CyberWire Daily - DPRK's Lazarus Group exploits ManageEngine issues. SIM swapping as a threat to organizations. Ransomware hits a cloud provider. Spawn of LockBit. Train whistling. Influence laundering.
Episode Date: August 28, 2023
The DPRK's Lazarus Group exploits ManageEngine issues. A data breach at Kroll is traced to SIM swapping. Unusually destructive ransomware hits CloudNordic. Spawn of LockBit. Polish trains are disrupted by hacktivists. Rick Howard looks at the MITRE ATT&CK framework. Our guests are Andrew Hammond and Erin Dietrick from the International Spy Museum. And influence laundering as a long-term disinformation tactic. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/163
Selected reading.
North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw (SecurityWeek)
Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure (Help Net Security)
Cyber scams keep North Korean missiles flying (Radio Free Asia)
Claimant Data Breached in Genesis, FTX and BlockFi Bankruptcy Cases (Wall Street Journal)
Kroll data breach exposes info of FTX, BlockFi, Genesis creditors (BleepingComputer)
Crypto investor data exposed by a SIM swapping attack against a Kroll employee (Security Affairs)
Kroll Employee SIM-Swapped for Crypto Investor Data (KrebsOnSecurity)
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (The Hacker News)
FTX bankruptcy handler Kroll discloses data breach (The Stack)
CloudNordic Faces Severe Data Loss After Ransomware Attack (Hackread)
CloudNordic loses most customer data after ransomware attack (TechTarget Security)
Lockbit leak, research opportunities on tools leaked from TAs (SecureList)
LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants (The Hacker News)
Poland investigates cyber-attack on rail network (BBC News)
Poland investigates hacking attack on state railway network (Reuters)
Hackers bring down Poland's train network in massive cyber attack (Ticker News)
The Cheap Radio Hack That Disrupted Poland's Railway System (WIRED)
Russia Pushes Long-Term Influence Operations Aimed at the U.S. and Europe (New York Times)
Newly declassified US intel claims Russia is laundering propaganda through unwitting Westerners (CNN Politics)
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
The DPRK's Lazarus Group exploits ManageEngine issues.
A data breach at Kroll is traced to SIM swapping.
Unusually destructive ransomware hits CloudNordic.
The spawn of LockBit.
Polish trains are disrupted by hacktivists.
Rick Howard looks at the MITRE ATT&CK framework.
Our guests are Andrew Hammond and Erin Dietrick from the International Spy Museum.
And influence laundering as a long-term disinformation tactic.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, August 28th, 2023.
Researchers at Cisco Talos are closely following DPRK activity and say North capabilities as Lazarus Group's better-known MagicRAT malware, but its file size is significantly smaller. The researchers add, this substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework.
So, a little smaller, a little more unobtrusive,
but still out there actively collecting.
SIM swapping is a problem for consumer fraud,
but it also afflicts enterprises.
Security consultancy Kroll,
while serving as a claims
agent in three bankruptcies, has disclosed a data breach affecting information related to
bankruptcy claims by several cryptocurrency trading firms, including FTX. An attacker
gained access to the data after performing a SIM swapping attack via T-Mobile against a Kroll employee. Kroll said in a
statement, specifically, T-Mobile, without any authority from or contact with Kroll or its
employee, transferred that employee's phone number to the threat actor's phone at their request.
As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claims in the matters of
BlockFi, FTX, and Genesis. Immediate actions were taken to secure the three affected accounts.
Affected individuals have been notified by email. We are cooperating with the FBI and a full
investigation is underway. We have no evidence to suggest other Kroll systems or accounts were impacted.
Krebs on Security warns that as a result of the breach, people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM swapping and phishing attacks themselves. So breaches breed opportunities for social engineering.
HackRead reports that Danish cloud provider CloudNordic was hit by a ransomware attack on August 18th that caused a complete shutdown of the company's servers and infrastructure
and led to complete data loss for most of its customers.
TechTarget quotes the company as saying,
As we cannot and do not want to meet the financial demands of the criminal hackers for ransom,
CloudNordic's IT team and external experts have been working hard to get an overview of the damage and what was possible to recreate.
Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time. CloudNordic notes that while the attackers attempted to steal customer data, there is no evidence that they were successful in doing so, but the loss of data has been extensive.
