CyberWire Daily - For OceanLotus, a picture is worth a thousand words (or at least a few lines of loader code). Georgia Tech breached. Mounties raid offices associated with Orcus RAT.
Episode Date: April 3, 2019. In today's podcast, we hear that OceanLotus, a.k.a. Cobalt Kitty, a.k.a. APT32, is out and about and using a steganographic vector to deliver its loader. Georgia Tech suffers a major data breach, with access to student, staff, and faculty records by parties unknown. Research universities remain attractive targets. Reflections on dual-use technologies. The Royal Canadian Mounted Police have raided offices connected with the production of the Orcus RAT, which is either a legitimate tool or a commodity Trojan, depending on whom you believe. David Dufour from Webroot with results from their most recent threat report. Guest is Roy Zur from Cybint Solutions on the essentials of hunting and fishing for information online. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_03.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
OceanLotus, a.k.a. Cobalt Kitty, a.k.a. APT32, is out and about
and using a steganographic vector to deliver its loader.
Georgia Tech suffers a major data breach with access to student, staff, and faculty records by parties unknown.
Research universities remain attractive targets.
Reflections on dual-use technologies.
The Royal Canadian Mounted Police have raided offices connected with the production of the Orcus RAT,
which is either a legitimate tool or a commodity Trojan, depending on whom you believe.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 3rd, 2019.
Researchers at the security firm BlackBerry Cylance have new information on OceanLotus,
also known as APT32 and Cobalt Kitty,
the Vietnamese threat group that's been particularly active over the past few months.
They've discovered several purpose-built backdoors and evidence that the group is using obfuscated cobalt strike beacons for command and control.
Most interesting, though, is Cobalt Kitty's payload loader, which is steganographic.
It conceals itself inside an image, specifically in a .png file.
BlackBerry Cylance points out that the threat group has taken pains to alter the image they use as little as possible, the better to pass through malware screens that might otherwise block it.
Once executed, the loader installs either a version of a Denis or a Remy backdoor in the victim machine.
The attack is easily modifiable to carry out any number of other payloads,
and the researchers think that Cobalt Kitty must
have invested quite a bit to develop the purpose-built tools they use. BlackBerry
Cylance calls them bespoke, like a suit designed and tailored just for the wearer.
This isn't commodity stuff off the rack. It's solid work, so hope you don't run into it.
Many organizations, and particularly smaller ones with limited resources, approach
cybersecurity primarily from a defensive posture. Make sure no one can get in and see your stuff.
Roy Zur is CEO at Cybint Solutions, and he makes the case that organizations of all sizes
need to look beyond security toward intelligence and even threat hunting.
In general, when we think about intelligence collection,
it's not different when we think about cyber intelligence
than we compare it to the more traditional signal intelligence.
So personally, my background was I was doing about 10 years of military intelligence in Israel.
And for example, when you need to prevent any attack,
let's say it's a suicide bomber or any other military strike that you want to prevent, the way to do that is first to identify the relevant sources that you need to track, and then try to collect the information from these sources, and then analyze the information that you collected from the sources and draw conclusions.
So if we think about cyber attacks, for example, there are many different resources in which we can find useful information for potential attacks that happened or will happen.
For example, the dark web and hacking forums or marketplaces in the dark web allow us to take a look at what is planned to be, let's say, a potential attack
that is now planned, or a data breach that happened and a specific organization is not yet aware of.
Once we track the specific forums and groups and marketplaces in the dark web, we can identify when
specific information is being leaked there or being discussed there. And it can provide us,
you know, information or potential information about a future attack that is going to happen.
Now, from an organizational point of view, how does a company go about budgeting for this sort
of thing? How do they dial it in relative to the amount of risk that they may face from this?
Right. So in general, when we think about the medium-sized businesses, most of them will have a fairly small security team and not necessarily a lot of budget to manage also intelligence team or what we call threat hunters.
In that case, the most important thing to do is, A, make sure our security teams are also trained on what we call correct intelligence.
And by working with many security teams worldwide, I found that if there was one gap, one significant
gap that almost every security team has is the fact that they lack the skills to do also
correct intelligence.
That's from, it's even before you buy tools or invest, I don't know, hundreds of thousands
of dollars in new devices and new tools, the skills of understanding how cyber intelligence works and what kind of
even online free tools you can use to better do it for your organization, that's the first
step.
Then for the medium sized businesses, there are many cyber intelligence vendors or cyber
intelligence providers that are available today that you
can actually use them as a service.
They are analysts and they use specific technology to track future threats against your organization.
