CyberWire Daily - Lazarus Group interested in thorium reactors? Disinformation by phishing. ZeroCleare wiper in the wild. NATO addresses cyber conflict. NotPetya litigation. Black market takedown.
Episode Date: December 4, 2019
North Korea's Lazarus Group may have been looking for Indian reactor design information. A possible case of Russian influence operations, served up by phishing, is under investigation in the UK. The ZeroCleare wiper malware is out and active in the wild. NATO's summit addresses cyber conflict, and a big NotPetya victim challenges insurers' contentions that the malware was an act of war. And an international police action takes down a black market spyware souk. Michael Sechrist from Booz Allen Hamilton on security concerns with messaging apps like Slack. Guest is Roger Hale from YL Ventures on the changing role of the CISO when it comes to managing risk. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_04.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
North Korea's Lazarus Group may have been looking for Indian reactor design information.
A possible case of Russian influence operations served up by phishing
is under investigation in the UK. The ZeroCleare wiper malware is out and active in the wild.
NATO's summit addresses cyber conflict and a big NotPetya victim challenges insurers' contentions
that the malware was an act of war. And an international police action takes down a spyware black market.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 4th, 2019.
The incursions into networks belonging to India's space program and its nuclear power
sector are generally thought to be the work of North Korean operators belonging to the Lazarus Group.
In neither case are they believed to have affected control systems, but instead to have
concentrated on administrative networks.
There haven't been any particularly strong accounts of what Pyongyang was after, but
now, according to the International Business Times, there's some reason to believe they
were interested in obtaining design information for thorium reactors. Another accusation of Russian government
phishing has surfaced during the run-up to the British elections. In this case, the report
originates with the Labour politician and candidate Ben Bradshaw, whom The Guardian describes as a
frequent critic of Moscow's influence operations. Bradshaw says he received email from someone calling himself Andrei,
who claimed to be a whistleblower inside Russian President Putin's administration.
The email's attachments purported to describe Russian disinformation operations,
including fake news operations,
and much of the information in them appears to be accurate.
They describe disinformation cells, but upon further review, they appeared possibly malicious.
Labour and the Conservatives have been sniping over the handling of Russian influence operations.
Andrei, representing himself more or less as a westernized good government type
with strong internationalist sympathies
he deplored Brexit and was himself a never-Trumper,
said he was disturbed by Moscow's policies
and the consequences they've had on Western civil society.
So he's a whistleblower who wants nothing but the best.
That message seems crafted to resonate with a Labour candidate,
but Mr. Bradshaw wasn't buying.
Bradshaw had them inspected by a security company
who confirmed
that at least two of the documents contained malicious code. The NCSC, that is GCHQ's National
Cyber Security Centre, is investigating and presumably will comment in good time.
IBM researchers describe a new destructive wiper, ZeroCleare, which is active in the wild against
energy sector targets in the
Middle East. IBM regards it as likely that ZeroCleare, which in some respects resembles Shamoon,
is being deployed by Iranian state actors. As their report puts it, quote,
Taking a page out of the Shamoon playbook, ZeroCleare aims to overwrite the master boot record
and disk partitions on Windows-based machines. As Shamoon did before it, the tool of choice in the attacks is EldoS RawDisk,
a legitimate toolkit for interacting with files, disks, and partitions.
Nation-state groups and cybercriminals frequently use legitimate tools
in ways that a vendor did not intend to accomplish malicious or destructive activity.
IBM also sees wiper attacks,
attacks that aim at the destruction of data,
as a rising trend.
Criminals have been seen using them for extortion or for punishment upon victims' failure to pay.
But nation-states have been using them
to achieve military objectives,
often in the deniable way favored in hybrid war tactics.
One note in their report serves as a healthy reminder
that attackers too have their problems.
ZeroCleare originally came in two versions,
one for 32-bit Windows architecture,
the other for 64-bit systems.
The 32-bit flavor, it turns out, didn't work.
It caused itself to crash when it tried to access
the EldoS RawDisk driver before it began the wiping process.
YL Ventures is a venture capital organization focused on Israeli startups.
Roger Hale recently joined them as their CISO in residence,
helping provide his insights as an experienced CISO to the VCs,
but also giving the startups looking for funding valuable information as well.
I really feel that this is that next step.
I've been, I'm a multi-CISO.
I've been a CISO more than once
for companies and high-tech companies in Silicon Valley.
But this opportunity is to look at what YL Ventures does
as a venture capitalist company
because they do incubation and seed round.