Kaspersky has published an updated analysis of the LockBit ransomware builder that leaked in September 2022. The leaked builder allowed many different threat actors to create their own flavors of ransomware based on LockBit. Various gangs have used their versions of the builder to develop, or at least propose, new ransomware strains.
Over Friday night and into Saturday morning, a cyber attack halted trains near the Polish city of Szczecin. An emergency radio signal was compromised and used to stop
about 20 trains. Service was restored within a matter of hours. Both freight and passenger trains
were affected. The BBC reports that Poland's internal security service, ABW, is investigating the incident.
There's widespread speculation that the incident was the work of Russian hacktivist auxiliaries.
Evidence for that attribution is circumstantial but compelling.
Polish officials note that the signals were interspersed with recordings of Russia's national anthem and a speech by President Vladimir Putin.
Reuters reports that a senior Polish security official said,
For the moment, we are ruling nothing out.
We know that for some months there have been attempts to destabilize the Polish state.
Such attempts have been undertaken by the Russian Federation in conjunction with Belarus.
According to Wired, the emergency stop signal was transmitted over a legacy radio frequency system
that lacks either authentication or encryption.
Anyone with the right equipment can trigger an emergency stop
by sending a series of three acoustic tones at the right frequency.
The biggest difficulty such a
hacker might face is getting physically close enough for their signal to be in range. Some
have poo-pooed the notion that this is a cyber attack, but it might be useful to think of it as
a very old-school kind of cyber attack. In fact, it's a throwback hack of a throwback system.
Among the original hackers, before people thought of hacking or talked about cybersecurity, were the phone phreaks.
Starting in the late 1960s, they discovered that sending the right tone into a telephone let them make free long-distance phone calls, which back then were pricey.
You needed a 2600 hertz tone to engage the old Bell System's long-distance service,
and you could use cheap musical toys to do that. A whistle offered as a prize in boxes of Cap'n
Crunch cereal did it, if you covered up the right hole before blowing. Some people can even sing
that high. Or so I've been told. Finally, you've heard of money laundering, taking cash and disguising where it came from.
The same kind of thing can be done with disinformation. Call it influence laundering.
The New York Times describes the organization of a Russian influence campaign that concentrates on
the use of front groups to cultivate Western influencers who can be counted on to disseminate
and amplify the Russian
government's chosen narratives. The Russian services are playing a long game. According to
The Times, the newly declassified U.S. analysis looks at how Russian intelligence services,
in particular the Federal Security Service, or FSB, have been secretly using allies inside
nominally independent organizations to spread
propaganda and cultivate ties with rising leaders, efforts that are intended to play out over long
periods of time. It's in some respects a familiar exercise in public diplomacy, but it differs from
most of these in its use of front organizations and the cultivation of co-optees and what used to be
called during the Cold War, useful idiots. A representative front organization is a
non-governmental organization, Creative Diplomacy. The organization bills itself as a public
diplomacy program for aspiring leaders to facilitate dialogue with Russia. Creative
Diplomacy denies any association with the
Russian government. The U.S. government thinks otherwise. CNN notes that the narratives prominently
feature the official Russian line on the war against Ukraine. The Ukrainians are Nazis, NATO is behind the war, Russia is defending its interests and protecting oppressed ethnic Russians, and so on.
But they also extend to other areas of Russian interest, notably the ongoing civil conflict in Syria. One of the lines pushed about Syria accuses the White Helmets, a volunteer humanitarian relief
organization operating in opposition-controlled Syrian territory, of trafficking in human organs,
and of faking chemical attacks by the Assad regime's armed forces.
All of this is hooey, of course,
but it's less obviously hooey if it's washed through someone
who's not an employee of the FSB, or RT for that matter.
It's an old tactic and goes back long before cyberspace
was so much as a gleam in DARPA's eye.
Coming up after the break,
Rick Howard looks at the MITRE ATT&CK framework.
Our guests are Andrew Hammond
and Erin Dietrick
from the International Spy Museum.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Washington, D.C. is known for its world-class museums, and one of my favorites is the
International Spy Museum. Andrew Hammond is a historian and curator at the Spy Museum
and host of their podcast, Spycast,
which is part of the N2K and CyberWire family of shows.
Andrew Hammond joins me along with his producer, Erin Dietrick.
They're celebrating 600 episodes of Spycast.