For big companies or companies that have a bigger security team, they usually take one
of these cyber intelligence vendors, license their tools,
and actually create a threat hunting team. So in addition to your regular SOC team, security team,
you will have an intelligence team in your organization. So it's like every intelligence
or every defense organization or security organization or government agency, like we do
it there, we need to do it in the corporate level. We need to think about our organization
like we do in the military. We have our security forces, but we also have our intelligence forces,
and they have to communicate with each other. That's Roy Zur from Cybint Solutions.
There's trouble these days among the Ramblin' Wrecks. Georgia Tech learned late in March that it had sustained a security breach
affecting some 1.3 million current and former students, staff, and faculty.
The breach is bad.
It's not quite a set of fools, but there's a lot of inadvertent oversharing of PII.
The university said the exposed information includes names, addresses,
social security numbers, and birthdates.
The Atlanta Journal-Constitution says the data were accessed by an unknown outside entity,
which sounds totally spooky but really means just that someone got into the database and the university doesn't yet know who done it.
They're investigating and figuring out whom they need to notify.
The university says
they've clapped a stopper over the breach. We got a quick reaction by email from Dan Tuchler
of Security First. He said, quote, how ironic that a university with a high ranking in computer
science, which offers courses in cybersecurity, got hacked. This is in a state which has had
privacy regulations in place, the Georgia Personal Identity Protection Act, since 2007. This is a clear example of the need
for encryption of personal data. Hackers always find a way in, and they need to be stopped before
they get the personal data, end quote. He's right, of course, and it is ironic, but let's not be too
hard on Georgia Tech or on the Peachtree State itself, which does have some serious privacy protections in place
and the local expertise to use them.
First, expertise in academic programs often doesn't translate to administrative matters.
Second, universities, particularly universities with strong technical programs,
are very attractive targets with an expansive attack surface.
And third, Georgia Tech is far from alone.
A great many large universities with highly regarded computer science programs
have been hit before, and more of them will be hit again.
And finally, can we talk for a few minutes about dual-use problems?
A dual-use problem poses a familiar set of dilemmas,
most familiar to people who have to do with arms control.
Ammonium nitrate fertilizers? Innocent.
You may have some out in your garage ready to be applied to your lawn.
Diesel fuel? Innocent. Fill her up.
You can pump your own at any gas station,
unless you're in New Jersey where the filling station attendant by law must pump it for you.
But put diesel and fertilizer together and you get a powerful explosive.
Ballpoint pen ink? Totally righteous. Where'd we be without it?
We use it in the pens the cyberwire gives away at trade shows.
The chemicals used to produce it? Innocent, too.
But those same chemicals are precursor materials used in blister agent production,
that is, they're used for making mustard gas, and boo to that.
Krytrons? Innocent, nice high-speed switches for photocopiers,
but also nice high-speed switches for nuclear implosion weapons,
high yield, and no bueno.
Cybersecurity also has its dual-use problems. Take the humble
rat. I mean the remote administration tool. That's okay, right? Sure, nice rat. But the remote access
Trojan? Bad rat, bad. How do you tell the difference? If you ask the author of Orcus RAT,
it's the good kind. If you ask the Mounties, it's the bad kind.
And therein lies a tale.
The Royal Canadian Mounted Police late last week
raided the residence of an Ontario software developer, John Rezvesz,
who wrote and sold Orcus RAT through his company Orcus Technologies.
There are problems with Orcus RAT.
One of them is the markets it's found its
way into. It's being traded in various black markets. Another problem is its use in various
attacks since its introduction in 2015. Mr. Rezvesz says Orcus is legit, the nice kind of rat,
and that it's just being abused by bad guys who happen to have bought it. Poor rat. Besides, rats don't hack
people. People hack people. Most security experts would demur seeing in Orcus features that really
do hiss and bite like a bad rat. Still, Orcus does seem to be a dual-use item. Ilia Kolochenko,
CEO of web security company High-Tech Bridge, emailed us some comments.
He said, quote,
It's pretty difficult to draw a straight line and delineate legitimate RAT software from malware.
Unless the RAT in question cannot be used by its design for anything but malicious activities,
it will be quite complicated to charge its author with a crime.
However, a walkthrough with customers may shed some light on past
cybercrimes committed by unscrupulous buyers who purposefully acquired the tool to break the law.
End quote. He looks forward to the findings of fact and to the investigation of intent.
We'll know soon enough if the Mounties got their man or their rat.
And finally, in a very odd story out of Florida,
the U.S. Secret Service over the weekend detained a woman, Yujing Zhang,
who was carrying at least one, maybe two, Chinese passports, a laptop,
four phones, and at least one dongle as she sought entrance
to President Trump's Mar-a-Lago estate and club.
