CyberWire Daily - DPRK returns to bank robbery. Ransomware updates. Patches from Oracle, Lenovo, BlackBerry. Criminal coin miners.
Episode Date: October 18, 2017

In today's podcast we hear that the Lazarus Group is back at it with SWIFT. Magniber ransomware hits South Korea. Researchers cast the first KRACK-related stone at IEEE. Oracle, BlackBerry, and Lenovo patch. A study finds criminals turning to cryptominers. Awais Rashid from Lancaster University on securing critical infrastructure. Aaron Higbee, CTO of PhishMe, on the human factors in phishing. And one cryptominer seems to be tugging on Superman's cape—OPSEC isn't their strong suit, to say the least.

Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily, and we think you'll find it valuable, too. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Interested in the latest research in cyber security? Our new Research Saturday podcast highlights research being done in industry, universities, and governments. Hear from people who are discovering threats, uncovering vulnerabilities, and devising the security measures to keep cyberspace as safe as it can be. Check it out.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Remember, you can become more than just a listener of the Cyber Wire podcast.
You can become a supporter.
Visit patreon.com slash thecyberwire and find out how.
The Lazarus Group is back at it with SWIFT. Magniber ransomware hit South Korea. Researchers cast the first KRACK-related stone at IEEE. Oracle, BlackBerry, and Lenovo patch. A study finds criminals turning to crypto miners. And one crypto miner seems to be tugging on Superman's cape. OPSEC isn't their strong suit, to say the least.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 18, 2017.
North Korea, its economy hard-hit by international sanctions, continues to find income through cybercrime. BAE researchers attribute a recent theft of $60 million from Taiwan's Far Eastern International Bank to the DPRK's Lazarus Group, the same outfit thought responsible for 2016's illicit funds transfer from the Bangladesh Bank. As they did in the 2016 robbery, the thieves exploited the SWIFT international money transfer system. How they did so isn't yet fully understood, but it appears that a ransomware attack may have functioned as misdirection.
The Magnitude Exploit Kit is currently active, distributing Magniber ransomware to South Korean targets. The vector is malvertising. Magniber had until last month afflicted mostly Taiwanese targets. Trend Micro thinks Magniber is one of the few language- and country-specific ransomware strains out there.

Some security researchers argue it's IEEE's fault that the WPA2 Wi-Fi protocol proved vulnerable to KRACK attacks. IEEE standards, they say, aren't generally open to inspection and vetting by security researchers who might be able to discern flaws earlier. IEEE working groups are a closed industry process, Johns Hopkins cryptographer Matthew Green told Wired. Vetting standards is difficult enough, even for an organization whose technical standards and capabilities are as high as the IEEE's typically are, and the more eyes and testers, the better. That's the wisdom-of-crowds critique the outside researchers are offering.
Phishing remains an effective way for bad guys and gals to get their malware on a targeted system or network, taking advantage of the human factor to bypass technical defense measures. What are the most effective phishing techniques? Aaron Higbee is co-founder and chief technology officer at PhishMe, a security company that specializes in these sorts of things.

We have a lot of data on this, especially in the context of an enterprise worker or someone that works for an organization. The attackers will swap out specific techniques, and either tricky URLs or tricky attachments. But when it comes to stories, there hasn't been a lot of innovation. Many of the themes that they pick, and we know why because they're more successful, have to do with office communications. So it could be things like you've received a file off of a scanner, you've received an electronic fax, someone has left you an urgent voicemail, click here to listen to it. It could be something like there's an invoice that I need you to pay that you're overdue on. You were being subpoenaed or asked to be deposed in some sort of litigation. Those are some themes that aren't new. They have been reused for the past few years. The malware or the thing that actually infects someone gets swapped out. But those stories seem to be used over and over again.

And is it, I mean, despite the training that we try to give people, they still seem to fall for these things.

They do. And we have a lot of data about that and why. We've also studied the different emotional triggers inside of email. And we have some great telemetry on what seems to work and what doesn't. For instance, phishing emails that try to give you a sense of reward, maybe you've won a trip or you've won a free iPad, things like that, they are not as successful for the attackers. Another category that's not very successful for the attackers, which might surprise some cybersecurity professionals, are phishing emails about your virus scanner is out of date, click here to update it, or your computer is missing critical patches, click here to update it. Those are not very effective for attackers. Another thing that we've observed in the wild is that attackers are trying to make sure that their phishing emails are hitting the employee's inbox sometime during the workday, preferably during the morning.

That's interesting. So it's a matter of that's when they're going to get the most attention?

There are a couple different reasons why. Many of the payloads are tailored to infect a Windows computer, your common enterprise desktop build. And so those attackers, they do have to worry about that, because they don't necessarily want an employee opening it at night on an iPad or in the morning on their way to work from an Android phone when they've gone to the work to tailor a Windows exploit. The other thing that they're taking advantage of is, in your morning, it's just part of normal human behavior to do a quick read-through of your inbox to figure out what is spam, who do I need to reply to, to organize your day. And so when we get into that mode of operation, we're more likely to make mistakes.

I see. We're just sort of breezing through our emails, deciding what needs our attention and what doesn't. So maybe not giving any particular email that much specific attention.

That's right. Yeah.

So what are your recommendations? What are the best ways for people to protect themselves? Are there technical solutions, or is it a matter of training?

