CyberWire Daily - DPRK tried to hit RoK-US military exercises. Australian domain administrator auDA may have been breached. WoofLocker's tech support scam. US warns of cyber threats to space systems.
Episode Date: August 21, 2023

The DPRK's Kimsuky attempts to hit joint military exercises. Australian domain administrator auDA (OW-duh) may have been breached. WoofLocker's version of a tech support scam. The US Intelligence Community warns of cyber threats to space systems. Rick Howard looks at forecasting cyber risk. Deepen Desai from Zscaler shares ransomware trends. And more wartime disinformation out of Russia.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/159

Selected reading.
Suspected N. Korean Hackers Target S. Korea-US Drills (SecurityWeek)
N. Korean Kimsuky APT targets S. Korea-US military exercises (Security Affairs)
North Korean hackers target US-South Korea military drills, police say (The Economic Times)
Cyber incident update (auDA)
Australia's .au domain administrator denies data breach after ransomware posting (Record)
Hackers claim to have breached auDA (iTnews)
Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams (Malwarebytes)
WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams (The Hacker News)
US warns space companies about foreign spying (Reuters)
Intelligence Agencies Warn Foreign Spies Are Targeting U.S. Space Companies (New York Times)
US Warns Space Industry of Growing Risks of Spying and Satellite Attacks (Bloomberg)
Foreign countries targeting tech from US space companies, intel agencies warn (The Hill)
Pentagon urges US space companies to stay vigilant against foreign intelligence (TechCrunch)
Safeguarding the US Space Industry: Keeping Your Intellectual Property in Orbit (DNI)
What To Do About The U.S. Intelligence Community Warning on Safeguarding The Space Industry (OODA Loop)
Countering disinformation with facts - Russian invasion of Ukraine (Government of Canada)
Sergey Lavrov: Throwing Russia off balance is ultimate aim (TASS)
Moscow says US unwillingness to end Ukraine conflict (Mehr News Agency)
Russian invaders sending threats to Kherson region's residents via social media - watchdog (Ukrinform)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The DPRK's Kimsuky attempts to hit joint military exercises.
Australian domain administrator AUDA may have been breached.
WoofLocker's version of a tech support scam.
The U.S. intelligence community warns of cyber threats to space systems.
Rick Howard looks at forecasting cyber risk.
Deepen Desai from Zscaler shares ransomware trends.
And more wartime disinformation out of Russia.
I'm Dave Bittner with your
CyberWire Intel briefing for Monday,
August 21st, 2023.
South Korea's Gyeonggi-Nambu Provincial Police Agency said yesterday that the North Korean threat actor Kimsuky targeted South Korean contractors working for a joint military exercise between
the U.S. and South Korea, SecurityWeek reports. The agency found that an IP address used in the
attack was also used in an alleged Kimsuky hack against a South Korean nuclear reactor operator in 2014. The threat
actor used spear phishing attacks in an attempt to steal information. The police agency stated that
military-related information was not stolen. The No Escape ransomware gang claims to have
breached Australia's .au domain administrator, auDA, the Record reports.
The gang says it's stolen 15 gigabytes of data, including personal information.
On Sunday, AUDA announced that the cybercriminal had presented proof of possessing a limited set of data.
This data compromises screenshots displaying a list of files.
The investigation is still in progress,
aiming to authenticate the assertions made by the cybercriminal
and confirm the origin of the data.
Updates will be given as more information becomes accessible.
Meanwhile, it's advised for everyone to stay cautious
of possible malicious online actions like phishing endeavors and fraudulent schemes
where individuals or groups
may ask for or exploit your personal information. The non-profit said that it's notified the
Australian Cyber Security Centre, the Department of Home Affairs, and the Office of the Australian
Information Commissioner of the potential breach. Malwarebytes has published an update on WoofLocker.
This is a complex traffic redirection scheme used for tech support scams,
and Malwarebytes has been tracking it for some time.
The company says that attribution in this case is murky.
The researchers wrote,
While we still do not know a lot about who is behind this scheme, we believe it may be the work of different threat actors that specialize in their area of expertise. WoofLocker may very well be a
professional toolkit built specifically for advanced web traffic filtering and used exclusively by one
customer. Victims that fall for the scam and call the phone number are then redirected to call centers, presumably in South Asian
countries. WoofLocker is distributed via compromised websites, most of which are of
an adult nature. The researchers note that WoofLocker's infrastructure is now more robust than
before to defeat potential takedown attempts. The FBI, the National Counterintelligence and
Security Center, and the Air Force Office of Special Investigations
have issued a bulletin outlining cyber espionage threats targeting the space industry, Reuters reports.
