CyberWire Daily - Fancy Bear phishes in think tanks. Lazarus Group takes a swipe at Russian organizations. New decryptor for GandCrab. Citizen Lab and Novalpina discuss NSO Group. Ryuk’s lousy help desk.

Episode Date: February 20, 2019

In today’s podcast, we hear that Microsoft has disclosed a Fancy Bear sighting, snuffling around Atlanticist think tanks in Europe. Ukraine says, in effect, see, we told you so. Speaking of bears, it seems that North Korea’s Hidden Cobra may be striking at the biggest bear of them all, going after Russian targets. There’s a new decryptor available for GandCrab ransomware. Citizen Lab and NSO Group’s new partial owner exchange notes. A look at a ransomware help desk. Mike Benjamin from CenturyLink with an update on the Necurs botnet. Guest is Tommy McDowell from the R-CISC (the retail ISAC) on the importance of sharing threat data.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Microsoft discloses a Fancy Bear sighting snuffling around Atlanticist think tanks in Europe. Ukraine says, in effect, see, we told you so. Speaking of bears, it seems that North Korea's Hidden Cobra may be striking at the biggest bear of them all, going after Russian targets. There's a new decryptor available for GandCrab ransomware. Citizen Lab and NSO Group's new partial owner exchange notes, and a look at a ransomware help desk. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 20th, 2019.
Starting point is 00:02:38 Microsoft this morning said it had discovered another Russian cyber operation targeting think tanks critical of Moscow. The attacks occurred between this past September and December. Microsoft says it warned the affected institutions and the appropriate governments and that it also took unspecified technical measures to put a stop to the attacks. The institutions Redmond says were hit include the German Council on Foreign Relations, European branches of the Aspen Institute, and the German Marshall Fund, so there's a clear Atlanticist flavor to the target list.
Starting point is 00:03:12 The method of attack was spear phishing, and the hook was a link to a malicious website. The spear phishers are said to have been from APT28, or Strontium, as Microsoft prefers to call them. We'll continue to call them Fancy Bear, but whatever the name, it's Russia's GRU military intelligence service. It's not clear from Microsoft's blog exactly what measures it took against the spear phishing. In an earlier wave of Fancy Bear attacks prior to the U.S. midterm elections, Redmond had obtained appropriate legal authority to take down the offending domains used in the campaign. In what the company at the time called a novel legal move, Microsoft had successfully argued that spoofing of the kind observed was a violation of
Starting point is 00:03:56 its intellectual property rights, got a court order to transfer the domain names to its own servers, and then shut the sites down. As the Washington Post points out, Redmond doesn't seem to have done that for the present wave of spear phishing, and the company declined to say why not. In any case, Microsoft has extended its AccountGuard security system into 12 new European markets. Fancy Bear's goal appears to be influencing European elections, both upcoming national elections and the EU elections scheduled for May.
Starting point is 00:04:29 Microsoft notes that its findings would seem to confirm alarms raised in many European governments. Ukraine has been particularly explicit in its concerns. That country's National Security and Defense Council announced yesterday that it will undertake joint cyber defense exercises with EU partners in the near future. The announcement was accompanied by charges that Russian hacking and influence operations have risen unabated as Ukraine's March 31 presidential election approaches. Moscow may sometimes be a victim too. Security firm Check Point says, with appropriate exclamation and question marks in the heading of its announcement, that it's detected signs that North Korea's Lazarus Group, also known by its animal name Hidden Cobra, is turning its attentions to Russia.
Starting point is 00:05:18 Check Point's researchers point out that there are two apparent subgroups to Lazarus: Andariel, which focuses primarily on attacking the South Korean government and other South Korean organizations, and the second, Bluenoroff, which works against other cyber-espionage targets and, most importantly, against targets where attacks can be monetized. Cybercrime has long been one of Pyongyang's approaches to redressing the chronic financial pain it feels
Starting point is 00:05:49 as a pariah state laboring under extensive international sanctions. Check Point found a familiar and versatile Lazarus backdoor, KEYMARBLE, to use the name US-CERT gave it, carried by malicious PDFs or Microsoft Office files crafted for Russian intelligence. Cyrillic-looking characters were used in images to bait recipients into enabling content, thereby triggering the malicious code.
Starting point is 00:06:15 On balance, the campaign is unusual because it doesn't appear to reflect geopolitical tensions, which have usually accompanied even North Korean financially motivated campaigns. To be sure, North Korea has plenty of tension with just about everyone, and is no longer anyone's client state, but it's got fewer such tensions with Russia than it does with most others. Perhaps there are tensions present that aren't obvious to outsiders. There are a growing number of ISACs, which stands for Information Sharing and Analysis Center, serving organizations in a variety of sectors. Tommy McDowell is vice president at the Retail Cyber Intelligence Sharing Center, or R-CISC, a member organization serving the technical community so that our members can share information about cybersecurity, threat intelligence, breach information, best practices.