It's really a combination of the two. The technology can only do so much, and we're always improving it. But all the technology is on a traditional product release lifecycle. So it's got to be tested before it can be put into these products. So there's always this gap, this last mile, that we have to rely on training. And one of the things that we've observed over the years is, if you think of training in a very traditional way, which is this is how to dissect a URL, this is how to read it from right to left, we haven't seen that to be very effective. What we recommend is trying to get people to recognize the patterns and emotional triggers that an attacker is going to use in order to get you at that moment of susceptibility, when you are overworked in the morning, when you are going through those emails. So if we can get you to recognize these triggers like fear, reward, curiosity, urgency, then we can get you better equipped to deal with that when you get a real phishing email.

That's Aaron Higbee from PhishMe.
A number of patches that didn't make it out last week have now been issued. Oracle's quarterly patch addresses 250 bugs, and PeopleSoft closed a remote code execution vulnerability. This patch was one of those included in Oracle's update.

BlackBerry has updated its Workspaces server to close two vulnerabilities. One of those, CVE-2017-9368, fixes a file server API that could respond to a specially crafted GET request by allowing an attacker to view file server source code. The other BlackBerry issue, CVE-2017-9367, is rated critical. It's a directory traversal that permits a web shell to be uploaded to the server's web root, where it could be used for code execution.

Lenovo's four patches, Threatpost says they were quietly rolled out, address Android flaws in the company's mobile devices, both phones and tablets, that could permit remote code execution.
Cyber criminals usually follow a Willie Sutton-esque path of least resistance to where the money is. That path right now seems to lead to cryptocurrency mining. Recorded Future sees this as a trend. Researchers at their Insikt Group see a turn to miners as a current criminal trend. One commodity mining crimeware kit, 1ms0rry Miner Panel (that's "I'm sorry," obfuscated with the customary substitution of numeral 1 for letter I and numeral 0 for letter O), can be bought for between $35 and $850, depending on the model. Some of the criminals installing the miners seem garrulous and careless, especially if they're using roll-your-own code. Thus, they seem likely candidates for a sabbatical at some correctional institution.

Bleeping Computer describes one such, a Russian-speaking hood whose nom de hack is Opcoder, spelled 0PC0D3R, the better to fool nosy people wondering who he might be. Opcoder is installing Monero miners via Grand Theft Auto and other gaming mods, and he can't seem to shut up about what he's up to. This seems curiously, if characteristically, self-defeating. But then the idea of the criminal genius is something of a myth. Lex Luthor is confined to the comic books. The reality is usually closer to Pacino's character in Donnie Brasco, sawing the tops off parking meters to get the change out.

Our editorial desk once knew a fugitive from U.S. justice who was caught because he took an animal act onto The Tonight Show. It still took the FBI a few weeks before they were able to present him with an invitation to the Allentown, Pennsylvania, federal joint. And then there's that other Russian cybercrime lord on the lam in the Black Sea region. The Bureau fingered him because said crime lord couldn't stop himself from complaining that he didn't get the rewards his hotel chain platinum rewards card entitled him to. That's Mr. Evgeniy Bogachev, aka Slavik, recognized for his shaved head and pet ocelot. Better he should have invested in WhopperCoin, where at least you cash out in flame-broiled goodness and not some tiny little mint on your pillow.

So keep it up, Opcoder, and continue counting coups so the other hackers will appreciate your mad skills. For sure, that substitution of numerals for letters will make you untrackable. If you're looking for a password, try P@SSW0RD. The at sign and the zero really sell it. And that's what we hear, anyway.
And joining me once again is Professor Awais Rashid. He heads up the Academic Centre of Excellence in Cyber Security Research at Lancaster University. Professor, welcome back. You know, you all do a lot of research there at Lancaster University, and you wanted to address some of the challenges that folks face when doing research when it comes to critical infrastructure.

Indeed. We run a number of projects on security of industrial control system environments, which are widely used in critical infrastructure. And this is really just our experience of some of the complexity of doing research in this kind of setting. And I think one of the big challenges comes from the fact that these environments are, as you note, critical infrastructure. So there is an innate tendency of those involved in these kinds of organizations to not release information, which is very, very good. And even if, as researchers, we have all the agreements in place, actually understanding what goes on in detail in terms of security can often be very, very challenging.

Is it also a matter that, you know, with these systems, because they need to be running in real time, it can be challenging to do tests that perhaps you would prefer to do in an offline situation?

Yes. So you have absolutely hit the nail on the head. So I think there are two issues. One is, how do you actually understand the security practices in these kinds of organizations when, due to all sorts of concerns about security and safety, you can't actually go and observe people engaging in their day-to-day work and how they do security? And secondly, of course, you can't go and run a penetration test on a nuclear power station, because it can have very serious consequences if you end up disrupting anything. And the way we solve both challenges is in really interesting ways. In the case of the latter, which is a penetration test, we actually run a testbed in our lab, and there are others around the world who run these testbeds, which pretty much replicate on a smaller scale what goes on in these environments in a real setting. And that way you are actually still working with realistic settings without safety consequences that might arise from actually working on an operational system. The insights that come from such testbeds can then be transferred in terms of knowledge and understanding to improve the security of the real infrastructure.

And how do we deal with understanding how people do security? Certainly in our work, we, for instance, designed a game. It's a Lego board, and people play the game, which represents a critical infrastructure setting. And then by observing and hearing their discussion in the context of that scenario, we can understand what are the issues that they face on a regular basis with regards to security, how do they overcome them, where the gaps are, and so on. So I think one has to be very creative in terms of creating alternate situations where you can get good and valuable insights in terms of research that can then be translated onto the real infrastructure in terms of its protection.

Professor Awais Rashid, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.