So the show got its start back in 2006,
and I think the first host was our former executive director,
late executive director, Peter Earnest,
who was a former CIA case officer and a bit of a CIA legend.
He was Robert Gates's spokesman at one point.
So he ran the podcast for a while,
and he obviously came at it
from more of an operations point of view
and then it seemed to transfer
over to the historians.
So then we had Mark Stout,
one of my predecessors,
a really good guy,
former CIA officer,
analyst and historian.
He'd done it for a bit
and then Vince Houghton did it for quite a
while, maybe six years or so. And then like you say, I took over three years ago, three years ago
at the end of this month, I think actually. So yeah, we're still going strong. And I think that
touches on an important point. Obviously me and Erin hope to be here for quite some time,
but as the museum's podcast, it's not our podcast.
So we're just trying to do what we can to lift it up and make it better
and then hand it over to somebody at some point in the future to take forward again.
Erin, I have to say you all sent over some statistics here
and this podcast has been running for 17 years. In my mind, that's about as long as it's possible for a podcast to have been running. You all were early adopters here. Did you start producing the podcast when you were just a child?
It's just, what would I have been in 2006?
Seven years old.
There you go.
I started producing SpyCast.
No.
Yeah, it's actually, I mean, you know, when I came on the team, I did a bit of research on sort of the landscape of podcasts
in the United States and beyond.
And really, 2006 is like prehistoric era in terms of podcasting.
So it's really quite a pleasure to be working on something
that's been going on for 17 years. Certainly, Andrew and I can't take credit for all of that
on our own. There have been three previous hosts and plenty of other folks who have contributed to
the success of the podcast as well. Yeah. Well, let's talk about what you have coming up here.
I mean, with episode 600, you're kicking off a couple of months of some special guests here. You've got five weeks of spy chiefs. At the end of this month, episode 600 is going to be former CIA director and four-star general David Petraeus.
So that's how we kick off five weeks on Spy Chiefs.
And then we have, for the first time ever, a former Kenyan intelligence chief.
He's going to be speaking about Kenyan intelligence.
We have Ireland's Garda, their intelligence guy, top intelligence guy.
He's going to be speaking. I think that's a first as well. We're going to
have a former senior Indian intelligence officer on
so India's Research and Analysis Wing, their CIA. He's going
to come on and then we finish off with Tish Long who
was actually the first female
intelligence agency director in American history. Of course, there's been many more since then, but
she was the first. So those are those five weeks, and then in October we have five weeks looking at
Israeli intelligence, so we do a deep dive into one country. So the spy chiefs is global,
then we focus in and we look at Israel, look at the history of Israeli intelligence.
We have a former Israeli national security advisor on, former Mossad officer. We have
someone talking about the Yom Kippur War, which is 50 years ago, this coming October.
We have someone coming on to talk about Israel's top secret ultra elite special forces,
Sayeret Matkal.
And then finishing off, we have a former head of intelligence for the Mossad.
So Erin and I have been working on this for quite some time
and we're quite pleased and proud, I think, to be doing this.
Would you agree?
I agree 100%. Very proud.
Yeah. Andrew, you are a historian yourself and I'm curious, having all of these conversations
with these top people from all over the world, how has that informed your approach to the work
that you do there at the Spy Museum? Yeah, it's a great question.
I mean, I think one of the amazing things about the podcast
is that every week,
Erin and I get to have a one-to-one tutorial
with somebody that really knows
what the heck they're talking about.
So it's a great way for us to broaden and deepen our education.
And that affects everything else that we do, whether that be putting on exhibitions, whether that be doing other work with the youth
education team. So all of these conversations inform everything that we do here. If you want
to think about it, it's a way for us to constantly stay on top of ongoing professional education. We constantly have our ideas oxygenated by the
outside world, by people that were historians or that were in the intelligence business and so
forth. So it informs it in all kinds of ways. And I really, I can't think of a better way to just
stay on top of the field than to host a podcast and get people in to talk about it.
How about you, Erin? A lot of your work is behind the scenes,
but what sort of things have you taken away here?
Yeah, well, it's funny. I've been at the Spy Museum now for about two years. When I started
here, I was in the guest services department, which I stood in the museum pretty much all day.
And when I started, I couldn't tell you the first thing about spying or intelligence. And in fact, this is a point of contention between me and many people
who work here, but I had never seen a James Bond movie before starting here at the Spy Museum.
