CyberWire Daily - DPRK’s RGB shows improved targeting and tool-sharing. Cl0p updates. Two new RATs. Weak radio encryption standard. Razzlekhan will cop a plea.
Episode Date: July 24, 2023
North Korea's increasingly supple cyber offensives. A look at Cl0p. The NetSupport RAT's fake update vectors. HotRat is a Trojan that accompanies illegally pirated software and games. Crackable radio encryption standard: a bug or a feature? Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. And an alleged money-laundering crypto-rapper is back in the news. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/139
Selected reading.
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack | Mandiant (Mandiant)
Ransomware Roundup - Cl0p (Fortinet Blog)
FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT (Malwarebytes)
Researchers Find 'Backdoor' in Encrypted Police and Military Radios (Vice)
Unmasking HotRat: The hidden dangers in your software downloads (Avast)
Crypto rapper 'Razzlekhan,' husband reach plea deal over Bitfinex hack laundering (Reuters)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
North Korea's increasingly supple cyber offensives.
A look at Cl0p.
The NetSupport RAT's fake update vectors.
HotRat is a Trojan that accompanies illegally pirated software and games.
Crackable radio encryption standards.
Chris Novak from Verizon discusses ransomware through the lens of the DBIR.
Carole Theriault describes a ransomware attack that hit close to home.
And an alleged money laundering crypto rapper is back in the news.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, July 24th, 2023.
Mandiant this morning released research into current activity by Pyongyang's UNC4899, which it describes as a Democratic People's Republic of Korea nexus actor with a history of targeting companies within the cryptocurrency vertical. Mandiant assesses with high confidence that UNC4899 is a cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau, and the researchers also believe it's the same activity tracked and reported elsewhere as TraderTraitor. Mandiant's research was conducted in the course of its investigation of a supply chain attack on one of JumpCloud's customers. North Korean operators have undergone years of refinement and coordination to the point where they represent an agile and sophisticated adversary with shared tooling and targeting. Mandiant's report concludes, "This seeming streamlining of activities by DPRK often makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now collaborative adversary to move stealthily and with greater speed."
Fortinet's FortiGuard Labs has published a report on the Cl0p ransomware gang. The Cl0p ransomware is associated with the FIN11 cybercrime group and appears to be a descendant of the CryptoMix ransomware. The gang has been conducting a widespread data theft extortion campaign, leveraging a recently disclosed MOVEit Transfer vulnerability. The gang recently shifted its monetization strategy and now focuses on stealing data for extortion rather than executing ransomware. Cl0p currently has over 400 victims listed on its data leak site, most of which are located in the U.S. and Europe. According to data collected through Fortinet's FortiRecon service, the Cl0p ransomware group preyed on several industry sectors between January and June 2023, with business services leading the way, followed by software and finance. When victim organizations are classified by country, the United States is in first place by a significant margin.
Malwarebytes is tracking a new campaign called FakeSG that uses compromised websites to trick users into installing the NetSupport RAT under the guise of a phony browser update. Malwarebytes says, "The tactics, techniques, and procedures are very similar to those of SocGholish, and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different, and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG."
Researchers at Avast have discovered a campaign that spreads a newer version of AsyncRAT, this latest iteration called HotRat. The remote-access Trojan piggybacks on downloads of illegally pirated games or illicit copies of software applications like Adobe Photoshop or Microsoft Office. Avast writes, "Once it sneaks into your computer, HotRat can swipe your personal information, snap screenshots of what you're up to, and even invite more unwanted guests." Cybersecurity Connect reports that HotRat has been in circulation since October of last year and has mostly affected users in Africa and Asia. HotRat also has ways to maintain persistence. Investin.com writes, "The malware exhibits persistence by leveraging scheduled tasks, enabling it to maintain a foothold on infected systems. It can also eliminate antivirus programs, thus endangering the system's overall security." As always, experts recommend purchasing or downloading software and applications from verified sellers or sources. HotRat is another example of why free versions of software hawked by third parties are indeed too good to be true.
At Black Hat this year, Midnight Blue researchers will
present the results of their study of the European Telecommunications Standards Institute's Terrestrial Trunked Radio standard, that's TETRA. Vice's Motherboard has an early look at the research. Midnight Blue says the standard, widely used in first responder, infrastructure operator, and some military radios, offers an encryption standard that can be broken by readily available techniques. Midnight Blue says a reduction step reduces the entropy of the initial key and enables passive decryption of traffic, to the point that it amounts to an intentional backdoor. The vulnerable TEA1 encryption is relatively old but continues to see widespread use. Midnight Blue recommends that users replace it with more recent standards or adopt additional end-to-end encryption. ETSI said that it welcomes any testing of its standards, noting that TETRA was designed to comply with export standards and that ETSI has seen no evidence of the vulnerability's exploitation in the wild. Midnight Blue thinks such exploitation, being passive, would have been very difficult to observe and could easily have passed unnoticed.
