CyberWire Daily - Developments in cyber gangland, and the increasingly complicated entanglement of crooks and spies. Selling confiscated alt-coin to compensate fraud victims.

Episode Date: November 18, 2021

Red Curl is a Russophone gang with an unusual target list. North Korea’s TA406 is having a busy year, hacking for intelligence and for profit. Wicked Panda’s getting good at code-signing, and software supply chain attacks are in Beijing’s long-term plans. A spearphishing campaign abuses legitimate collaboration tools. Kevin Magee from Microsoft has an insider’s look at Windows 11 security. Our guest is Kevin Bocek of Venafi to discuss Security Software Build Environments. And selling confiscated cryptocurrency to compensate victims of scams. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/222

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 Red Curl is a Russophone gang with an unusual target list. North Korea's TA406 is having a busy year hacking for intelligence and for profit. Wicked Panda's getting good at code signing, and software supply chain attacks are in Beijing's long-term plans.
Starting point is 00:02:16 A spear phishing campaign abuses legitimate collaboration tools. Kevin Magee from Microsoft has an insider's look at Windows 11 security. Our guest is Kevin Bocek from Venafi to discuss security software build environments and selling confiscated cryptocurrency to compensate victims of scams. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 18th, 2021. Security firms today have issued reports on several criminal and state-directed actors. Group-IB has published an update on the activities of Red Curl, a Russian-speaking threat group that casts an unusually wide net,
Starting point is 00:03:17 wide enough to include North American firms and Russian banks. The group, active since 2018, is principally engaged in industrial espionage, interested in trade secrets and employee personal data. The goal would appear to be financial, and it's unusual that a Russophone criminal gang would be bold enough to hit Russian targets. Those are normally off-limits to the Russian-speaking gangs. According to Proofpoint, 2021 has been a big year for Pyongyang's hackers. The group that security firm tracks as TA406 has been active against a wide range of targets. It's a North Korean state threat group associated with the activity against Western diplomatic and intelligence targets,
Starting point is 00:04:02 familiarly tracked as Kimsuky and Thallium, and also associated with the Konni family of remote-access Trojans. TA406 has engaged, according to the researchers, in espionage, cybercrime, and sextortion during 2021. It has proceeded from criminal theft to attacks that involve distribution of malware. So, like other DPRK threat groups, TA406 engages in a mix of spying and financially motivated cybercrime. That mixed motive is also visible in recent activities of another threat group, this one out of China. Security firm Venafi today published research on how Chinese
Starting point is 00:04:46 threat actor APT41, also known as Barium, Winnti, and Wicked Panda, has perfected code signing techniques, the better to hack software supply chains. The key points the security firm makes are these. First, they use bespoke tools. Quote, APT41 is unique among China-based threat groups as they leverage specially crafted non-public malware typically reserved for espionage activities for financial gain, likely outside the scope of state-sponsored missions. End quote. Second, Wicked Panda is very much interested in the value of code-signing keys.
Starting point is 00:05:25 Quote, Critical to the success of this attack method, APT41 has made code-signing keys and certificates, which serve as machine identities that authenticate code, a primary target. End quote. This is important because such certificates are useful for cooperation among attack groups, and they make success all the likelier. As Venafi puts it, Finally, APT41 is patient in its pursuit of strategic objectives. This strategic long-term focus is a primary factor in APT41's ability to successfully compromise a wide range of high-value targets
Starting point is 00:06:15 across multiple industries including healthcare, foreign governments, pharmaceuticals, airlines, telecommunications, and software providers. This patience is visible even in training. APT41 has for more than a decade run what Venafi calls a boot camp on the technique. The strategy pays off in at least two ways. As Venafi puts it, The cyber espionage activity of APT41 is mostly focused on the theft of source code, software code signing certificates, intellectual property, customer data, internal technology documentation, and valuable business information.
Starting point is 00:06:54 These same set of activities also facilitate financially motivated schemes, including ransomware, cryptojacking, and virtual currencies manipulation. This is close to a page from Pyongyang's playbook, although in this case the financial aspects may amount to an APT side hustle as opposed to privateering or direct enrichment of the national treasury. DomainTools has identified a quiet spear-phishing campaign in progress since the end of July, in which an email address belonging to an employee of a firm operating in the UAE was used in an apparent credential harvesting campaign directed against other companies in the region. The documents in the emails each contained distinctive domains hosted on Glitch,
Starting point is 00:07:50 a legitimate web-based code collaboration tool, whose ephemeral nature the attackers seem to have used to render their operations quieter and less susceptible to detection. Apps are accessible on Glitch for a matter of a few minutes. DomainTools writes, quote, This ephemeral nature makes Glitch shared spaces perfect for serving up malicious content, especially because Glitch's domains are trusted and often allow-listed on many networks already. DomainTools Research reached out to Glitch about this, but have yet to hear back as of the publishing time of this document. End quote.
