CyberWire Daily - Hidden Cobra’s new tricks. Notes from the criminal underground. Draft EU data transfer regulations. And the coming ape-man disinformation.
Episode Date: November 17, 2020. Hidden Cobra inserts Lazarus malware into security management chains. Malsmoke malvertizing doesn’t need exploit kits, anymore. Ransomware operators shift toward social engineering as the ransomware-as-a-service criminal market flourishes. Draft EU data transfer regulations implement the Schrems II decision. Robert M. Lee from Dragos shares a little love for the lesser-known areas of ICS security. Our guest is Greg Smith from CAMI with insights on promoting cyber capabilities at the state level. And the next thing in disinformation? No surprises here: it’s COVID-19 vaccines. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/222 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Hidden Cobra inserts Lazarus malware into security management chains.
Malsmoke Malvertising doesn't need exploit kits anymore.
Ransomware operators shift towards social engineering as the ransomware-as-a-service criminal market flourishes.
Draft EU data transfer regulations implement the Schrems II decision.
Robert M. Lee from Dragos shares a little love for the lesser-known areas of ICS security.
Our guest is Greg Smith from CAMI with insights on promoting cyber capabilities at the state level.
And the next thing in disinformation? No surprises here. I'm Dave Bittner with your CyberWire summary for Tuesday, November 17th, 2020.
Researchers at ESET have found that North Korean threat group Hidden Cobra
is deploying its Lazarus toolkit by infiltrating South Korean software supply chains.
South Korean Internet users are often required to install additional security software
before visiting government or financial sites.
The application Wizvera Veraport is commonly used to manage such additional security,
and Hidden Cobra appears able to replace software delivered to Wizvera Veraport users
from a legitimate but compromised website with Lazarus malware.
ESET is highly confident in its attribution of the attacks to Pyongyang.
Malwarebytes warns that the Malsmoke malvertising campaign has forsaken exploit kits for social engineering.
The Malsmoke gang usually targets high-traffic adult websites,
and they've most recently been posting notices that visitors to such a page need to install a Java plugin to view the saucy video they came for.
Sure, it's not plausible, but the hoods figure consumers of adult video are unlikely to be skeptical.
Whoa, says our hypothetical video user.
It says here, download that Java plugin, and that sounds like something you ought to do on a computer maybe,
so hey, what harm could it do?
The hoods are right in some cases, and for some audiences,
you really don't need to sweat the plausibility.
The Malsmoke operators aren't alone.
Security firm Ironscales sees a general shift toward social engineering in ransomware attacks.
Ironscales says, quote,
From an attacker's perspective,
the transition from spear-phishing emails packed with malicious payloads to social engineering was a no-brainer.
The overwhelming majority of email phishing attacks are now driven by social engineering messages aimed at prompting an action
and distributed via advanced phishing techniques such as business email compromise, VIP or CEO impersonation, and other forms of email spoofing and fraud.
Ransomware operations are also well supported by a strong market for criminal-to-criminal services.
Dark web intelligence shop Intel 471 counts at least 25 ransomware-as-a-service outfits currently doing business.
They divide them into three tiers based on size, reach, and reputation.
The Tier 1 ransomware-as-a-service players are big, offer proven code,
and continue to operate in the face of widespread public awareness and exposure in the media.
They also have to have been around for a while, for months,
which counts as enduring in the rapidly evolving world
of the criminal marketplace. The outfits in Tier 1 include REvil, NetWalker, DoppelPaymer,
Egregor, also known as Maze, and Ryuk. All of these, with the partial exception of Ryuk,
also maintain leak sites they use to pressure their victims with the prospect of doxing.
Tier 2 is for the up-and-comers.
They've achieved a certain cachet in the underworld. They offer advanced ransomware strains,
but they don't have the volume in terms of either attacks or affiliates
that the big Tier 1 players boast.
Tier 2 includes Avaddon, Conti, Clop, DarkSide,
Mespinoza, Ragnar Locker, Ranzi, SunCrypt, and Thanos.
Tier 3 is for the wannabes, or at least the newbies.
Some of them may be making it in a small way,
but it's often hard to tell whether any one of them is still in business or not.