So this isn't like a series D or an E
where you're providing the monies
to allow a company to grow and expand.
This is really incubating and building that company up.
And in that process,
when you're looking at building that new tech,
and in YL's case, cyber tech,
getting that direct feedback
and understanding what's critical to the operation
of cybersecurity to protect a company,
I feel is a large step up.
But as a CISO coming in and listening to new startups and as they're telling us about the
great tech, you know, my challenge has always been to help them understand or tell them
what's important to me as a CISO, as an operator, and be able to bring those features into their
technology development, not just the next cool thing, but being able to provide
technology that does what we need it to do. Is there a particular pattern that you see
with startup companies? Are there things that, words of wisdom and tips that you find yourself
sharing with those companies at that stage over and over again?
So the interesting thing is, the first thing on that
is the technology wins, seems to be the expectation, where the real winner here is,
can the technology actually solve the business problem I'm trying to solve for? Because the
evolution of the CISO has gone from being an incredible technologist and being able to protect your perimeter, protect the data,
to now looking at how do we actually provide secure access to the data to assure the data is used the
right way while still allowing the business to be able to use the data the way they need to use it
to keep the competitive advantage. So the same thing from the startup side is you have a great
idea. You know how to protect this data. You know how to assure the integrity of that data, but I have to be able to implement this
and still allow people access to it. And so that conversation is you may have the best tech in the
world, but if I can't implement it, if it doesn't integrate into what I'm doing, I can't buy it.
And so that's one of those first things. The second thing is when you're having these discussions with people, you really need to understand what's most important.
And in many cases, it's not just the tech, but it's how the tech can be implemented and how the tech can be sustained and maintained.
I wonder, too, I mean, is there an element of
the cobbler's kids having no shoes? With startups, I think very often they're running at such a high
velocity. I can imagine that their own security can be something that it's easy to overlook or
back burner while they're busy building that company. Oh, great point. Great point. Because
they are, they're focused on the tech and this is what they're so good at is focusing on that tech.
And this is the difference between building technology and being able to implement technology
into an enterprise company, because there are those levels of assurance, you know, third party,
fourth party assurance of what are you doing with the data that you're collecting or that's flowing through your systems?
Are you managing this in the appropriate manner?
And are you allowing your customers to continue to maintain ownership of their data in that
process?
And so this is the age-old problem of technologists want to build technology, and then all of
a sudden we look at security at the end, and they try to bolt it on at the end.
It costs 3x and three times as long to do that. It's the same thing in the startup world.
If we start and look at doing things from a security framework, from looking at what type
of assurance based upon what's your industry model that you're going after, who's your target
audience, who's your target customers, and meeting their assurance needs, their data privacy and data protection needs,
then you're building this into a secure SDLC process that provides that trust and allows companies to acquire your software,
subscribe to your software, your service faster and earlier in the process.
That's Roger Hale. He's the CISO in residence at YL Ventures.
The NATO meetings this week are addressing many issues, but two are of particular interest to the
cybersecurity sector. First, Deutsche Welle reports that the Atlantic Alliance is, for the first time,
formally recognizing that Chinese military capabilities represent a significant challenge
to NATO's members. The alliance's Secretary General
Jens Stoltenberg put it this way yesterday, quote, we have now of course recognized that the rise of
China has security implications for its allies, end quote. Prominent among those implications are
the security dimensions of Chinese interest in 5G technology and how that country's position in the
IT hardware markets positions it to wield significant power as an equipment vendor.
Second, NATO continues to wrestle with an appropriate response to cyber operations.
Not only are such operations readily deniable and usually difficult to attribute,
but they represent a problem as NATO tries to deal with adversaries working below the threshold of armed conflict.
And even when that threshold is reached, it remains unclear how or when the alliance should invoke Article 5, its central collective defense provision.
Cyberwar has implications for the private sector as well.
Many insurance policies have war clauses that exclude payment for damages sustained as a
result of combat.
These have particular importance for cyber insurance because of the difficulties surrounding
attribution and because of the increased use of cyber weapons in hybrid war.
One such case is now being litigated in a U.S. court.
Big Pharma giant Merck is wrangling with its insurers over the $1.3 billion in losses the company incurred as the result of the NotPetya infestation it suffered on July 27, 2017.
The insurers have balked at paying because it appears that the NotPetya attack, generally and credibly attributed to the Russian government, may have amounted to an act of war.
The malware was initially deployed as part of Russia's hybrid war against Ukraine, but spread rapidly to targets elsewhere in the world.