Starting point is 00:08:27 Again, we note that Glitch is not a criminal enterprise, but a legitimate service. DomainTools offers no further attribution of the activity, nor do they give the unknown operator a catchy name. They do call the operation Seeing Red because of the frequency with which the links ran to a named page, red.htm, and they note that the techniques on display show some of the cunning ways in which criminals have evolved to evade traditional security measures. As the report says in its conclusion, quote, spaces where code can run and be hosted for free are a goldmine for attackers, especially considering many of the base domains are implicitly trusted by the block lists corporations ingest.
Starting point is 00:09:11 This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust. By coupling that with exfiltrating captured credentials to compromised WordPress sites, And finally, what happens to cryptocurrency seized by authorities during investigation of crime and fraud. In the case of the BitConnect Ponzi scheme, the Justice Department is selling $56 million in altcoin. CNBC reports that the funds will be used to compensate victims.
Starting point is 00:10:50 The folks at security firm Venafi recently surveyed more than a thousand IT development pros and executives to get a sense for where things stand when it comes to securing the software development pipeline. Kevin Bocek
Starting point is 00:12:10 is Vice President of Security Strategy and Threat Intelligence at Venafi, and he joins us with insights from their survey. I think we're in this period of uncertainty where security teams and engineering teams are not certain who's responsible for securing software development, software development pipelines, and also why have businesses not really made a dramatic change following the SolarWinds breaches? And I have to say it all starts with boards, CEO, managing director. It has to be the clear prerogative and demand, and also they have to have accountability and responsibility, that we are in a new age where everyone is under attack and it's not business as usual.
Starting point is 00:13:02 And that starts at the board. It starts at the CAO about being accountable. And then that accountability, of course, cascading down. So we're not going to see that change, that tidal wave, I believe, until that is. That may require boards. That may require regulation, whether you're in the U.S., U.K., or elsewhere around the world. Your regulators may also drive that change. So, in other words, best be prepared.
Starting point is 00:13:34 And then that cascades down where, hey, security teams, should we be responsible for, ultimately responsible for what engineers build? Or engineers saying, hey, we're the ones building it, we're going to be responsible. Or, hey, it's you guys, security. You know what? We'll just go continue building features and making releases. It's this uncertainty, and I think that, again, that has to change from the top. But in the meantime, though, I see a path of change. One, hey, when it comes to software that we're consuming, whether that be SaaS or that your business is licensing, you know, I see a world today where, you know, we ask security questions as part of the procurement process. Procurement teams have certain prerequisites that they want to see. But what we have to change is actually the buyers.
Starting point is 00:14:31 At the same time that they're learning about the features or what value a software or software as a service is going to be provided, your business should be saying, how are you going to secure the data that we use? How are you going to protect that we don't become the victim of a software supply chain attack? At the same time, you're asking about questions, again, that are going to drive revenue or create some efficiency. That's a change that we have to make today because, again, we're in this world where we're all under attack, no matter who we are. And that's a first change. We have to move, again, software supply questions from procurement all the way to the beginning. And that's something that security teams can make a change. I really believe they can start doing that today. Second of all, when it comes to, hey, who's responsible for securing software development pipelines and the software that we build? Again, your business is a software development company.
Starting point is 00:15:32 That's actually, I might sound a bit controversial. That's actually where engineering teams need to have more and more accountability and responsibility. You know what? They're architecting the build pipelines. They are engineers. Engineers are building the software. Engineering teams have to have accountability and responsibility. So I actually believe they're the ones that should be accountable, responsible for securing the software development pipelines. can help, but technology is changing so quickly. I mean, just ask a security architect about the latest in build pipeline technology, whether that's Azure DevOps, what GitLab has released, or I'm sure there's even more. That's not their specialty. And so, engineers then need to be accountable and responsible. And I think that's a great opportunity then for the VP of engineering, the CTOs to step up too.
