CyberWire Daily - Labour Party reports a cyberattack. What the Lazarus Group is up to. Platinum adds a quiet backdoor. Buran competes on price. PCI DSS compliance falling. Ahoy, Yantar.

Episode Date: November 12, 2019

The UK’s Labour Party says it was hacked, but unsuccessfully. The Lazarus Group seems to be back out and about, and apparently interested in India. The Platinum threat actor continues to prospect Southeast Asian targets with stealthy malware, and a new backdoor. Buran tries to take black market share in the ransomware-as-a-service souk. Paycard standard compliance is down. And is that a spy ship we see, or are you just looking at the seabed, all for science? Joe Carrigan from JHU ISI with browser vulnerabilities in Chrome and Firefox.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The UK's Labour Party says it was hacked, but unsuccessfully. The Lazarus Group seems to be back out and about and apparently interested in India. The Platinum threat actor continues to prospect Southeast Asian targets with stealthy malware and a new backdoor. Buran tries to take black market share in the ransomware-as-a-service market.
Starting point is 00:02:16 Paycard standard compliance is down. And is that a spy ship we see, or are you just looking at the seabed? All for science. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 12, 2019. The United Kingdom will hold elections on December 12th, and this morning the Labour Party said it had sustained what it characterized as a sophisticated and large-scale cyber attack. That attack failed, Labour says, thwarted by the cyber defenses the party had put in place, and that it's referred the matter to the National Cyber Security Centre. North Korean cyber operations received renewed attention from both the U.S. and India since late last week. U.S. Cyber Command posted seven malware samples to VirusTotal. The malware is associated with Hidden Cobra, the Lazarus Group, and Cyber Command says they've
Starting point is 00:03:19 been used for fund generation and malicious cyber activities, including remote access, beaconing, and malware command. Financial crime in particular has been characteristic of Pyongyang's cyber operations, and so the motive here, fund generation, is a familiar one. The motives in the other suspected North Korean attacks are less clear. Reports continue to link North Korean cyber operators to recent incidents at India's Kudankulam nuclear power plant. What the Lazarus Group was after, assuming the attribution that's being widely circulated in the press holds up, remains unclear. As ZDNet pointed out two weeks ago, the operation could have been espionage, reconnaissance, staging, or simply collateral damage from
Starting point is 00:04:05 some other campaign. In any case, Indian authorities continue to reassure the public that only administrative systems and not control systems were affected by the Dtrack malware found at Kudankulam. More curiously, ISRO, the Indian Space Research Organisation, was also warned of a Dtrack infestation believed to be of North Korean origin. The warning arrived during the space agency's Chandrayaan-2 lunar mission, which failed when controllers lost contact with the spacecraft during its September 6th landing attempt. Again, the motive for attack is unclear,
Starting point is 00:04:42 as is the effect, if any, it might have had on the flight. ISRO has been relatively tight-lipped about the cause of the lander's failure. It is, we should note, the landing that failed. Chandrayaan's lunar orbiter is up and working, sending data back to ISRO's ground station. Bleeping Computer reports that the threat actor Microsoft tracks as Platinum is using a new stealthy backdoor. Following its preferred metallurgical conventions, Microsoft calls the backdoor Titanium. Platinum is usually described as a shadowy group, probably criminal, that operates against targets in South and Southeast Asia. Its usual sectors of interest, according to Microsoft, are governmental organizations, defense institutes,
Starting point is 00:05:31 intelligence agencies, diplomatic institutions, and telecommunication providers, which is an unusual target set for a purely criminal organization. Titanium is installed in a multi-stage process that includes several forms of obfuscation, representing itself variously as security software, audio drivers, or DVD burning tools. McAfee researchers note that Buran, a Russian-speaking gang offering a variant of Vega Locker ransomware, is competing in the ransomware-as-a-service market by cultivating customer relationships and offering competitive discounts. So, the black market sees marketing techniques familiar in legitimate markets.
Starting point is 00:06:13 Buran, which means blizzard in Russian, is advertised as an attack tool that can't be used against the Confederation of Independent States, that is, against a group of nine countries that were formerly Soviet republics. The Confederation of Independent States was a Russian attempt to create an analog of the British Commonwealth, but not all former Soviet republics are members. In any case, Buran's marketing seems on this point to be disingenuous. Buran does indeed check to see if a machine is in Russia, Belarus, or Ukraine, and if the malware finds that this is so, it simply exits.
Starting point is 00:06:49 But that leaves out seven Confederation members, and Ukraine, while a founder of the CIS, has never been a member. And the discounting? Most ransomware-as-a-service controllers take 30-40% of their affiliates' earnings. Buran is content with a modest 25%. SmarterASP sustained a ransomware attack late Sunday, posting status updates to its site and Facebook pages. The hosting service tweeted over the weekend that its first priority is restoring its data servers. As of yesterday, SmarterASP
Starting point is 00:07:26 said that it had recovered some 95% of its servers. The company has been reassuring its customers that their data will be decrypted, and it's asked them for their patience. Verizon has issued its 2019 Payment Security Report. It's not particularly encouraging. Taking compliance with the Payment Card Industry Data Security Standard as a rough index of payment security health, Verizon finds that compliance peaked in 2016 and has been falling off since. And that's just compliance. As good as the PCI DSS is, and as important as it is to comply with it, compliance isn't sufficient for security.
