CyberWire Daily - Diplomatic Backdoor targets charities, embassies, and telcos in Europe, Africa, and Southwest Asia. Fancy Lazarus and DDoS extortion. Slilpp credential market takedown. A data gap? Cyber regulation.

Episode Date: June 11, 2021

Diplomatic Backdoor afflicts Africa, Europe, and Southwest Asia. Electronic Arts source code stolen. “Fancy Lazarus” is back: despite the name, it’s an extortion gang, not an espionage service. An international law enforcement action takes down a credential market. Making good data available for AI research. There’s a growing appetite for cyber regulation in Washington. Thomas Etheridge from CrowdStrike looks at protecting cloud data, and Matt Chiodi of Palo Alto Networks' Unit 42 has highlights from their Cloud Threat report. And hold that side order of fries - a McBreach is disclosed. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/112

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Diplomatic backdoor afflicts Africa, Europe, and Southwest Asia. Electronic Arts source code has been stolen. Fancy Lazarus is back, despite the name. It's an extortion gang, not an espionage service. An international law enforcement action takes down a credential market,
Starting point is 00:02:15 making good data available for AI research. There's a growing appetite for cyber regulation in Washington. Thomas Etheridge from CrowdStrike looks at protecting cloud data. And Matt Chiodi of Palo Alto Networks' Unit 42 has highlights from their cloud threat report. And hold that side order of fries. A McBreach is disclosed. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 11, 2021. Researchers at ESET, the Bratislava-based security company, have issued a report on a cyber espionage operation targeting charitable groups, diplomatic organizations, telcos, and others in Africa, Europe, and the Middle East.
Starting point is 00:03:17 The threat actor is being called BackdoorDiplomacy for its use of the Turian backdoor and its preference for diplomatic targets. Turian appears to be a derivative of the Quarian backdoor seen in earlier operations against targets in Asia. BackdoorDiplomacy is a cross-platform threat afflicting both Windows and Linux systems. Electronic Arts, the popular game and e-sports company, disclosed yesterday that it had been breached. CNN reports that on June 6th, cybercriminals claimed to have taken 780 gigabytes of data from EA and that their haul included Frostbite source code.
Starting point is 00:03:58 Frostbite is the game engine behind the widely played FIFA, Madden, and Battlefield franchises, as well as other less well-known titles. EA is confident that no player data was accessed and that the incident doesn't represent a threat to user privacy. The incident seems to be an IP hack and not an attempt to steal personal data. The criminal's motivation appears to be the sale of the code in various hacker markets. In posts on underground forums, the hackers hawked their stolen code with a big dose of marketing bravado. Quote, you have full capability of exploiting on all EA services,
Starting point is 00:04:37 Motherboard quotes them as writing. They posted screenshots to provide some evidence that they have what they claim to have, but they're releasing the source code only to paying customers. Don't bother contacting them unless you're actually interested in buying. Only serious and rep members, all other would be ignored, they wrote. So if you would be interested in buying, not of course that you would be, but if you were, remember to be serious and rep. But hey, that's good advice anytime, right? Security firm Proofpoint yesterday released a study of a criminal group that styles itself Fancy Lazarus and that specializes in extortion by distributed denial of service. One might think Fancy Lazarus was either a Russian or a North Korean operator, but it's not.
Starting point is 00:05:26 Its chosen name is an apparent homage to Fancy Bear and the Lazarus Group, but Proofpoint discerns no connection whatsoever to either group. Instead, Fancy Lazarus seems to be an ordinary criminal operation. In the past, it's borrowed the popular names of well-known state-run actors, including Fancy Bear, Lazarus, Lazarus Group, and Armada Collective. But that's all apparently either misdirection or, more probably, an attempt to look more menacing than in fact they are. Fancy Lazarus, Proofpoint says, is taking aim at an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities, and retail sectors.
Starting point is 00:06:10 They threaten a crippling DDoS attack, but as often as not, if they're ignored, they're simply not heard from again. Some victims report demonstration DDoS attacks, and a few of them say they've experienced some degree of disruption, but in general, Fancy Lazarus seems to be more talk than action. The U.S. Justice Department announced yesterday afternoon that an international law enforcement operation had taken down Slilpp, that's S-L-I-L-P-P, an underground marketplace where
Starting point is 00:06:42 stolen login credentials were sold. The joint action by police in Germany, the Netherlands, Romania, and the United States seized the servers that Slilpp used and the domains those servers hosted. Justice explained in the seizure warrant under which it acted, Since 2012, the Slilpp marketplace has been selling stolen logon credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts. Its customers use the credentials they stole to conduct unauthorized transactions, such as wire transfers, from the related accounts.
Starting point is 00:07:20 The U.S. alone has arrested more than a dozen people connected to Slilpp. A good set of training data is to the AI race what LOX and kerosene were to the early space race. Artificial intelligence needs data to train on, and the sources of such data must be reliable and as reasonably free of bias as any human product can be. The Wall Street Journal reports that the U.S. government is considering ways of making suitably sanitized data available to AI researchers. The National Artificial Intelligence Research Task Force, a 12-member body operating under the White House Office of Science and Technology, is working toward a strategy for doing just that.