Starting point is 00:07:12 A lot of our members come from gaming organizations as well as in hospitality, consumer product manufacturers, hotels, restaurants. And we also have other cybersecurity partners around the world. So what are some of the specific vulnerabilities that folks in your vertical have to deal with? You know, we really deal with a top three threat vector and top three threats to our industry. And most of these are all through email. Everything from ransomware to account takeover to credential harvesting. Also, any threats facing point-of-sale systems or the e-commerce ecosystem, all the way from the credit card readers, all the way back to the e-commerce system as well.
Starting point is 00:07:56 Most of our members, when they experience breaches at some stage of that notification and investigation process, they will let our community know of the breach and of the techniques employed by the actors. In most cases, in many cases, there are legal restrictions as to what can and cannot be released. Luckily, because you participate with a community such as ours, they may not acknowledge the breach, they may not give details as far as the amount of loss or exactly what we lost, but they're more than willing to let us know what the techniques are so that they can protect other companies and other systems all in the sector. So you sort of serve it as this central clearinghouse and repository to gather these things, but then also distribute them out to folks to help alert everyone and help keep them safe? Not only just keep them safe, the knowledge of the breach, but also what are the best practices?
Starting point is 00:08:50 What techniques are working? A large number of vendors have similar type systems, but there's always variation. And where you may have a vendor coming out with a patch or workaround, what we get from our community is the experience of on the ground implementation of those patches and the configuration issues that come up and what remediation steps have to take place. So you have this instant community of people involved in one or two key incidences and be able to give really good, lively feedback, you know, based on their availability, which for the most part, we have a large number available at any given time. Even if they're not a member, in many cases,
Starting point is 00:09:28 we'll reach out to that agency. Or if we learn of an attack or a vulnerability, or even if we see something on the dark web being sold that addresses a retailer, even if they're not a member, in many cases, we reach out and let them know. So we have a lot of relationships with various other threat intelligence companies, as well as other agencies that just aren't members. And yet we do try to
Starting point is 00:09:52 keep them abreast of the latest attacks and threats as they're evolving. One of the things we've learned over the last year or two is to be able to stand up a fully fledged threat intelligence program is pretty challenging. So what we've been able to do is identify two or three key behaviors that a small company could do that would be activities a threat intelligence group would perform, but you don't have to have the full program to get the benefit of that. So it is a community and it is one that shares openly. Our level of engagement has increased tremendously over the last couple of years. I think that's largely because the amount of trust
Starting point is 00:10:29 we build and emphasize inside this group. I mean, sharing vulnerability information and information that you've been breached with a community. And by the way, these are retailers that often compete with each other. So there has to be this level of trust created. And I have to say, I've seen a lot of really good people step forward. That's Tommy McDowell from the Retail
Starting point is 00:10:51 Cyber Intelligence Sharing Center, the RSIC. A decryptor is now available for GANDCRAB ransomware's version 5.1, bleeping computer reports. the fix by Bitdefender, Romanian police, Europol, and other law enforcement partners is also effective against some earlier versions. There are, however, already signs that Gancrab version 5.2 is beginning to circulate in the wild. But, in the meantime, bravo Bitdefender and colleagues. An exchange of letters between Citizen Lab and Novalpina outlined the suspicions that persist around NSO Group. Novalpina Capital, the private equity firm that backed the recent reacquisition of NSO Group by its founders, said in their letter to Citizen Lab that they and the new owners were committed to greater transparency and that they welcomed dialogue with those with
Starting point is 00:11:43 concerns about the company's business. Novalpina alluded to the safeguards that were now in place and that were, it said, sufficient to make Novalpina comfortable with owning a stake in NSO Group. Citizen Lab, after expressing its appreciation for Novalpina's gesture of transparency, offered a long list of questions, answers to which it said would go a long way toward producing such transparency. They come down to two sets of concerns. Citizen Lab would like to know more about the extensive due diligence Novalpina undertook before its purchase of NSO Group,
Starting point is 00:12:18 and what criteria were employed to determine that NSO Group operates with integrity and caution. The other concerns centered around Citizen Lab's study of how various repressive regimes have used NSO Group's intercept products in less than lawful ways, and in ways that Citizen Lab says put NSO Group on the wrong side of the UN Guiding Principles on Business and Human Rights. Among other things, Citizen Lab would like to know what remediation has been undertaken for past issues and what grievance procedure NSO Group has in place
Starting point is 00:12:52 to address other issues that may arise. Amnesty International and six partners also weighed in, thanking Novalpina for the opportunity to discuss transparency and calling upon the investors to commit to eight specific undertakings. That letter specifically called out the misuse of NSO products by the government of Mexico, which earlier Citizen Lab research reported. Amnesty and its partners also showed particular concern for the use of intercept technology against reporters.