The matter is now being litigated, Claims Journal reports, in a Union County, New Jersey, court.
And finally, congratulations again to the law enforcement agencies
involved in the takedown of the Imminent Methods spyware black market.
The Australian Federal Police led the international effort
to shut down the sale of the market's principal product,
the Imminent Monitor Remote Access Trojan, also known as IM-RAT.
This spyware could be had for as little as $25,
and more than 14,000 buyers are said to have sampled Imminent Methods' wares.
In all, police executed 85 warrants,
seized more than 400 items in the gang's possession,
and arrested 14 people. And in taking down the site, they also disabled the spyware,
so those who bought it won't be able to use it. And that's a good day's work in anyone's book.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award
winning digital executive protection platform secures their personal devices, home networks,
and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Michael Sechrist. He's Chief Technologist at Booz Allen Hamilton,
and he also leads their Managed Threat Services Intelligence team. Michael, it's always great
to have you back. I wanted to touch today on some of these utilities like Slack that
corporations use for internal communications and some of the potential malware attacks
that can happen within those
types of services.
What do you have to share with us today?
Yeah, great.
Thanks for having me back.
We were attuned here at Booz Allen to a couple instances where a new backdoor malware was
used as a kind of command and communication C2 channel.
And the malware, which was identified by Trend Micro back in the, I believe it was the summer or early part of 2019, was named Slub, which basically was a variant of the Slack backdoor.
And this is a malicious backdoor that's used to, again, go outbound. It's very targeted internally. It's how it kind of identifies users, pulls them
into a private channel, pins messages to get the infected computers to execute commands,
and then potentially pass outbound communications through to a server or a node that's listening
outside your network. Yeah, it's interesting. I think for many of us who use these sorts of tools,
they almost fade into the background.
They become so much a part of your workday
that it's easy to not think of them
as even having a connection to the outside world.
Yeah, so I think also attackers understand that.
So they understand how prevalent
these type of new communication technologies are.
They understand that when there is sort of a newness in the industry, that it presents a potential opportunity for attackers to leverage.
attackers are going to be standing at the gates trying to figure out ways that they could leverage them into providing sort get captured and filtered back to a security team in an easy-to-evaluate way to look for suspicious and malicious events.
It also strikes me that tools like this, they tend to function at a high velocity.
People are responding to things in real time versus there's something like email where you might be, take a little more time to reflect on something,
not, not reply so quickly and in fact be trained to not reply so quickly to things.
With tools like Slack, I mean, you're pretty much chatting real time.
Yeah, that's correct. I mean, it just generates so much more data than we had prior. And there have always been
sort of instant messaging, you know, communications going back decades. But sort of the prevalence of
them, the ease of use, the ability to edit and delete messages that have been there for a long
time, prevents, it's obviously fantastic as a user, but it does provide avenues of attack that we hadn't seen prior.
So what are your recommendations in terms of best practices for teams that are using these kinds of tools?
So one is when you do have new platforms put in place to quickly make sure that your security teams are aware of those and working with the security teams at these companies to find
ways to gather the requisite information you need in the event that there's an incident
from one of these platforms.
That's kind of a level set.
That's very difficult to do.
I mean, there's so many new technologies that come in place.
But when these ones that come in place that are being used by all sorts of critical members
of your staff and
your enterprise are using them, you need to make sure that you also have ways to gather what you
need in the terms that they're used in an event. Now, it's also important to make sure that you're
profiling the risk of them. And that means having sort of a threat intelligence program that can
capture if there's new malware being used. In the case of Slack, there is this one called Slub, like I mentioned,
but there's others that affect all sorts of different platforms.
And to make sure that, okay, now I know that these communication platforms
are being targeted, how am I going to make sure that I'm looking
for the indicators of compromise that are associated
with the kind of attacks we're seeing?
How am I looking and using analytics to look for ways that they're using these attacks?
What are the new tactics, techniques, procedures
that are being used
and how they're going to be leveraged against us?
And then you could also use threat hunting
to look for things that haven't been used
but potentially could be against this profile.
There's whole sorts of red teaming options
that you could do
and how they could kind of provide avenues
of those attack internally.
And then just also working with the parties themselves to make sure that you're capturing, you know, what their best intelligence looks like that they're seeing.
And so that you can look for that in your log data.
All right. Well, Michael Sechrist, thanks for joining us.
Thanks so much.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time
and keep you informed.
Listen for us
on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing CyberWire team
is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilby,
and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.