She said she was there to use the pool, then said her father was a member,
and then that she was there as an invited guest to a United Nations Chinese American Association
event. At this point, it all just became too implausible, especially since there was no such
event, and the Secret Service took her into custody. The devices she had with her are said
to contain what the Miami Herald helpfully, if perhaps redundantly, called malicious malware.
Or maybe the dongle and so on were potentially dual use, like a RAT. People have checked and found that the malware was the bad kind
and not the beneficial kind that might be on anyone's laptop or tablet. In any case, Ms. Zhang
has been charged with making false statements to a federal
law enforcement officer and entering a restricted area. No word on whether she got to take a dip in
that pool, but probably not.
all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is David Dufour.
He's the Vice President of Engineering and Cybersecurity at Webroot.
David, it's great to have you back.
You all recently published your 2019 threat report.
A lot of interesting stuff in here.
Take us through.
What did you find?
First of all, great to be back, David.
And yes, every year we take a look at our data that we've been collecting on threats, things we're seeing out there in the wild.
And we published the annual threat report.
And it's pretty big, so I'm not going to sit here and read it to you.
But some super curious things we found.
One of the key things was 40% of malicious URLs we found to be inside of good domains.
So as your listeners know, I'm sure a domain is like google.com or webroot.com.
And a URL is something that's like webroot.com slash business slash information dot html.
And so the URLs that we're seeing, a significant proportion of them, that are malicious, that are hosting malware, that are trying to do phishing or things of that nature are living inside of good domains.
So describe, what does that mean?
I mean, someone has compromised a legitimate domain and they're sort of hiding a malicious URL within there?
That's exactly right.
And it's typically a non-navigable link.
So it's not like they hacked a domain and then changed one of the links or added a link that sends you to something bad.
They literally went in there and, you know, a web root dot com or my domain dot com slash malware slash this is a virus dot exe.
They dump some malware on that actual server or provide a link to a location, a server inside of that domain that allows them to deliver malicious payloads.
And how should folks protect themselves against that? I mean, there must be a lack of awareness
there, right? Well, it's interesting because there is something of a lack of awareness.
And what you really do need is a solution that will not only prevent if the malware gets on
your computer, but is actually analyzing the domains you're either browsing to or looking at, you know, in your behind the scenes where maybe web pages are
navigating to or programs are navigating to that will then block that access to that malicious URL.
Now, another thing that you found, you all were tracking phishing attacks. You saw some movement
there. Yeah. You know, I'm sure everybody's getting tired of hearing about phishing attacks, but boy, that's something that just won't go away.
We saw a 36% increase over the last year, and we've seen just an astronomical growth in a number
of phishing sites over 2018, over 220% increase. And that's saying a lot because phishing sites go
up and down all the time. So to see that
kind of growth, it's just phenomenal. But what you're seeing is it's really become an automated
process where people have gotten really sophisticated in their ability to find places to
drop phishing payloads, again, using potentially good domains, and then just gather data through
automated processes. So it's just, it's continuing
to balloon. Now, you also found some interesting things when it comes to places that malware tried
to try to install themselves. So what's going on here? Yeah. So this, this is like one of those
old is new. And sometimes we just got to refresh things because, because people aren't that
creative, but we're seeing as usual, tons and tons and tons
of malware being dropped into your app data, your temp and your cache folder. You shouldn't be going
in there and locking down your app data folder because applications need to install there.
But the thing is, these folders where we're seeing this stuff installed, if whatever permissions that
a specific user has when a malware lands on the machine,
that malware is going to end up with the same permissions.
So things like making sure you have proper permissions configured on your machines,
and then, again, any almost rudimentary endpoint solution is going to protect against malware running in these folders.
So the point is that the malware is looking for folders that it knows have to be active,
that there's a lot going on there, so that's not a folder that can be locked down.
Correct, but on top of being active, it also is a place where there's a lot of stuff,
so it's easy to get lost in those folders as well.
So what are some of the take-homes from the report?
As we look toward the horizon, what are some of the lessons learned here?
You know, every time your listeners hear me, I end with the same thing. But David, it's really true. Just make sure you have a good endpoint solution. Make sure you're
applying patches so that if you do end up at a malicious URL that's trying to exploit something
in your machine, that it can't because you've got the latest patches, and make sure you got your data backed up because at the very worst,
you can format your computer and restore your data. I mean, that's the same takeaways we always
have. They remain tried and true today. All right. Good enough. I guess don't mess with
success, right? Exactly. Yeah. All right, David Dufour, thanks for joining us.
Thank you for having me.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep
your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.