The bulletin states,
Foreign intelligence entities recognize the importance of the commercial space industry to the U.S. economy and national security,
including the growing dependence of
critical infrastructure on space-based assets. They see U.S. space-related innovation and assets
as potential threats as well as valuable opportunities to acquire vital technologies
and expertise. Foreign intelligence entities use cyberattacks, strategic investment including
joint ventures and acquisitions,
the targeting of key supply chain nodes, and other techniques to gain access to the U.S. space
industry. The warning is heavy on the threat to intellectual property, but it also warns against
direct threats to space systems themselves. The New York Times points out that China and Russia
represent the serious adversaries in this field,
and that the U.S. intelligence community thinks it likely that any future war will open with a cyberattack against satellite systems.
Russia's invasion of Ukraine provides the template.
The warning about space systems arrived without a lot of explicit discussion of Russia's successful, albeit short-lived, cyber attack against Viasat modems in the opening hours of its invasion.
That disruption, which Ukraine was able to overcome in a matter of about a week, still represents one of the few tactically significant cyber actions of Russia's war against Ukraine. It hasn't really been repeated, with most cyber action declining
into hacktivist demonstrations
and conventional cyber espionage.
So, the cyber front in Russia's war
has been quiet of late,
with few cyber attacks or significant instances
of cyber espionage reported over the past several days.
But disinformation continues.
Recent themes in Russian influence operations have sought to
portray Poland as avid to recover territories the Soviet Union annexed to the Ukrainian Republic
at the end of the Second World War. The overarching theme of Russian influence operations,
represented in a very long interview TASS conducted with Russian Foreign Minister Lavrov,
is that Russia is the victim of aggression,
with Ukraine's government serving as a cat's paw for the United States,
which seeks Russia's reduction to a permanent state as an impoverished minor power.
The theme is repeated by Iran's semi-official Mehr News Agency.
There's also some retail disinformation
in progress. Ukrinform reports that Russian bot operators are sending residents of Kherson
threatening texts over social media, warning them of physical harm. The recipients are told they'll
be spared if they report on the Nazis to the Russians, that is, if they reveal information about Ukrainian forces.
What effect, if any, the threats will have remains unclear. Time will tell.
Coming up after the break, Rick Howard looks at forecasting cyber risk.
Deepen Desai from Zscaler shares ransomware trends.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for
cyber criminals to bypass your company's defenses is by targeting your executives and their families
at home? Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with
Black Cloak. Learn more at blackcloak.io. And it's always my pleasure to welcome back to the show,
Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, welcome back.
Hey, Dave.
So on this week's CSO Perspectives podcast, you are providing an update on the current state of risk forecasting.
What do you have in store for us?
Well, Dave, you know, fans of the show know that I've been going on and on over the last three years about finding a practical way to forecast risk for the business.
And I want to emphasize the word practical here because, you know, I've read all the best books on the subject.
You know, there's Super Forecasting, The Art and Science of Prediction by Tetlock and Gardner, which I highly recommend.
There's How to Measure Anything in Cybersecurity Risk by Hubbard and Seiersen.
And Measuring and Managing Information Risk, a Fair Approach, one of the originals.
It's probably the original book back in the day by Freund and Jones, all Cybersecurity Canon Hall of Fame inductees, by the way.
And I've interviewed most of the authors, either for the Canon project or for the Cyber Wire, and some of them are friends of mine. Cyrus and I even presented together on the subject at the RSA conference a few years back, and Jack Freund reviewed the chapter on risk in
my book, Cybersecurity First Principles. So up to now, I felt like we were all just a bunch of
rebels shouting into the wind and not getting much traction, like we were a bunch of crazies. You
know those people, Dave. But I think that's beginning to change.
How come? I mean, has there been some event you can point to, any kind of
turning point that represents this change in mindset?
Well, admittedly, my indicator is maybe anecdotal, but I'm starting to see security vendors
incorporate some of these ideas into their products to make it easier for people like
us to incorporate them into their InfoSec programs.
So for this show, I talked to two security vendor founders and discussed why these things, these changes are happening now and what's driving the change.
All right. We'll look forward to that.
It's CSO Perspectives.
It is part of CyberWire Pro.
You can find out all about that on our website, thecyberwire.com.
Rick Howard, thanks for joining us.
Thank you, sir.
And it is my pleasure to welcome back to the show Deepen Desai.
He is the Global CISO and Head of Security Research and Operations at Zscaler.
Deepen, always great to have you back on the show.
I want to touch today on the ransomware report that you and your colleagues have recently published.
This is your 2023 ransomware report.
Bring us up to date here. What did you all find?