Starting point is 00:08:04 Much of the motivation for the program is economic. The U.S. seems to be anticipating a Sputnik moment in AI, with China taking the role of Russia as principal strategic competitor. The Voice of America says that Chris Inglis and Jen Easterly, nominated respectively for the posts of U.S. National Cyber Director and Director of the U.S. Cybersecurity and Infrastructure Security Agency, both said yesterday during confirmation hearings before the U.S. Senate Homeland Security and Governmental Affairs Committee that they favored a more active role for government in private sector cybersecurity. Neither markets nor voluntary standards nor enlightened self-interest
Starting point is 00:08:46 strike the nominees as sufficient, and they both favor more regulation. They're likely to find sympathetic ears on Capitol Hill, where, Reuters reports, the U.S. Senate is considering whether legislation is necessary to address the risk of cyberattacks, and particularly the ransomware threat. One sign of that sympathy is a letter the chair and ranking member of the Senate Homeland Security and Governmental Affairs Committee sent yesterday to the acting director of the Office of Management and Budget and the assistant to the president for National Security Affairs. The letter opens, quote, We write you today with serious concern about the state of our nation's cybersecurity
Starting point is 00:09:25 and the threat of ransomware attacks directed at our critical infrastructure, end quote, and goes on to say they want information that can inform anti-ransomware legislation they're in the process of drafting. They have three specific information requirements that suggest the lines along which they're thinking. First, information on strategies that relevant federal agencies are developing and implementing to combat ransomware attacks. Second, any new authorities or revisions to existing authorities that would further empower relevant federal agencies to combat ransomware attacks and respond when they do occur. And third,
Starting point is 00:10:04 suggestions for Congress to consider as we develop legislation and oversight plans to combat ransomware attacks. End quote. And finally, the Wall Street Journal reports that McDonald's operations in South Korea and Taiwan have sustained a data breach. The hackers stole customer emails, phone numbers, and addresses for delivery customers in South Korea and Taiwan, the journal says. McDonald's says that some employee data in the U.S. was also accessed, but none of it was either sensitive or personal. The incident
Starting point is 00:10:37 wasn't a ransomware attack. The burger giant has engaged the services of cybersecurity firms and notified the appropriate authorities. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:11:08 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:11:39 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Starting point is 00:12:45 Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Palo Alto Networks' Unit 42 recently released the latest edition of their Cloud Threat Report. And as you might expect, COVID-19 played a big part in cloud security over the past few months. I checked in with Matt Chiodi from Unit 42 for details on the report.
Starting point is 00:13:33 Well, we do cloud threat reports about every six months. And whenever we do them, we typically choose a different topic. But this time around, we're obviously still in the throes of the COVID-19 pandemic. And what we wanted to do this time was something a little bit different. We wanted to see how has COVID-19 impacted security in the cloud. And so what we did was we looked at data pre-COVID-19 discovery and then post-COVID-19 discovery. And really to see what's changed and how did, for example, Pew Research found that employees
Starting point is 00:14:12 working remotely pre-pandemic was about 20%. And then after, within a matter of months, that number jumped to 71%. That's Pew Research data. So whenever you have a massive shift in a workforce like that, there is bound to be security impacts. And that's really what we wanted to see. What's changed? How did things like that impact cloud security? And that's exactly what we focused on throughout this report. Well, let's go through it together. What were some of the highlights here? What are some
Starting point is 00:14:43 of the things that really drew your attention? Sure. The first one, and this is really what I would say probably shocked me, was that we actually saw cloud security incidents, they nearly tripled in the second quarter of 2020, so April to June. They increased by almost 188%. Now, to be clear, we define a security incident as events that caused violations in security policies that put sensitive data at risk. So again, cloud security incidents, they nearly doubled at 188% increase in that second quarter of 2020. So just massive change in terms of security incidents.
Starting point is 00:15:37 That's kind of probably one of the big high-level items that came out of the report. What sort of insights do you have on the why? What are the actual changes in people's behavior or opportunities or desires that triggered the shift? So when organizations, when the COVID really first started to unfold, this really caused many organizations,
Starting point is 00:16:04 yes, because of work from home types of things, they needed that rapid spin up was a massive increase in that. So for example, when we look at certain industries, that was very different in terms of how they scaled their cloud usage. But overall, we saw that most industries across the board rapidly scaled their actual cloud usage. And one of the things that we dive into in the report is we don't just look at it globally. We actually dove into how did it impact cloud security by region? How did it impact it by industry? What we saw was that as they scaled their workloads, unfortunately, their cloud security incidents disproportionately increased as well.
