CyberWire Daily - Lazarus Group in India. Suspected Chinese APT uses fake Narrator. Fleeceware. DNI testimony. TalkTalk hacker charged in US. Yahoo breach compensation. Chameleon spam campaign.
Episode Date: September 26, 2019
North Korea’s Lazarus Group is active against targets in India. A “suspected Chinese advanced persistent threat group” is exploiting a Windows accessibility feature. Sophos warns of “fleeceware.” US DNI testifies before the House Intelligence Committee. The TalkTalk hacker and an alleged accomplice are indicted on US charges. What’s involved in receiving compensation in the Yahoo breach settlement. And notes on the Chameleon spam campaign. Jonathan Katz from George Mason University with an overview of salting and hashing. Guest is Greg Martin from JASK on DOJ’s efforts to improve outreach with hackers. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_26.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
North Korea's Lazarus Group is active against targets in India.
A suspected Chinese advanced persistent threat group is exploiting a Windows accessibility
feature. Sophos warns of fleeceware. U.S. DNI testifies before the House Intelligence Committee.
The TalkTalk hacker and an alleged accomplice are indicted on U.S. charges
and notes on the Chameleon spam campaign.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 26, 2019.
Pyongyang's operators have turned up again in South Asian networks.
Researchers at the Kaspersky security firm say they've found renewed campaigns by Dtrack and the related ATMDtrack in India. Both have been associated with North Korea's Lazarus Group. The objectives
are familiar, a combination of espionage and direct theft. Kaspersky says the operations
are using variants of code that go back at least to the DarkSeoul campaign of 2013.
The Lazarus Group, recently the subject of increasingly stringent U.S. sanctions,
has been widely accused of engaging in cybercrime to shore up North Korea's struggling finances.
BlackBerry Cylance has released its study of a suspected Chinese advanced persistent threat group
that's using the open-source PcShare backdoor modified
for sideloading by a legitimate NVIDIA application. Once established, the attackers run a version of
the Narrator ease-of-access application, Fake Narrator, to achieve system-level access.
The APT is interested in exfiltrating sensitive data, conducting reconnaissance,
and moving laterally across networks.
The researchers see some possible connection with the Tropic Trooper threat actor, a group that's been mostly active against targets in Taiwan and the Philippines, but they carefully
avoid firm attribution.
The MITRE ATT&CK list describes Tropic Trooper as an unaffiliated threat group.
It's known to have been active since 2015.
Sophos calls it fleeceware. They're referring to Android apps that provide functionality freely
available elsewhere, and that then hit users with big fees after expiration of a trial period,
should the users miss some hoops in their cancellation of the app. Why aren't these
simply another instance of potentially unwanted
programs? Sophos says they occupy a kind of gray area. The apps aren't malicious, and they offer
some genuine functionality, but it's functionality that's available either cheaply or freely
elsewhere. It's customary in the Play Store ecosystem to make apps available to users free
for a defined trial period. Normally, if the users don't cancel the app at the end of the trial,
they'll be charged the few dollars the app cost.
The apps Sophos is talking about don't charge just a couple of bucks.
They take hundreds from the user.
So, use free trials with caution.
When I was a kid growing up near Fort Meade,
the parents of some of my schoolmates had jobs they couldn't talk about.
If you asked them what they did for a living, they would say, I work for the government,
with a tone that let you know the conversation was ending right there.
And of course, for decades, the running joke was that NSA stood for no such agency.
Well, times have changed. NSA has an Instagram page. And they and the Department of Justice are actively competing for the best cybersecurity talent out there.
It's been a remarkable shift to see. Greg Martin is CEO of cybersecurity company JASK,
and he shares these insights on the change. If you go back to the early 90s, a lot of the DOJ early work with hackers was around arresting them and then working with those arrested individuals who are caught either hacking or involved in some type of cyber crime or cybersecurity scheme and turn them into, you know, either informants or pseudo FBI agents to essentially work on their
behalf. Did we reach a point where there was collaboration or was there a healthy tension
between them? Was there mutual respect? How would you describe it? Yeah, well, it was very much like,
you know, the catch me if you can story, if you recall. But, you know, I think what happened is that
cybercrime grew to be such a huge issue that I think that tactic of trying to convert would-be
hackers into good guys just faded over time with the surge in cybercrime, the amount of attacks,
and the fact that many of them were emanating from outside the country. They really had to start working on new programs.
Today, the Department of Defense and the DOJ have taken huge strides to try to change
their interaction with the hacker community.
One of the big things that you can point to is last year, the DOD released this Hack the
Pentagon, which is a crowdsource bug bounty where they were inviting hackers from anywhere in the world to find vulnerabilities in government and DOD systems.
Now, this is a huge departure from how we did things in the past, where if you hacked into a government website, well, you could expect that the FBI would be knocking on your door and it would not be a very good outcome for that individual, whether they had good intentions or
not. Well, this has totally changed in the past year. Does the DOJ find itself at a disadvantage
compared to private industry when it comes to being able to provide, for example,
salaries in the competitive market? Yeah, I mean, that's been a
huge issue. So the DOJ has a very capable cyber program, but I think talent is the big issue that
they struggle with. So part of it is the culture and the mission is what they've used and focused
on to attract people. You know, do you want to go out and, you know, catch bad guys? Do you want to
keep people safe? Do you want to keep our government safe? You know, this is something
that has attracted a lot of people out of college who have, you know, cybersecurity skills.
Unfortunately, when those individuals are looking at an offer from a Facebook or a Google,
for sometimes double the amount of money that they would get at an upper
level salary in the U.S. government, you know, it makes it a very hard task for the government to
be able to compete. And that's going to remain a challenge. What about from a marketing and PR
point of view of the public perception that working in a government situation is going to
be something desirable, that they have unique things to offer that you might not find out in industry?
Yeah, absolutely. You know, I've been through some of that myself in my career and background,
and I have lots of friends that have started cybersecurity companies, and they came from
NSA and groups like the TAO program, where they're out, you know, doing offensive hacking
for the government.
I think it's an incredible experience. And it's, you know, a way that you can serve your country without holding a gun in your hand. And I think it's going to remain very attractive for people
to come. And I think it's, it's a cool way for folks to start their career if they have an
interest in cybersecurity, and they're coming out of college. I think working for DOD, working
for DOJ or NSA on cybercrime, I think it's a huge opportunity.
Yeah, it really is an interesting shift, isn't it? I mean, both culturally, but also,
I suppose there are lots of practical things that they have to deal with as well. You know,
like you mentioned, some of the things that previously would have been prohibitions might have kept you from getting a clearance.
Perhaps they have to ease up on some of those requirements.
Yeah, absolutely.
One of them is marijuana use.
I think if you're going to hire the top hackers in the world, you have to lower your bar a little bit in some of those areas.
But I think all in all, the government is improving in their way that they interact with the hacker community. I think they're trying very hard. And look, this is out
of necessity. We are really fighting a losing battle every day. And I think that if we don't
take some radical steps to try to change and really recruit the top talent to get ahead,
you know, it's really a national security issue at this point.
That's Greg Martin. He's CEO of cybersecurity company JASK.
Acting U.S. Director of National Intelligence Maguire testified this morning before the House
Intelligence Committee concerning a whistleblower's complaint concerning U.S.-Ukrainian
presidential interactions. The complaint centers on a phone conversation
between U.S. President Trump and Ukrainian President Zelensky, its contents and subsequent
classification. Much of the discussion centered on whether the complaint of the whistleblower,
whose identity is being properly protected, was disclosed to Congress as expeditiously as the law
requires. The transcript of the conversation has been duly released.
Acting DNI Maguire has said, in response to questions from Representative Hurd,
Republican of Texas, that great power competition has largely moved to cyberspace.
We'll see how the matter develops and what implications it might have
for cybersecurity in particular.
We send out a bravo to Emsisoft and Kaspersky,
who have released decryptors for WannaCryFake,
Yatron, and FortuneCrypt ransomware.
Emsisoft took care of WannaCryFake,
Kaspersky's decryptors work against Yatron and FortuneCrypt.
A British teenager who was convicted of the TalkTalk hack
and received a sentence of 20 months is expected to face U.S. charges as well.
Elliott Gunton, who's still only 19, was indicted on U.S. federal charges related to fraud and aggravated identity theft.
The indictment also charges Anthony Nashatka, a U.S. citizen. The two are alleged to have defrauded customers of the EtherDelta cryptocurrency exchange by redirecting customers to a bogus version of EtherDelta's site where their account
credentials and private keys were stolen. Finally, security firm Trustwave's SpiderLabs
is tracking a spam campaign, Chameleon, that's shown the changeable appearance of its namesake.
The messages it sends use randomized headers,
the templates are also frequently changed,
and the links, if you follow them,
which of course you shouldn't,
move through frequent redirections.
SpiderLabs says that the messages look like phishing,
but in fact, they generally don't seem to be that at all.
The subject lines will be familiar.
Remember me? I'm your ex-colleague.
Or, hi, do you need a job?
Well, hey, who doesn't?
Or the ever-popular variations on critical security alert.
This is why the apparent failure to deliver a typical hook inside the phish bait is curious.
The ultimate direction of all the redirections has generally been equally familiar,
either bogus Canadian pharmacy pages,
because of course it's a known fact on the internet that you can get Viagra without a
prescription in Saskatoon, or so I'm told. Or, wait for it, sites that will show you how to get
rich with Bitcoin. Trustwave says on their blog that they'll be keeping an eye on Chameleon.
In the meantime, don't take the phish bait.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
Look at this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with BlackCloak.
Learn more at blackcloak.io.
And joining me once again is Jonathan Katz.
He's a professor of computer science at the University of Maryland
and also director of the Maryland Cybersecurity Center.
Jonathan, welcome back.
I wanted to talk today about hashing emails
and this whole notion that hashes can be reversed and kind of the where
does hashing leave us when it comes to actually providing any sort of privacy or anonymity? Can
you give us a little lesson here? Hash functions actually are ubiquitous now. They're used in all
kinds of applications. I think what you're referring to is hashing email addresses as a way to provide
some kind of pseudonymity or anonymity for individual users. And the interesting thing
about these hash functions is that a well-designed cryptographic hash function is actually supposed
to be non-invertible, meaning that if I hash some value and then present you the output,
you should not be able to figure out from the output what
the input was. Now, the problem with that is that it's true that these hash functions are
uninvertible, but anybody can compute them. They're not keyed. They're not like encryption schemes.
And so anybody, they're public algorithms. Anybody can go ahead and evaluate them.
And so the problem is that even though the hash function itself is uninvertible,
an attacker who's presented with a hash output but knows that the input was chosen from a small set of possibilities
can enumerate over all the possibilities, compute all the hashes, and then find out
which one corresponds to the output it was given. So if someone knows what my email address is,
they could somehow align that with a hash of it and then use that to track me around the internet, for example?
Well, exactly.
So, I mean, to take the simple example like you were mentioning,
if I hash your email address and give it to somebody,
just by looking at that value,
they have no way to tell that it corresponds to your address.
But if they wanted to verify whether it did indeed correspond to your address,
all they would have to do is compute the hash of your email address themselves
and then check whether the output matches. These hash functions are deterministic.
They always give the same output when run on the same input. And so that would allow them to verify
that this value did indeed correspond to a hash of your email address. Now, in a more general
scenario, one way to see this, for example, is to consider what would happen if somebody presented
you with a hash of somebody's social security number. So a priori, you don't know that person's social security number. You'd have no way
to verify whether the output you got really corresponded to their social security number or
not. But on the other hand, social security numbers are only nine digits long. And so somebody could
enumerate over all possible nine-digit social security numbers, hash each one of those,
and then see which of those hashed results corresponded to the value they were given.
And in that way, they could essentially end up reversing the hash value they were given and de-anonymizing that particular individual.
And the same thing would apply to email addresses as well.
I saw an estimate recently that the number of valid email addresses is on the order of
about 5 billion.
And so hashing all 5 billion of those possible addresses and seeing what those hash values corresponded to
would allow you then to de-anonymize a hash value that you were presented with.
Now, is this a matter where once you've reversed one hash, does it get quicker or easier
as you go? Does each one you sort of decode make it a little easier to do the next one?
Or is there a randomness built in? No, actually, it's not the case. So these hash values are all
essentially independent. And so figuring out the value that corresponds to one person's hash
doesn't necessarily help you with the other one. But if you think about it, though, if I give you,
if you're given two different hash values, and in the process,
let's say, if we go back to the social security number example, if in the process of hashing
all those nine digit social security numbers, you're going to end up finding both of those
values. So in essence, the work that you're doing in hashing all those SSNs is going to allow you
then to actually end up inverting all those hash values. So from that point of view,
you can amortize the work and basically figure out everything in one go.
Right, right. I guess the total set of possible numbers decreases each time you get one.
Well, it's basically you're doing everything. And so once you do everything, you can break anything.
So given that this is the case, what are people doing to mitigate this possibility?
Well, you have a similar situation that comes up with hashed passwords.
So very often servers will store hashed passwords of the users on their site.
And you run into the same sort of problem because if a server stores the hash of somebody's password
and an attacker might guess, let's say, that that password is an eight-character password,
they can enumerate over all possible eight-character passwords
and then figure out what your password was after being given your hash.
And so one thing that you can do to kind of make it harder for the attacker
is to make sure that the work they invest in figuring out one user's password
is not going to be of any benefit to them in figuring out another user's password.
And the technique that's done to ensure that is called salting.
So what you do is you basically pick a
random salt per user, a random value for every user, and you compute the hash of the user's
password along with the salt value that you've chosen. And this means that the attacker can still
do the same kind of a brute force attack like before, but now it's going to have to be hashing
all possible passwords along with one particular user's salt. And that's not
going to help it figure out the password that results in the hash involving another person's
salt. And so this makes it just harder for the attacker. It doesn't make it any harder to crack
one user's password, but it means that now they have to spend the same amount of work to crack
each user's password at the server. Well, as always, thanks for explaining it to us.
Jonathan Katz, thanks for joining us.
Thank you.
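The two points Jonathan Katz makes in the segment above, that an unkeyed, deterministic hash of a small input space can be reversed by enumerating the space once and reusing the table for every digest, and that a per-user random salt removes that reuse, can be shown directly in code. The following Python is an added example written for this page, not code from the CyberWire, Kaspersky or any product discussed; it uses a constructed toy domain of 4-digit PINs (10,000 values) in place of social security numbers or email addresses, and counts hash evaluations so the amortization effect is visible.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed toy input space: every 4-digit PIN. It stands in for any
# low-entropy identifier (SSN, email address) that an attacker can enumerate.
DOMAIN: List[str] = [f"{i:04d}" for i in range(10_000)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted(secret: str) -> str:
    """Plain hash: public algorithm, no key, deterministic."""
    return sha256_hex(secret.encode())


def salted(secret: str, salt: bytes) -> str:
    """Hash of a per-user random salt concatenated with the secret."""
    return sha256_hex(salt + secret.encode())


def verify_guess(digest: str, guess: str) -> bool:
    """Determinism lets anyone confirm a guess: hash it and compare."""
    return unsalted(guess) == digest


def invert_unsalted(digests: Iterable[str], domain: Iterable[str]
                    ) -> Tuple[Dict[str, Optional[str]], int]:
    """Enumerate the domain ONCE, building digest -> input.
    That single table inverts every unsalted digest presented later.
    Returns (mapping of digest -> recovered input or None, hash evaluations)."""
    table: Dict[str, str] = {}
    work = 0
    for v in domain:
        table[unsalted(v)] = v
        work += 1
    return {d: table.get(d) for d in digests}, work


def invert_salted(records: Dict[str, Tuple[bytes, str]], domain: Iterable[str]
                  ) -> Tuple[Dict[str, Optional[str]], int]:
    """records: user -> (salt, digest). Each distinct salt forces a fresh
    enumeration of the whole domain; nothing learned for one user carries over.
    The full domain is scanned for every user so the cost comparison is exact."""
    found: Dict[str, Optional[str]] = {}
    work = 0
    for user, (salt, digest) in records.items():
        found[user] = None
        for v in domain:
            work += 1
            if salted(v, salt) == digest:
                found[user] = v
    return found, work


def demo() -> Dict[str, object]:
    # Constructed users and secrets.
    users = {"alice": "4821", "bob": "0073"}

    # Unsalted: one table recovers both secrets at the cost of one pass.
    digests = [unsalted(s) for s in users.values()]
    recovered, unsalted_work = invert_unsalted(digests, DOMAIN)

    # Salted: a 16-byte random salt per user (os.urandom is a CSPRNG).
    records = {u: (salt, salted(s, salt))
               for u, s in users.items()
               for salt in [os.urandom(16)]}
    salted_found, salted_work = invert_salted(records, DOMAIN)

    return {
        "unsalted_recovered": [recovered[d] for d in digests],
        "unsalted_work": unsalted_work,        # 10000, regardless of user count
        "salted_recovered": salted_found,
        "salted_work": salted_work,            # 10000 per user: 20000 here
        "salts_differ": records["alice"][0] != records["bob"][0],
        "guess_verified": verify_guess(digests[0], "4821"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both attacks succeed against a 10,000-value domain; salting does not make an individual user's hash harder to reverse, exactly as Katz says. What changes is the work curve: the unsalted table costs one pass however many users there are, while the salted cost grows linearly with the number of users. For secrets that genuinely are low-entropy, salting must be combined with a slow, memory-hard password hash (for example Argon2 or scrypt) so that each pass over the domain is itself expensive.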
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.