Tier 3 goons have been known to proffer
CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally,
XINOF, Zeoticus, and lately Zagreus.
The leading brand in all of this, Intel 471 says, is Ryuk,
which by their estimation has been involved in about a third of the ransomware attacks observed this year.
The Wall Street Journal summarizes draft EU privacy rules
expected to drastically circumscribe how Europeans' personal data must be handled
when that data is moved outside the EU.
The draft guidelines are intended to implement the EU's Court of Justice decision
issued earlier this year in the Schrems II case
that invalidated the former EU-US Privacy Shield
regime. Cooley describes the new process for transferring data as consisting of six steps.
First, map any data transfers. Second, select a transfer mechanism. Third, determine whether
your selected transfer tool works without supplementary measures. Fourth, adopt any necessary supplementary measures.
Fifth, take any required procedural steps. And sixth, re-evaluate at appropriate intervals.
That's of course a bare outline. There are many details in each step.
If you handle European data, call your lawyer. And finally, you know, all that election
disinformation stuff we've been hearing about is so yesterday, isn't it?
So what's the new thing coming down the pike in terms of lies and grifting?
Well, the Washington Post goes out on a limb and predicts that the next big disinformation fight will be over COVID-19 vaccines.
We'll crawl out there with them as well and say they're probably right.
In fact, it's already begun. After all, Moscow's been busily predicting that anyone who takes the AstraZeneca vaccine under development in the UK is likely to turn into a monkey. We think better
of AstraZeneca and their partners at Oxford than that, but maybe the Kremlin, like, knows stuff.
As with any risk, if you're concerned about the
whole simian transmogrification thing, there are three things you can do with the risk.
You can mitigate it, transfer it, or accept it. Forewarned is forearmed. AstraZeneca is probably
mitigating this risk as well as anyone can. We haven't seen any insurance companies offering to indemnify
ape transformation, although in fairness, there's not a whole lot of actuarial data on the process.
Or you could accept the risk. That's where we are.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
There are organizations at all levels who lend a helping hand to businesses in their area at the local, state, and national level. Locally, that could be the Chamber of Commerce or the
Office of Economic Development. When it comes to cyber, many states in the U.S. have organized efforts to promote this
rapidly growing vertical with its high-paying jobs and potential for growth and prestige.
Greg Smith is chairman of the board for CAMI, the Cybersecurity Association of Maryland,
and he shares insights on the value proposition these types of organizations bring to the table. CAMI is the Cybersecurity Association of Maryland. We have over 580
cybersecurity companies located throughout the entire state of Maryland. We have companies in
every county. And really what we're focused on at CAMI is creating connections, creating connections
for our companies, creating connections for employees that might want to work for our
companies, creating connections with service providers that provide services to our companies at a discounted rate, and also providing connections for our universities to provide students to our companies.
Why is it important for an area like Maryland, a region like Maryland?
I mean, we have a very robust cybersecurity sector,
partially based on our geography, being close to D.C., having organizations like NSA here.
Why is it important for us to have an organization like CAMI to help kind of
make those connections and provide the resources that they do?
Well, I think that's a great question. And as an organization, when we started,
really what we were trying to do is come back to that one word that I said earlier, connections.
You know, a lot of our cyber companies are very focused on building product or providing services, but they didn't have a lot of capabilities or the intros to the universities, whether that's from an employee standpoint or from a technology standpoint.
One of the other things that CAMI has done pretty effectively is brought vendors to the table where we've leveraged our membership and gotten discounts on things like health insurance. So again, it's all focused on connections and trying to help grow our members and enhance the ecosystem.
Do you ever get inquiries from other parts of the nation or other parts of the world who say,
hey, we see what you all are doing there and we're thinking about spinning up a similar organization in our region?
Is there that sort of broad interest for these sorts of endeavors?
Interestingly enough, yes, there is.
We've had numerous discussions with various states.
And really, if you look at the United States ecosystem,
there's a lot of other Cyber Tennessee or Cyber Georgia.
And those have all been modeled after Cyber Maryland.
So I think what you're starting to see is a definite broadening reach of what we started here at Cyber Maryland.
And it's growing aggressively around the United States.
And now we're just starting to touch other parts of the world.
That's Greg Smith.