Hey, thank you, Dave. So yeah, ransomware report, this is our annual Threat Labs report that we
published based on the findings from the year 2022. And it does cover some of the trends that
we're seeing in 2023 as well. What the team does behind the scene is look at ransomware attacks that were observed across the globe.
This is where we take into account the telemetry that Zscaler, Zero Trust Exchange, our product provides,
as well as the tracking effort that the team does globally where we're tracking various threat actor groups and their infrastructure.
So some of the key findings from the report.
Number one, ransomware impact actually was fairly high in terms of region on United States. In fact, the number that we saw was nearly half of the ransomware campaigns over the last 12 months
were targeting U.S. organizations in the United States.
In terms of industry vertical, we saw arts, entertainment, recreation industries experiencing
the biggest surge year over year.
When you compare it to 2021, in 2023, these industries saw almost a 400% increase in the number of attacks.
Manufacturing sector remained the most targeted industry vertical.
This is consistent with the annual report that we published a year before.
It's actually accounting for almost 15% of the total ransomware attacks that we track.
And it's followed by services sector,
which experienced almost 12% of the total ransomware attacks last year.
And then the final insight that I'll call out is,
in terms of there are more and more ransomware families that keep coming up.
There were 25 new families that the team discovered.
And these were all ransomware families that were using double extortion
or a new phenomena that we will discuss more
that we are calling encryption-less extortion attacks this year.
Well, let's dig into that.
I mean, when we say encryption-less,
I mean, it sounds self-evident,
but can you describe that for us?
Yeah, so what we're seeing,
and I have my reasons to believe
why these threat operators are going that route,
but what we're starting to see
is more and more of these prolific ransomware gangs, and I can name a few like Dark Angels.
More recently, we've seen Clop ransomware gang as well.
What they're starting to do is they will not encrypt the files.
They will not cause business disruption to these victim organizations.
And the goal over there is they're potentially trying to stay under the radar,
both from their perspective as well as the organization that is being targeted.
Instead, they will exfiltrate large volumes of data,
like lots and lots of data,
and that's where they are holding the organization hostage.
The data is held hostage.
If ransom is not paid, yes, they will make it public and they will make it known to everyone
that this organization fell for a ransomware attack.
But if the ransom is paid out,
in many of the cases, the information does not become public.
Is the notion here that perhaps they're trying to avoid
the organizations getting in touch with law enforcement?
I would say it's multiple things, yes.
Number one is they are trying to stay under the radar from law enforcement crackdowns.
So the less they are in the news, the better it is for them.
Number two is, yes, it's also a signal to the organization to not involve law enforcement in some of these attacks where the whole negotiation piece and the ransom payment
piece happens under the radar. Having said that, one of the discussions I was having with a large
CISO was, you need to disclose these
attacks. That's the right thing to do. You have to. And you need to do that if you were to claim
your insurance, your cyber insurance for these type of attacks. So there are pros and cons.
I mean, every organization has their approach in how they would do it. I would absolutely be in the favor of doing the proper disclosure,
going the right route.
Law enforcement and other stuff may or may not happen in each of these attacks.
Yeah.
What are we seeing in terms of the trends?
Is there any sense that organizations are doing a better job of defending themselves?
Or where do we stand?
Yeah, so there is definitely progress in terms of where the organization's
security posture is when it comes to, say, five years ago.
Especially after the pandemic,
we have seen fast tracking of the digital transformation.
I'm going to use the term zero trust,
but I know that term has been heavily used and abused.
The term zero trust is where you're actually
implementing fundamental zero trust principles
like always verify or assume breach, and never trust.
So this is where you're not bringing the users
on the same network as applications,
proper segmentation, identity-based verification.
What I'm trying to make is, yes, organizations,
almost all organizations have embarked on the path
to that zero-trust transformation journey,
but the maturity level is different across the board.
There's also certain areas that are further along.
When I say certain areas, certain industry verticals
are further along than the others
because of regulations and other stuff.
These attackers are very, very opportunistic.
Wherever they see an opportunity,
whether it's a vulnerable host,
whether it's a pre-existing infection inside the environment,
any organization where they're still having
a relatively flat network, leveraging things like VPN,
it's a juicy attack surface for these guys.
So it makes their life easier to move laterally in those environments,
steal large volume of data without being noticed,
and then demand these ransoms.
All right.
Well, it's the 2023 ransomware report from Zscaler.
Deepen Desai is the global CISO there.
Deepen, thank you so much for joining us.
Cyber threats are evolving
every second, and staying ahead
is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I join Jason and Brian on their show for a lively discussion of the latest news every week.
And find Grumpy Old Geeks, where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin
and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff. Our executive editor is Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.