CyberWire Daily - Leviathan group exploits patched .NET flaw. North Korean cyber ops. Russian suspicions. Cutlet Maker ATM malware, Sockbot Minecraft malware. Ransomware and backups.

Episode Date: October 19, 2017

In today's podcast, we hear about how a cyber espionage campaign exploits a recently patched .NET vulnerability as Leviathan phishes with torpedo recovery programs. What does Pyongyang want in cyberspace? Apparently a lot of the same things it wants in physical space. Some observers think Putin thinks the Americans started that whole destabilization and delegitimation influence ops struggle. He's probably wrong, but there you go. Cutlet Maker malware jackpots ATMs. BoundHook stealth tool demonstrated. Minecraft malware got into Google Play. Ben Yelin from UMD CHHS with a follow-up on President Trump's executive orders. Guest is Dinah Davis from Code.Likeagirl.io with an update on their activities. Ransomware's still a threat, and a New York judge thinks the NYPD didn't get the memo about the importance of backup. Thanks for listening to the CyberWire. One of the ways you can support what we do is by visiting our sponsors. We read Recorded Future's free intel daily, and we think you'll find it valuable, too. If you'd like to learn more about how small nuances in how artificial intelligence and machine learning are used can make a big difference, check out E8's white paper. Interested in the latest research in cyber security? Our new Research Saturday podcast highlights research being done in industry, universities, and governments. Hear from people who are discovering threats, uncovering vulnerabilities, and devising the security measures to keep cyberspace as safe as it can be. Check it out.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. A cyber espionage campaign exploits a recently patched .NET vulnerability as Leviathan phishes with torpedo recovery programs. What does Pyongyang want in cyberspace? Apparently a lot of the same things it wants in physical space.
Starting point is 00:02:10 Some observers think Putin thinks the Americans started the whole destabilization struggle. Cutlet Maker malware jackpots ATMs. We check in with Dinah Davis from codelikeagirl.io. The BoundHook stealth tool is demonstrated. Ransomware is still a threat, and a New York judge thinks the NYPD didn't get the memo about the importance of backups. I'm Dave Bittner in Baltimore
Starting point is 00:02:38 with your CyberWire summary for Thursday, October 19, 2017. A recently patched .NET vulnerability, CVE-2017-8759, is being exploited in the wild by a threat actor believed to be operating from China, possibly under Chinese government control. Most recently, Proofpoint has seen this threat group active against a U.S. research center and shipbuilding industry targets. Proofpoint is calling the cyber espionage group Leviathan. Leviathan is using torpedo recovery programs as their phish bait.
Starting point is 00:03:13 F-Secure last year observed the group's Nanhaishu malware deployed against Philippine targets. F-Secure hasn't attributed the activity to the Chinese government, but others perceive connections between the threat actor and attempts to advance Chinese interests in disputes over territorial waters in the South China Sea. Those disputes have been with many of the nations bordering what every country, save China, regards as international waters, but the Philippines have been particularly affected. What's North Korea up to in cyberspace?
Starting point is 00:03:44 By general consensus, little good. Writing in The Diplomat, two George Washington University experts, Frank Salufo and Sharon Kardashian, argue that Pyongyang's intentions must be understood in the context of that country's perceived self-interest. Why the ongoing involvement of the Lazarus Group with theft, most recently another bank heist? Salufo and Kardashian point out that North Korea's missile and nuclear ambitions are expensive and the country is cash-strapped. They also argue that the DPRK's development of a non-negligible cyber capability is an attractive tool the Kim regime can use to make up for its conventional military shortfalls. But, as always, attribution is murky.
Starting point is 00:04:27 Security firm Trend Micro, which does a great deal of work in East Asia, points out that North Korean computers are as hackable as anyone else's, and that they're susceptible to manipulation into false flag or simple criminal operations. So the caution is a useful one. A cyber Tonkin Gulf incident is as much to be deplored as a cyber Pearl Harbor. Still, all things considered, security specialists in government and out of it do well to keep a close eye on North Korea. Russian President Putin has long had a number of beefs with the United States, but apparently some diplomatic activity in January 2012 really set Mr. Putin off.
