CyberWire Daily - Exploit-of-the-month club open for business. Disinformation technology. Lazarus Group tied to North Korean intelligence (again). Extortion is big, but carding is still with us. Spammy apps in Google Play.
Episode Date: May 31, 2017
In today's podcast, we hear that the ShadowBrokers open their exploit-of-the-month club at the low, low price of $22,000 in Zcash. Group-IB finds more evidence that the Lazarus Group is a North Korean... intelligence unit. Extortion, both real and bluffing, grows in underworld popularity, but carders are with us still, alas. President Macron tells President Putin everyone's on to his use of Russia Today and Sputnik News for disinformation. Accenture's Justin Harvey explains red-teaming. Ely Kahn from Sqrrl outlines NIST's call for comments on their cybersecurity framework. And if you're a regular Joe or Jane looking for some Android action, take this advice straight from the shoulder: steer clear of Star Hop and Candy Link.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Shadow Brokers open their Exploit of the Month Club at the low, low price of $22,000 in Zcash.
Group IB finds more evidence that the Lazarus Group is a North Korean intelligence unit.
Extortion, both real and bluffing, grows in underworld popularity, but carders are still with us, alas.
President Macron tells President Putin everyone's on to his use of Russia Today and Sputnik News for disinformation.
And if you're a regular Joe or Jane looking for some Android action, take this advice straight from the shoulder.
Steer clear of Starhop and CandyLink.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 31, 2017.
The Shadow Brokers have released more details of their Exploit of the Month Club.
It will cost you about $22,000 per month to join.
The club, say the brokers, whose identity remains at least publicly unknown, is, quote,
being for high rollers, hackers, security companies, OEMs, and governments, end quote.
Symantec and others have linked WannaCry to North Korea by its evident connection to the Lazarus Group.
Skepticism about that attribution has been based in part on doubt that the Lazarus Group really is a tool of DPRK intelligence services.
Researchers at Group IB, a Russian security firm with offices in Moscow and New York,
have published the results of their investigation into the Lazarus Group.
They conclude that, yes indeed, the Lazarus Group is in fact an agent of the North Korean government.
Group IB looked at evidence found in the threat actors' command and control infrastructure.
The Lazarus Group's attacks used three layers of IP addresses,
and Group IB succeeded in identifying the two addresses at the bottom of the campaigns
against Sony and Bangladesh Bank.
The first address is assigned to China Netcom, a Chinese company.
Group IB researchers, however, claim they have unconfirmed reports
that this address was assigned to North Korea on an interim basis.
About the second address, they have few doubts.
As the researchers express it in their reports,
quote, 175.45 with earlier intelligence community conclusions that
the Lazarus Group is in fact simply Bureau 121 of the DPRK's Reconnaissance General Bureau.
BAE Systems had, on other grounds, reached the same conclusion in February.
It's noteworthy that Group IB's attribution doesn't depend upon discerning similarities in attack code.
The researchers find the Russian language snippets in the code to be bad Russian
and suggest the North Koreans put them there as intentional misdirection.
This latest research simply ties the Lazarus Group more closely to North Korea.
To attribute WannaCry to the Lazarus Group, as Symantec, Kaspersky, and others have done,
is, while compelling, still circumstantial.
New York-based security firm Flashpoint has noted, without insisting too much on the point,
that the code used in the WannaCry campaign points to some fluency in Chinese, but also to broken Korean.
There is, of course, as Flashpoint notes, a large Chinese diaspora,
and it's possible to achieve fluency in a non-native language.
Anyone who read Lord Jim in high school will recall that Joseph Conrad came late in life to English from his native Polish, and he seemed to do just fine.
It's also possible to deliberately botch a language in which you're fluent.
We is being looking at you, Shadowbrokers, and is thinking you is being doing that same thing to high rollers and OEMs.
Sorry, our editorial staff insists on showing off their near-native proficiency in Shadow Brokers English.
Moving on.
NIST, the National Institute of Standards and Technology,
recently issued a call for revisions to its cybersecurity framework.
Ely Kahn is co-founder of the threat-hunting company Sqrrl,
and he checked in with us for an overview of the framework.
The NIST risk management framework is, in my opinion, one of the more exciting things happening inside government today.
It is becoming the de facto standard for not only how the government, but industry as a whole, manages cybersecurity risks.
So there's been lots of frameworks developed over the time.
NIST 800-53 has been sort of one of the primary documents around security controls,
but those were really just lists of security controls and missing sort of the risk framework
to wrap around them that is really designed to help an executive think about how they want to
manage cyber risks as a whole. So what are the
risks that they're willing to accept? What are their overall risk levels that they want to
push off to insurance type of controls? And then ultimately, what is the risk tolerance levels?