Starting point is 00:17:05 And really the why behind that is that without automation, sudden increases in cloud workloads lead to a dramatic growth in security incidents. And unfortunately, that often leads to overwhelmed security teams. Overall, are we at a state where the message is hopeful, that we feel like folks are getting on top of this, or do you feel like we're slipping behind, or are we treading water? Well, certainly in response to the pandemic,
Starting point is 00:17:37 we were barely treading water. And again, and this was probably some of the other interesting findings, was that COVID-19 critical industries, they actually suffered a spike in security incidents. We looked at from October of 2019 through February of 2021. It's a long period of time. We actually found that cloud security incidents for the retail, manufacturing, and government industries rose by
Starting point is 00:18:07 402% for retail, 230% for manufacturing, and 205% for the government. These are those same industries that were among those facing the greatest pressures to adapt and scale in the face of the pandemic. Retailers for basic necessities and manufacturing and government for COVID-19 supplies and aid. So the question I would be asking is, if I was an attacker, which industry poses the best risk reward? And the answer is, unfortunately, retail, manufacturing, and government. They had huge spikes in cloud growth, but they also saw their incidents spike. And this takes us back to kind of where we started.
Starting point is 00:18:50 If you don't automate security, security teams will be overwhelmed and they will be barely treading water. That's Matt Chiodi from Palo Alto Networks Unit 42. You can find the latest version of their cloud threat report on their website. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects,
Starting point is 00:19:13 where you'll get access to this and many more extended interviews. by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Starting point is 00:20:20 And I'm pleased to be joined once again by Thomas Etheridge. He is Senior Vice President Services at CrowdStrike. Thomas, it's great to have you back. I want to touch today on data protection in the cloud and how folks can best go about making sure that they're covered there. What can you share with us? Thanks, Dave. It's great to be back. Well, everybody's talking about transformational projects and the push to the cloud. We've seen a tremendous amount of organizations move applications and infrastructure from traditional on-premise model to cloud infrastructure. A lot of that's due to things like COVID, moving workforces to work from home or work from
Starting point is 00:21:00 anywhere models, telemedicine, online purchasing, all those things are driving bigger infrastructure and the need for scale. And that's pushing a lot of organizations to the cloud. One of the things we are talking to our customers about, and I preach in many of the talks that I give, are the three Ms around the security challenges. Those three Ms being misconfiguration of cloud infrastructure, mismanagement of cloud infrastructure, and mistakes. And those things are typically at the root or heart of most cloud breaches that CrowdStrike responds to. Well, how do folks go at making sure that they're covered with those three Ms?
Starting point is 00:21:47 There are a number of things that organizations can do. Technologies such as cloud posture management technology provides for capabilities to help automate the identification of issues and understand how to remediate those risks across many different types of cloud infrastructures, including infrastructure as a service, software as a service, and platform as a service infrastructures. Cloud security posture management provides for being able to visualize risk and do assessments, provide improved incident response capability and monitoring for compliance purposes, as well as provide capabilities around DevOps integration. And if implemented properly and monitored properly, it can help reduce false positives and uncover hidden threats. How much do you find that when handling this transition to the cloud that folks sometimes
Starting point is 00:22:42 don't have a good handle for everything they've got in their network. I'm thinking about everything we've seen recently with the Microsoft Exchange Server incident where there were folks out there who had Exchange Servers running and in the course of their cloud transition may have lost track of that. Absolutely. So we recognize that skills are a big challenge,
Starting point is 00:23:04 especially for organizations that are moving very rapidly to the cloud. In addition to cloud posture management, which I talked about, there's additional capabilities that can provide some increased visibility and fidelity around what might be happening in your cloud environment. Increasing and having index-free cloud log management capabilities implemented are key to being able to capture the necessary data to respond instantly or more effectively to an incident when it does occur. It allows for the ability to pinpoint areas of concern and to potentially recover from incidents when they happen. Another big focus for us in talking to our clients is around identity management and zero trust. Zero trust architectures can help organizations verify the users in their environment, provide for segmentation and enforcement of the least privilege principle.
Starting point is 00:24:08 It also can help analyze the IT stack, including what users you have in your environment, what are those users doing, what workloads are they working from, and what endpoints exist in that infrastructure as well. Are you seeing more and more organizations having, as new organizations are spun up, are they doing business almost exclusively in the cloud? I mean, seeing less of these sort of hybrid solutions, kind of legacy things that are holding on from the past? I think it's a mix, Dave.
Starting point is 00:24:44 A lot of organizations aren't able to forklift everything they do today with their on-premise infrastructure and move it into the cloud. We talked about some of the resource constraints in terms of skills and expertise and the speed at which the business is moving. So we still see a hybrid approach where there's certainly on-premise infrastructure that still requires management and expertise at that level. But as more organizations shift to cloud workloads, the skills in some cases don't translate and the same policies, procedures, and controls are different and require a thoughtful approach to monitoring those,
Starting point is 00:25:27 to assessing the risk of those configurations and settings. And as I said, the three Ms continue to be a problem for most organizations that we're called in to support from a breach perspective, misconfigurations, mismanagement and mistakes. All right. Well, Thomas Etheridge, thanks for joining us. Thanks, Dave. And that's the CyberWire. For links to all of today's stories, check out our daily briefing
Starting point is 00:26:04 at thecyberwire.com. Be sure to check out this weekend's edition of Research Saturday and my conversation with Adam Tagert from the National Security Agency. We're going to be discussing NSA's most recent science of security report. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:27:26 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