Starting point is 00:16:29 So my two takeaways out of what we're seeing, this uncertainty is A, security teams can immediately make change, moving those security questions, how are you going to stop us being the next victim of a supply chain attack from procurement questions all the way to when the business is asking feature and value questions. And then second, engineering executives, CTOs, they need to become accountable, responsible for securing their software development processes. This is a new world that we're in, and that's why for CEOs and boards, managing directors, as they report to shareholders, they have to be talking about the cybersecurity threats just as much of a business risk as your competition.
Starting point is 00:17:15 So that's the opportunity as well for the leaders in technology and security side. It's as cybersecurity and protecting our software, it's just as important to how we're going to outwit the competition. That's Kevin Bocek from Venafi.
Starting point is 00:17:56 And joining me once again is Kevin Magee. He is the Chief Security Officer at Microsoft Canada. And of course, we note for disclosure, Microsoft is a CyberWire sponsor. Kevin, always great to have you back. You know, with great fanfare, you all at Microsoft have released the latest version of Windows. I hear this one goes
Starting point is 00:18:50 to 11. So there's a lot of excitement around that. But I wanted to really dig in with you about some of the security elements that are in Windows 11 and get a little behind-the-scenes insight onto what you all are thinking when it comes to security here and how this sort of sets the table for us for the future. So thanks for having me back, Dave. And you're absolutely right. Most operating systems, you know, they only go to 10. And where are you going to go from there when you need more security, right? Nowhere. Windows now goes to 11. So I think Windows 11 is an interesting case study to look at what's happening in our industry right now. And as vendors and customers are looking and thinking about security differently, first we want a fully integrated security approach. We can't look at
Starting point is 00:19:37 siloed, best of breed hardware, software operating solutions that we have to allow the consumer or the organization to figure out how to work together to protect themselves. They need to become much more integrated. And that's one of the things we're looking at with Windows 11, how better to do that chip to cloud, we call it. The second is the integrity of supply chain has become a very important part of every security discussion recently. And that can't be done in a silo either. You can't have an operating system supply chain discussion, a hardware to supply chain discussion, an app security discussion.
Starting point is 00:20:08 So how do we start thinking about integrating those and protecting the supply chain, again, from chip to cloud? And then finally, what I'm really pleased with Windows 11 is this approach that we call digital empathy or user empathy, where we're designing products to take the requirement away from the user to figure out security and just making it easy for them. And that's ultimately reducing the risk for the user
Starting point is 00:20:30 by increasing the experience or making the experience much better with the product. Can you give me an example of that? I mean, how would a Windows 11 user notice a difference when it comes to their interactions and security? I think a couple of quick things would be just how we build in security from, I call it, stairs and guardrail. When you think about any other security or aspect, walking down a broken set of stairs with a handrail and the user were to fall, it's not the fault of the user in our society.
Starting point is 00:21:02 You know, there is a requirement that the building owner or whoever is maintaining it make sure the stairs are built properly, that there's a proper handrail and whatnot as well. The same we put guardrails on highways. We really expect that the user is going to be using the product and really shouldn't ultimately be responsible for the entire security. Now they still have to drive within the lines. They still have to make sure they're walking safely, but we've taken that approach to designing Windows 11, and we're seeing a lot of other vendors look at this as well too. So that could be running applications in isolation, including Microsoft Defender Antivirus that
Starting point is 00:21:40 will run from the time of boot, so it's looking at the hardware boot process as well as once it's running as well, allowing applications to sort of prove that they're trustworthy, running user account control in least privilege mode by default, and also just building in some applications so users can have a holistic view. An application is included with Windows 11
Starting point is 00:22:01 so a user can look at their security posture, look at a privacy report as well, and familiarize themselves with what's really running on their system in one place instead of having to go hunting across the operating system or multiple applications to find this information. For the pros in the audience who still want to dig in there and hit that command line and mess things up on their own under their own terms, they still have the capability to do that, right? Absolutely. And I think that's a matter of choice. And that's how all of our products are really designed with user choice. If you want to have a granular level access to your security and you want to tune it specifically as a user or as an organization, you can do that. But what about the family who really doesn't have an IT department or a security department? There's no CISO of most households.
Starting point is 00:22:50 They're struggling with these challenges as well too. So we're not just making products for business users, but also for the modern home, which probably has more devices hooked up to the internet now than most businesses did 10 years ago. And they're struggling with these challenges as well, too. So again, how do we take the need to design security and manage security out of the hands of the user,
Starting point is 00:23:12 make the experience great, and then build in security by default as well? All right. Well, Kevin Magee, thanks for joining us. Thanks, Dave. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Trey Hester, Brandon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben,
Starting point is 00:24:04 Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
