increased tailoring to specific endpoints
is now effectively, quote, rendering signature-based security virtually useless, end quote.
The other big threat actor news comes from the industry consortium that's been working on the so-called Lazarus Group.
Led by Novetta with participation from Symantec, Kaspersky, AlienVault, Invincea, ThreatConnect,
Volexity, and Punch Cyber, Operation Blockbuster has published its results.
The researchers find that the Lazarus Group has been active in cyber espionage since 2009 and that it participated in the Sony hack of November 2014.
They trace the group to North Korea, no reticence here,
and cite reused code and common passwords among the principal pieces of evidence.
Much malware is now being open-sourced in criminal markets,
various precincts of the dark web functioning effectively as an R&D shop for cyber gangs.
The same collaboration and intelligence sharing that benefits legitimate work,
like that done by Operation Blockbuster, can also be turned to illicit purposes.
BAE's head of cyber threat intelligence sees an increasing professionalization of cybercrime.
We can see two big groups.
One is a group of very professional, dedicated criminals who own what they do,
meaning they own the malware itself, malware that is not sold on forums to anyone.
And then you have another group where you have this set of criminals creating malware and selling
the toolkit to other users in forums. But at the same time, they are also using it for themselves.
And then you have the third set of people who are just the users, people buying toolkits and
services around. So at the end of the day, if you have the means, you can have your whole botnet
set up without any intervention from you. I don't think we talk enough about it and about this
new community coming into this business.
We already know the ones that are into this business for a long time.
The scary part is the ones coming because there are so many and it's so open.
There are so many services that are not necessarily expensive that for a few hundred bucks,
you can have a botnet set up and running, probably even for less.
An ESET-sponsored study in the UK suggests that the average age at which children first get their smartphone,
and with the ability to surf and download pretty freely, is 10.
Parents, it seems, are coming to regard a phone as a more expensive library card.
That it's more than a library card and probably deserves to be managed with considerably more circumspection
may be seen in the continuing story of uKnowKids, a firm that offers online child safety monitoring.
uKnowKids has accused MacKeeper researcher Chris Vickery of breaching its networks.
Vickery says he found an exposed database and that uKnowKids' security is at fault.
In any case, some 1,700 kids' data seem caught in the middle.
In patch news, Microsoft updates its EMET security software, and the old familiar Drupal 6 content
management framework reaches the end of its life today. It will no longer be patched or upgraded.
In industry news, some analysts see a slowdown in the rate at which venture capital is flowing
into cybersecurity startups. The immediate effects of the slowdown are being seen in startups cutting operating budgets
and in a spike of M&A interest.
There is indeed a spike in M&A news and rumor this week.
BlackBerry has bought British cybersecurity consultancy Encription,
and Thycotic is reported to have picked up Windows endpoint security
and application control software shop Arellia.
The biggest news in this area, however, is still in the realm of rumor.
IBM is thought to be about to buy Resilient for a reported $100 million.
Resilient is best known as the corporate home of security guru Bruce Schneier.
In the U.S., the standoff between Apple and the FBI continues,
with Apple getting in the latest volleys in their public exchange.
The company's lawyers have released a list of 12 devices for which Apple has received requests for assistance under the All Writs Act,
which suggests that there may be more at stake here in terms of precedent than the Justice Department has been wont to indicate.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Joining me is John Petrik, editor of the Cyber Wire.
John, it seems like we're seeing more and more stories that are sort of wrapped around social media and how that affects information ops.
We certainly are. One of the things that's been striking about ISIS has been that it is not so much operated on a traditional command and control model where people are being formally tasked and given orders and so on and so forth, but rather it's been organized on a cellular basis and it's relied on inspiration. So this is concerning people and this is the kind of thing that people are groping for an answer to.
And this leads us to Twitter. Twitter's taken some heat lately for how they've handled removing accounts.
Right. For one thing, Twitter is one of the companies that's been asked by the government, in the government's general push to help us do something about the ISIS narrative, about extremist narratives. And so Twitter has been blocking accounts that are associated with ISIS. In fact, there was some news earlier this week that actually came out of the program at George Washington University, the Program on Extremism, that said that Twitter had successfully suspended about 125,000 accounts linked to terrorists. So what Twitter is interested in doing is shutting down what it takes to be certain kinds of obnoxious behavior. And so it formed, and the name of this has been unfortunately received by people, what it calls a Trust and Safety Council, in which it's assembled a group of various activists, stakeholders, and so on and so forth, and they've assembled that earlier this month, to go through and look for accounts that are abusive.
So the complaint and the stick that Twitter is getting from the blogosphere generally is that it seems that the members of the Trust and Safety Council are probably disproportionately
going after ideological disagreement at least as much as they're going after things that
any fair-minded person would recognize as trolling or threats of violence and so forth.
Is there a sense that Twitter is having any success in eliminating these accounts?
Is it making a difference?
Well, I mean, the George Washington University program thinks that they did a good job
in getting rid of those 100,000-plus accounts that were associated with ISIS.
And George Washington has also said publicly that they think that there are fewer
accounts and there's less of this kind of inspiration traffic coming out of Syria.
On the other hand, there were two groups in Baghdad that just swore allegiance to the
local affiliate of Al-Qaeda. Where was this announced? In the Al-Qaeda official Twitter feed.
And that doesn't mean that Twitter is ill-willed or
incompetent or that it's been subverted. It just shows that this is not an easy task.
John Petrik, thanks for joining us.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner.
Thanks for listening.