Starting point is 00:08:10 Verizon points out that many organizations seem to think that they can follow a step-by-step recipe to protect data, but unfortunately, quote, In the real world, solutions are not simple, requiring complex paths with non-linear progression, end quote. And to judge by falling compliance rates, they're not even following the recipe particularly well. And finally, a Russian Navy vessel, the Yantar, has appeared in the Caribbean a few months after dropping off open-source ship tracking systems.
Starting point is 00:08:40 The Russian Navy carries Yantar on its books as an oceanographic research vessel operated by the Main Directorate of Deep-Sea Research. Like the way the old U.S. Glomar Explorer was engaged in deepwater mining of manganese nodules, any, say, Soviet missile submarines it might or might not have picked up were just so much gravy. Forbes and others call that oceanographic research stuff a euphemism and say that Yantar's stock-in-trade actually consists in deploying and servicing undersea sensors and, of more interest probably to you,
Starting point is 00:09:16 placing taps on undersea cables. Whatever she was up to, suspicious eyes see some sort of search pattern. But we hope the crews enjoy the trip. Trinidad and Tobago are lovely this time of year. Or so we hear. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
Starting point is 00:09:50 winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Starting point is 00:10:52 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached.
Starting point is 00:11:42 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back. Hi, Dave. I've got a couple of browser issues to talk about today. Yeah, last week was a big week for browser bugs. Yeah, well, get us started here.
Starting point is 00:12:14 Where do we want to begin? Well, let's start with Firefox. All right. Because that's the one that is still a problem as of this recording. So there is a bug that is being exploited in the wild in Firefox that allows a developer or, you know, a malicious developer to lock up the browser and make it so it doesn't work. So it's being exploited right now in the field by scammers. These are tech support scammers. They will display a web page that says, I love the wording on this web page. It says,
Starting point is 00:12:44 please stop and do not close the PC. The registry key of your computer is locked. But that's not how registry keys work, right? That's not how any of this works. Right, exactly. It's a big pile of techno mumbo jumbo designed to scare and confuse people. Right, and then they ask you to call in to a support phone number. Exactly.
Starting point is 00:13:05 They ask you to call in. You cannot close the browser through any of the standard interfaces. You actually have to go and force quit the browser through your operating system. Right. And then when you load the browser again, if you have restore tabs on, which I actually do have restore tabs on in my browser. Yeah. In Firefox, by default, that's disabled.
Starting point is 00:13:25 You're back in the same boat because the web page loads again. Now, Ars Technica says that you have to close it quickly, right, before it has a chance to load. But you can also just disconnect from the internet, disconnect from your network, turn your Wi-Fi off or pull the network out, and then go ahead and load the browser and wait for it. It won't find any pages, and then you can just close the page before it loads. And then reconnect to your network and you're good to go.
Starting point is 00:13:49 So there is a workaround. Firefox is, the Mozilla project is aware of the problem and they're working on a patch for it right now to fix it. This is cross-platform? It is cross-platform. This one works on Windows and Mac versions of this browser. Yeah. Yep. All right.
Starting point is 00:14:05 Well, there's another one, some news about Chrome. This is a big one about Chrome, and you should update your Chrome right away. Kaspersky Labs found this was being exploited in the wild. This was a zero day that nobody knew about. This is the perfect example of why zero days are so bad. When someone visited a site, if the site has this malicious script on it, it would be a third-party script. It would load to see if the machine was worth attacking, according to this article on Tom's Guide.
Starting point is 00:14:30 Once it was determined, the malware would download to the machine and check again to see if you were running Chrome version 76 or 77 and on a Windows box. And then if it was, it would try to exploit the machine. Now, I don't know if the bug is specific to the Windows version of Chrome. It's not really clear. But they have patched for all the operating systems. And you can see the little upgrade arrow in the Chrome window where the menu normally is. I recently upgraded my Chrome because that was a little red arrow that came up. It said, hey, this upgrade is kind of important.
Starting point is 00:15:05 So Chrome does a good job. Google does a good job of keeping their browser up to date. Do you generally keep auto update on with something like Chrome? I do. I generally do. Yep. And Firefox as well. I use Firefox.
Starting point is 00:15:18 The problem is a lot of times you have to restart the browser in order to get those updates to go. And I keep my browsers open frequently. Yeah. For long periods of time. Yeah. So, when it's Chrome, you do actually have to go through and update it. You have to click the little arrow, it will shut down
Starting point is 00:15:33 and open back up. Alright, so there is a patch for this Chrome issue. There is a patch for the Chrome issue. Still waiting on Firefox. And it will be quick, I'm sure. Yeah. Alright, good information. Go out there and make sure you're running the latest versions. And if you're using Firefox, be cautious until that patch comes out. Right.
Starting point is 00:15:51 All right. Joe Carrigan, thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:16:18 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Thank you. We'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
Starting point is 00:17:31 We'll see you back here tomorrow. Thank you. to innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