And finally, remember the crocodile of Wall Street? She's back in the news.
Reuters reported Friday on Heather "Razzlekhan" Morgan, the crypto rapper arrested in February 2022 in connection with laundering some 100,000 Bitcoin stolen in the 2016 hacking of the altcoin exchange Bitfinex. Her husband, Ilya Lichtenstein, also charged in the case but without an online persona as colorful as his inamorata's, will also be accepting a plea agreement. Both face one count of conspiracy to launder money. Ms. Morgan faces an additional charge of conspiracy to defraud the United States. Details of the plea haven't yet been announced. The hearing is scheduled for August 3rd. Bitcoin has fluctuated considerably in value. The coin the couple is alleged to have laundered was worth $71 million in 2016, but had appreciated to over $4.5 billion by February of last year. Prosecutors are seeking to have the two forfeit assets now worth roughly $3 billion. Those who can't help themselves can view and listen to Razzlekhan's characteristic rap stylings online. Word to the wise, the performance includes naughty words, not safe for work unless, you know, you work on Wall Street.
Coming up after the break, Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. Stay with us.
Ransomware continues to stay in the news, and our UK correspondent Carole Theriault files this report about a ransomware attack that hit a little close to home.
So imagine you run a company.
And like any company these days, you have at least one IT person, someone who can help you sort out the tech, make sure it works, make sure it's safe.
Now imagine that you receive an email, a blackmail email that demands that you pay a ransomware fine.
Turns out these baddies accessed an unauthorized part of your computer system.
What a pickle.
So what do you do?
You call your IT person to help you figure out what steps you should take next.
So far, nothing terribly noteworthy. Companies face ransomware
scams all the time. Sometimes it's due to lack of security. Sometimes it's due to insider threats.
Sometimes it's simply down to lack of oversight. Whatever the case, you want a crack team that's
going to guide you and help you through this mess, and you want them to be trusted. In short, they should be working in good faith. But what if they don't? A recent case in my hometown of Oxford in the
United Kingdom stinks of opportunism, greed, and maybe a little stupidity. And it's worth sharing
because it's pretty fascinating. Now, as you probably know, Oxford is home to Oxford Biomedica. This is the UK gene and
cell therapy company that was involved in the creation of AstraZeneca, one of the vaccines
fighting COVID-19. And back in 2018, they were hit with a ransomware attack demanding a glut of
Bitcoin. They call IT to advise. But what the founders of Oxford Biomedica didn't know is that their
cybersecurity IT rep, a 28-year-old IT security analyst named Ashley Liles, had other ideas.
According to the Southeast Regional Organised Crime Unit, Liles commenced a separate and
secondary attack against the company. Now remember he had access
to sensitive information in this ransomware case and he inserted himself between the board and the
attackers secretly changing the bitcoin payment address to his own. So if the bosses decided to
pay the ransom he would be the recipient, not the
attackers. Pretty bold move if you ask me. Liles also created an email address very similar to the
one of the attacker. And from this new email address, he began emailing the employers,
pretending to be the attacker and putting pressure on them to pay up.
Unfortunately for Liles, a payment was never made and the unauthorized access was noticed
during the investigation. He was eventually found out and arrested. Liles pleaded guilty
very recently and awaits sentencing. I can't imagine the judge is going to be terribly
lenient here. Crazy story has all the hallmarks for a streaming series, don't you think?
This was Carole Theriault for the CyberWire.
And it is always my pleasure to welcome back to the show Chris Novak.
He is Managing Director for Cybersecurity Consulting with Verizon Business.
Chris, welcome back.
You and I have been talking about the DBIR, and I wanted to focus in on some specifics here, particularly ransomware.
In a previous conversation, you and I had talked about how ransomware seems to have flattened out a little bit, but that doesn't mean we're out of the woods yet.
That's absolutely right, Dave. Pleasure to be back.