He's chairman of the board for CAMI, the Cybersecurity Association of Maryland.
Cyber threats are evolving every second. ... solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back.
I thought it might be fun to do a little survey together of some of the areas in ICS security that don't
necessarily get the love of the high profile ones. We're always talking about the electrical grid.
We're always talking about water and, you know, things like that. Are there areas that you all
are still out there protecting that don't really get mentioned so much? Yeah, for sure. And it's
a good question. And you're right. Electric systems, first and foremost,
then oil and gas are the ones that states are always freaking out about.
Rightfully so, to some degree.
But I find it really enjoyable to go into a water facility
and look at the water utilities or look at wastewater treatment facilities,
although it's not always the greatest smell.
It's a wonderful industrial control environment.
And the folks working there are just as hardcore and passionate as anybody you'll find in the industry.
Usually just don't have as many resources to address the problem. And there's kind of an issue
there where they don't have the resources to then look, so they don't
see the problems or attribute them to cyber, so they don't get the resources to go address it.
So it's kind of a self-fulfilling, or I guess a violent circle, if you will.
But the water one comes to mind because a lot of people in the United States
depend on their water utilities and they don't get the love and attention. You get in some
really cool environments too. Like we've got a number of customers in the mining industry
as well. And getting into a mine is a fantastic
exploration of different industrial control systems. Everything from
controllers operating a cyanide bath
to strip gold from minerals.
Everything from the HVAC systems,
which are now life-critical safety systems
for those working conditions,
to self-driving Caterpillar trucks
with MineStar applications on them and similar.
It's just wonderfully cool
with absolutely zero interest from your state level leaders
and stuff. They generally don't even think about mining. Rail is another beautiful one. We start
looking at not only the intricate control systems inside the control center itself,
you're looking at the actual onboard train communication networks and all the control
systems that go into there. I mean, it's really, really cool. And personally, I live in Maryland.
I'm a huge fan of taking the Amtrak.
And every time I get on board, it's like, oh yeah,
I know what control systems are on here.
It's such a cool system.
And they have a bunch of risks and cyber threats as well.
But they just, again, don't get the attention,
don't get the resources as everyone else.
And then I would say probably the last one that comes up is kind of interesting.
And it's more emerging, but it's really airports.
When you start thinking of all the control systems that relate to everything from baggage
claims to the maintenance lines for the airlines themselves, to even some of the non-IoT parts,
the actual OT parts related to the vehicles and flight lines, it gets really, really cool.
And I said the last one, but actually building off of that,
the one that's going to become a bigger topic because of Space Command
obviously is the space side of it.
And most people don't realize how many Siemens controllers and similar
are up in satellites and ground control stations and similar.
So I think we'll see a lot of focus on
that in the years to come, largely because the government's willing to invest the resources
there, which will spawn an industry around it, and we'll start seeing more of the threats that
have been resident. So anyways, those are kind of the different industries, I would say, that get
the least amount of love, but have some of the coolest systems and just really interesting
challenges ahead of them, as well as unique insights to go
and share with larger community. Now, is there any correlation between those ones that are sort of,
you know, running quietly under the radar that they're not getting the attention, the same level
of attention from adversaries? I don't think that's correct. So, you know, what is a fair
hypothesis to state that electric systems
are more targeted than others, potentially?
And that's probably accurate, just anecdotally.
But I think a lot about the visibility problem we have in the community.
And we take a really large focus of victim-centric targeting
and victim-centric analysis, which is good,
but it also leads to an over-focus on specific industries.
And when we first started getting into mining as an example,
as a company, we were like,
okay, let's have some intelligence requirements
as it relates to mining threats.
Maybe within the next year we'll find some.
And I want to say three weeks into searching,
we found our first threat group targeting mining industry.
We're like, oh, well, interesting.
And so I do think the number of OT-specific cyber threats are much larger than anybody would imagine.
And I think our viewpoint right now
is especially energy and especially Western-focused.
As you start finding more entities
that are doing monitoring and visibility and hunting and similar inside
of African state sites, Latin American sites,
mining and rail at similar sites, you're going to
start learning about more of these threats and find out that many of them have been there for
a decade plus, not just relatively new.
Rob Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Harup Rakesh, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yellen, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
... where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.