Starting point is 00:13:24 And finally, pop quiz, hotshot. What criminal sector provides its own help desk? The mob? Nope. The Chicago Outfit? Nope and nope. Cyber gangs? Ah, there you go. Especially the ransomware hoods. They offer a help desk whose help is to help the victim pay the extortionists. Ryuk ransomware, for example, according to No More Ransom initiative partner Coveware,
Starting point is 00:13:49 does just that. But when it comes to the help you get, some victims are more equal than others. There are two notes Ryuk victims might get. One of them is blunt, unpolished, and crude. That help note comes with a lower ransom demand. Still, a hefty 15 to 35 Bitcoin, which at the high end comes to around $224,000, but lower than the demand associated with the longer, friendlier, better written note that asks you for around 50 Bitcoin and change, somewhere around $320,000.
Starting point is 00:14:22 Help Net Security speculates that either the help desk was having a bad day when it used the curt text, or that the subtext under the niceness of the more polished note was that the crooks were reasonable and willing to negotiate. In either case, the help, as the kids say, sucks. The decryptor is buggy and just about as likely to destroy your files as recover them. Better to back up early and often and offline so you don't have to deal with Ryuk help. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
Starting point is 00:15:06 challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:15:43 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:16:34 And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices … been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Mike Benjamin. He's the Senior Director of Threat Research at CenturyLink. Mike, it's great to have you back. We wanted to dig into another one of the botnets that you all have been tracking there, and that is Necurs.
Starting point is 00:17:30 What do you have to update us with here today? Yeah, thanks, Dave. So Necurs, for those that aren't familiar with it, it's actually quite a few years old, and it's a spam botnet. It has sent just about every type of spam you can imagine during its lifetime. And I was on the show a few months ago and mentioned one of the unique attributes that we were seeing about Necurs was that it was shutting itself off on a periodic interval. And what I meant by that was that the command and control host of certain aspects of the botnet. And so this botnet has about three different chunks, which are DGA seeds. And so we track them as individual entities.
Starting point is 00:18:08 And sometimes they're actually delivered different payloads or different attack commands. But each DGA seed shuts itself off at the C2 level. And so what we've been seeing over the last few weeks is that it is shutting itself off against all DGA seeds for eight days at a time, coming back on for less than a day, delivering all its spam, all its junk, whatever the focus was for that particular campaign, and then shutting itself off again. And so from a defender perspective, this is particularly interesting because it calls back to DGA when it can't reach its C2s. It's a lot louder during the periods that it can't find the C2s than when it can. And so this is a great way to detect it within an environment.
Starting point is 00:18:50 The campaigns that we've seen recently, two of them are very common with what we've seen Necurs do in the past. They've been deploying secondary payloads of a variety of families of remote access Trojans. So they've been delivering RATs as well as ransomware, nothing new there. But one of the things that we saw a couple months ago, a lot of us all unfortunately saw in our inboxes what people deemed these sextortion emails, where they were claiming to have dirt on the individual and asking for upwards, in some cases, of a couple hundred dollars worth of Bitcoin to be delivered to the cryptocurrency wallet. And this was pretty rampant, got a lot of press. And if you look back now at the wallets that were being utilized during that time period, they made some money.
Starting point is 00:19:35 Tens of thousands of dollars were successfully gleaned from this. And we were able to track that, in many cases, being delivered through Necurs. Certainly not Necurs alone was the vector utilized. Oh, interesting. Now, do you have any insights onto this pattern that it shows, this, you know, going dark for days at a time? Any guesses on what the strategy there is? Well, in some cases, this, from an infection perspective, means that it changes, that the infrastructure is not live at the moment that they're not using it. And we've seen this in different malware families where the actors believe that by shutting off their own control infrastructure, they may be able to evade takedowns as well as evade certain detection techniques.
Starting point is 00:20:18 And, you know, I'd argue from a network perspective, that's not effective, but maybe in some corners of the world and in some defense cases, that is effective. One of the other things that we see that's interesting about the behavior, I find this interesting, is we see a lot of actors out there sending their spam in one language. Or maybe if they've got a ransomware landing page, they've translated it to a couple languages. But we've actually seen through Necurs, they're beginning to be more and more effective with language localization, where they are targeting a part of the world in the native tongue of that part of the world to be more effective in the campaign that they're delivering malware from. And so, you know, there's always the conversation in our team that maybe they need that extra few days just to be more targeted and translate some campaign language. And that's why they're shutting their stuff down.
Starting point is 00:21:09 Interesting. All right. Well, thanks for sharing the update with us. Mike Benjamin, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:21:39 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. Sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Starting point is 00:22:38 Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:23:30 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