So, yeah, you're right. It flattened out. But the thing that I call out is it flattened
out at the high watermark, right? The highest point it's ever been was about a quarter of our
cases in the data set, and it continues to be at that high watermark. So I tell people, it's
great that it hasn't gone up any further, but I think you have to look at the why did it stay
flat? What is it that we can maybe take away from that? What do
we foresee? And let's dig into that. What is some of the backstory? Sure. Yeah. So, I mean, what I
call out is I think ultimately it has kind of flattened maybe partially because we've gotten
better. Organizations have gotten more prepared, which is great. I don't attribute it to fully that aspect. I also attribute it heavily to, I think the threat actors have
reached a point of saturation. The tools that they have at their disposal and the resources they have
to deploy them, they've reached a point where I think they've hit a lot of what they can hit and
be successful. And I think ultimately
what they're looking at is either recruit more resources to be able to go out and hit harder,
or they need to evolve their tools more in order to be able to get past some kind of layers of
defenses. But I don't think it's going away. I don't think this is like a flattening followed
by a decline. I honestly
think it's a flattening followed by a retooling. You know, I've been calling it kind of a retooling
or a rebuilding year. You know, they're working on some player trades and some new offenses.
And I think we're going to see them, you know, look to try to kind of get another leg up on that
chart in the coming time. And I think part of that also is the
fact that ransomware pays so incredibly fast. If you look back at the history of breaches,
most of the data breaches play out over weeks or months. Ransomware typically plays out over days.
So if you're a threat actor, much better to get paid in days and move on to your next one than weeks or months. So I think the financial dynamics continue to be strong for them.
What are we seeing in terms of the ransoms, both demanded and paid? How's that tracking?
Interestingly as well, that is also remaining relatively flat. And when we actually look at the data, while we've seen the
number of successful attacks flatten, we've actually started to see a little bit of an
increase in the actual paid ransom amount. So threat actors are demanding more, victims are
willing to pay it. And I think part of it also is the entry and maybe maturity of cyber insurance
and not in any way suggesting that cyber insurance causes ransomware
attacks. But what I've found is in talking with
lots of organizations, one of the leading reasons they typically say in terms of why
they buy insurance is to help them through a ransomware event. They want someone they
can lean on to pay that ransom and absorb that cost. And so I think that has also resulted in situations
where threat actors recognize, I hate to say this, this is like the old school analogy to bank
robberies where the bank robbers would say, ah, we're robbing the bank, but the bank has got
insurance. It's a victimless crime, right? The bank depositors, they don't lose a cent. They're insured, right?
And so the threat actors think that nobody really gets hurt, right? It's just an insurance company
that pays out and as if the money just grows on trees. And I think the threat actors somewhat
are looking at ransomware in a similar vein of nobody really gets hurt. We're just asking for
money. The insurance company is
going to step in and pay it. Nobody really loses. And so in that respect, I think that is also still
driving kind of some degree of bad behavior and bad hygiene because the victims of it also believe
that the insurance company will step in and pay it for them as well.
Interesting. Are we seeing any dent from either direct involvement
of law enforcement or even just the specter of that for the threat actors here? Or do they still
feel like they're pretty much able to operate out of reach? In many cases, they're still able to
operate out of reach. Whether they believe it or in actuality, I think we still continue to see that.
It obviously depends on where they operate. And obviously, the geopolitical tensions I don't
think are helping because while we may not have always had the best alignment with some of the
countries where we see these events emanate from, we have had case studies of success stories where things have been shut down or prosecuted or
disrupted. And now I think there's a level of coldness that exists in a lot of those
relationships where that's probably the last conversation that we're diplomatically going
to have or law enforcement may engage in in some of these different geopolitical climates.
So I think that is definitely a challenge.
I know that I see a lot of organizations who they'll see a headline that looks so-and-so
managed to get their ransom payment back.
So maybe we'll just pay the ransom and we'll do the same thing.
And I also try to advise people that you never know that you're going to be successful in
trying to recover the ransom.
And you never know that paying a ransom is going to lead to you getting your data back
or getting your systems unencrypted or any of those things. You're placing a lot of trust in
the threat actor that they're going to follow through. And maybe they will. But the other thing
I also always tell people is the ransom is only one part of the cost. At the end of the day, you still need
to do the root cause analysis to figure out how it started. You still need to patch and rebuild
all the systems involved. So it's not like paying the ransom makes it like it never happened.
Paying the ransom buys you a little bit more time. And obviously, there's a whole other debate on
whether or not we should even allow ransoms to be paid. I know there's a lot of things going back
and forth
in various legislative bodies around the possibility
of even making ransom payments illegal.
Yeah, no, it's a complicated equation for sure.
Yeah.
Well, Chris Novak, thanks so much for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment
on Jason and Brian's show.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by the CyberWire editorial staff.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.