How does this framework play into the recently released presidential executive order on
cybersecurity? So it's actually at the core of it. The executive order calls for every government agency to adopt the risk management
framework as their central way for managing risk within their organization. Now, it's not overly
prescriptive. It's not saying exactly how each agency needs to implement that risk management
framework, but it does say it must adopt it.
But then going through a process that looks at those inherent risk levels and then very thoroughly decides what are the risk controls that it should adopt based on its inherent risk levels. And
ultimately, what are the risks that it's willing to accept, which would be the delta between
its inherent risks and the controls that it adopts. And what kinds of comments and suggestions are being submitted
in terms of the framework? There's been a lot of different comments and suggestions,
a lot of them around further defining how to decide what risk controls are appropriate for
certain risk levels, and also comments on, you know,
maybe some specific risk controls that weren't flagged in the risk management framework that
should be identified. But, you know, from our perspective, there are some categories of controls
that should have been included that weren't. For example? Certainly one that we're quite
focused on is the idea of threat hunting. And the risk management framework specifically calls out automated detection processes as being important controls,
but misses the idea of threat hunting and a more human-driven, iterative approach to detect cyber threats that have
evaded detection by other defenses, really evade detection by your automated defenses.
What we're advocating for is to be explicit in that you can't rely just on automated detection.
You can't just rely on your automated rules in your SIEM or your other sensors. You need these human-driven
processes also to proactively look for threats that have evaded detection by your automated
defenses. That's Ely Kahn from Sqrrl. Criminals are increasingly turning to extortion,
both crypto ransomware and traditional blackmail. Sometimes the blackmail is a bluff,
as Disney claims was the case in the Pirates of the Caribbean extortion attempt.
Hackers did not, CEO Iger says, get into Disney servers.
They were simply trying to hustle Team Mouse into paying up.
Other blackmail is unfortunately quite real,
as is the case with a threat to post before and after pictures
of a Lithuanian plastic surgery clinic's patients.
Older forms of commodity crime are still with us, too.
Chipotle this week disclosed that it sustained a breach in its point-of-sale systems
that affected most locations in North America.
Customer paycard information is said to be at risk.
French President Macron is disinclined to let Russian information operations pass unremarked.
In a joint news conference held Monday with Russian President Putin,
he called out Russian attempts to influence elections,
specifically citing Russia Today and Sputnik as agents of influence spreading disinformation.
The two presidents' dialogue was characterized as frank and sincere,
which we take to be diplomatic language for see you at knife point and I'm gonna get you, sucker.
And finally, there are other issues in Google's walled garden. Android users shopping for
diversion in Google Play should avoid Starhop and CandyLink. Both apps are serving spam. And lest you be confused by
the ambiguities of the word spam, we mean the bad kind of spam, all those tiresome
heckling messages that cumber your device, not the tasty Hormel
confection made of pork with ham, salt, water, potato starch, sugar, and sodium
nitrate. Now if we could find an app that served up that kind of spam, we'd be all
over it, as would every other
person of taste and discernment. And with that, we conclude our special linguistic and gastronomic
edition of the Cyber Wire podcast.
And I'm pleased to be joined today by Justin Harvey. He's the Global Incident Response
Leader at Accenture. Justin, welcome back to the show. We wanted to talk today about
using offensive capabilities to test security, this whole notion of red teaming.
But why don't we start off with that? Tell us, what do we mean when we're talking about red
teaming? Well, red teaming has actually been an evolution or an evolutionary process. Years ago,
organizations really wanted to know, do we have vulnerabilities in our networks and in our
systems? And that's really where vulnerability management and vulnerability scanning came in. There was a need to see,
well, can any of these actually be exploited? We know we have vulnerabilities, but can those be
exploited to show an effect? And that was what we would call penetration testing. And then
red teaming came along. And red teaming is a little bit more evolved than
penetration testing in the sense that can you string along a few of these exploits against
vulnerabilities on systems or networks in order to accomplish a mission? The next step after red
teaming is adversary simulation, which is, can you utilize these exploits
against known vulnerabilities in your network and the system in order to accomplish a mission
that would, and then the punchline is, in order to override a business process and in order to
impact a business critical function. So I'm an organization and I want to set up a red team
to test my own defensive capabilities. How do I go about doing that? That's a great question.
In my opinion, it should really be after you've got a strong blue capability. Blue is the opposite
of red in the security world, which is strong security operations. You've got a SIEM in place,
you're doing log management, you have great use cases, great threat intelligence. And you think that
you've got that nailed pretty well. The red team is really there to provide the blue team a sparring
partner. And the blue team is looking day to day at logs. They're going through analysis. They're looking at the events
and the alerts. And it gets to be quite tiresome. And when you have a red team, this is a funny
term, a friendly adversary, someone who you know isn't going to wreck your systems or to create
an availability issue or steal your data. It really gives you a sparring partner to draw some
great conclusions and see how your blue team would really react during an investigation or during an attack.
All right. Interesting stuff. Justin Harvey, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.