Oh, it's a shame for shame.
I know. The first one that I watched was the newest one, No Time to Die, which is just
another point of contention. But so I started, I really didn't know anything.
And now it's been almost a year
of me working with Andrew on the podcast.
And boy, I just feel like I have gotten a masterclass
in intelligence and espionage.
There's no better way to learn about it.
Like Andrew said, than to sit down
and listen to all of these professional folks
who are from so many different areas of the
intelligence community, talk about their experience, talk about what happened in the past,
talk about what's going to happen in the future. I feel like I'm somewhat of an expert now.
Certainly couldn't call myself an intelligence historian by any means, but maybe a couple steps
below that, a couple steps above the average person on the street
who's seen a couple James Bond movies.
So yeah, it's been great.
It's been really great.
Sometimes I honestly feel like I'm a scuba diver
in the most fascinating and also bewildering coral reef in the world.
And I just get to go around and explore it.
And sometimes it's where all the pretty fish live
and then other times it's where the really ugly, scary eels live. But it's always colorful and it's
always interesting. All right. Well, Andrew Hammond and Erin Dietrick are the duo behind
the SpyCast from the International Spy Museum, which of course is hosted right here on our
CyberWire network. Andrew and Erin, thank you so much for joining us. Thank you for having us. Thanks, Dave.
Our thanks to Andrew Hammond and Erin Dietrick from the International Spy Museum for joining us.
You can check out Spycast right back to the show Rick Howard.
He is the CyberWire's Chief Security Officer and also our Chief Analyst.
Rick, welcome back.
Hey, Dave.
You know, it's hard to believe,
but you have just published the last episode
of CSO Perspectives, your podcast for this season,
Lucky 13.
Lucky 13.
What do you got in store for us, my friend?
Well, yes, indeed, sir.
Okay, this season, we've talked about
Moneyball for Workforce Development,
First Principle Strategies with the AWS CISO, C.J. Moses, and the current state of Zero Trust, Quantum Computing, and DDoS Protection.
And it's appropriate that this season's last episode is a Rick the Toolman episode because we've been doing a lot of these kinds of episodes in 2023, basically explaining the tools that best help security leaders pursue their chosen
first principle strategies.
For this last episode of the season, we're taking a look at a couple of tools and one
best practice guide designed to make the MITRE ATT&CK framework more useful to the average
Security Operations Center.
You know, I know you are a big fan of the MITRE ATT&CK framework.
In fact, I want to say the very first conversation you and I ever had at RSA, you were back at Palo Alto.
I know where this is going.
You were at Palo Alto, and it was the first time we met.
And you told me all about the MITRE ATT&CK framework in that interview.
That's my recollection.
What prompted this discussion here, Rick?
Why turn back and emphasize this one again?
Well, in January this year, CISA, the Cybersecurity and Infrastructure Security Agency, working with MITRE, released an update to their original paper called Best Practices for MITRE ATT&CK Mapping.
And they released a new tool called the Decider, which I just love, by the way, the Decider.
It's a decider.
Sounds like something from either a Despicable Me movie or something that Dr. Doofenshmirtz would make.
I'm the decider.
The decider, yeah.
So the tool is supposed to help analysts map
incoming cyber intelligence reports to MITRE ATT&CK.
So what does that exactly mean when we say that we're mapping to the MITRE ATT&CK? What is that?
Yeah, so you may have noticed that you report the news every day that as a community,
we have no shortage of cyber threat intelligence reports to read through on any particular day,
from security vendors seeking to make a name for themselves,
from government agencies like the FBI and CISA trying to share actionable intelligence to the InfoSec community, and, you know, from our own internal intelligence teams trying to make sense
of their own collected telemetry. When SOC analysts transform that raw intelligence into something
useful, something where they can later design and deploy countermeasures designed to defeat known adversary behavior, the first step of that process is mapping
that raw intelligence to the intrusion kill chain using the MITRE ATT&CK framework as
a guide.
So for this episode, we walk through the CISA best practices white paper and talk about
how to use the MITRE tool, the Decider, in that kind of work.
All right.
Well, we'll look forward to that.
That is part of CSO Perspectives. That is part of CyberWire Pro, which you can find on our website,
thecyberwire.com. Rick Howard, thanks for joining us. Thank you.
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I join Jason and Brian on their show for a lively discussion of the latest news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead
in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.