Starting point is 00:05:07 Specifically, the newly appointed U.S. ambassador to Moscow held some prominent meetings with dissident and opposition leaders. Reports indicate that Putin perceived the ambassador's meetings as the opening shots of an American campaign to destabilize the Russian government, with some observers dating the beginning of his strong interest in influence operations to that episode. The ATM malware Cutlet Maker is able to jackpot the cash machines. A video of what this looks like is available on Bleeping Computer. And Kaspersky has found it for sale in criminal markets for $5,000. Cutlet Maker comes bundled with a password generator
Starting point is 00:05:45 and an app that can tell the crooks what's inside the particular ATM they're working. With the ongoing shortage of qualified candidates for cybersecurity jobs, businesses struggle to attract and retain women and minorities to the industry. Dinah Davis is director of R&D at Arctic Wolf Networks and founder of codelikeagirl.io. Code Like a Girl describes themselves as a space that celebrates breaking down society's perceptions of women in technology. We check in with Dinah from time to time throughout the year for updates on the Code Like a Girl community. One of the hard things is always
Starting point is 00:06:22 talking about the hiring pipeline, right? There's even fewer women in security than there are women in tech. And how are we going to change that pipeline issue? And I think that like some positive things are we are seeing change there. Anecdotally, I'm sure we could go and get the data. But anecdotally, I am seeing more women graduate, more women being influential in the first couple years out of school. I think we still have a huge gap in the like 10 to 15 year experience. That's like where there was no recruitment done, focused towards getting more women in computer science. We have these amazing women from the 80s when we had higher rates of women in technology who were pioneers for us. But we had this massive drop in the early 90s that persisted really until just maybe like three years ago. And even the upside on that isn't huge. It's not like we're gone from 20% to like 40%. We might be gone from like 20% to 25% at schools that have been focused on, on changing that ratio. So it's good. Like the pipeline is, is getting bigger. I think we are
Starting point is 00:07:34 starting to fix that problem. But when you're looking for experienced women, you still, it's really hard to find the, and the women who are there, they're amazing. They're, they're highly sought talent, right? So they're getting asked for multiple jobs. Their recruiters are always asking them to come and interview because everyone wants to increase their gender diversity. But it's not there. In terms of the Code Like a Girl community, are people optimistic that the workplace environments that they'll be going into have sufficiently changed that it's going to be a kind of place where they want to stick around? Well, I would love to say yes, but I'm not sure we're there yet. I think that's an evidence from a lot of what's been in the news over this past spring with Susan Fowler and some of the newer things that were happening this summer.
Starting point is 00:08:26 Bowler and some of the newer things that were happening this summer. I don't think that we are there, but there's much more awareness of it than there ever was before. And when women bring things forward now, they are being taken seriously. Whereas, you know, two, three years ago, you look at that Ellen Poe case and she lost. I don't think Ellen would lose today. As someone who does hiring, what do you wish that some of the men who do the hiring in our industry knew? That women will not necessarily brag about themselves enough in an interview and that that will make them look like they maybe are not as good as the men when that is not the case. I think there's just this sense of us, we don't want to overstate our ability, want to be very honest. And while it's not that the men aren't being honest, they're just more confident about it. So I mean, even for myself, I make sure when I go into interviews, when I've been interviewing and push myself to like, pretend
Starting point is 00:09:21 I'm talking about my best friend instead of talking about myself. And how would I explain myself as my best friend instead of as myself? And I'd probably highlight things a little bit more, probably a little less humble, right? Because you're showcasing yourself in an interview. You're not there to like show who's the humblest. You're there to like really show the talent you have. And I think that that comes a bit more naturally to some men, not all men, but to some men, than it does to women. That's Diana Davis from Code Like a Girl. You can check out all of their resources at codelikeagirl.io. CyberArk describes a proof of concept it's calling Bound Hook that enables post-intrusion application hooking and stealthy manipulation in Intel's Skylake microprocessor. Microsoft calls Bound Hook more stealth technique than exploit,
Starting point is 00:10:12 since it functions to conceal activity in an already compromised machine. More malicious apps surfaced in Google's Play Store, among them Sockbot, malware that ropes Minecraft playing devices into a botnet. Locky seems to be holding its place atop the ransomware leaderboard. Locky ransomware's constants appear to be a close association with Nekors and the dissemination of an awful lot of spam, according to a Trend Micro study. And finally, in a story that's ripped from the headlines, no wait, it actually is a headline, anyway, a New York judge is shocked to learn that the NYPD's large evidence database isn't backed up.
Starting point is 00:10:53 The headline in question appears in Ars Technica, which reports that the New York Police Department's property and evidence tracking system, PETS, is in effect a single point of failure. If it went down, were corrupted, or say were hit with ransomware, the NYPD would lose everything stored therein. We'll give the last word to Manhattan Supreme Court Judge Arlene Bluth. That's insane, she simply told the ADA. If it pleases the court, Your Honor, you're right. That's insane. Calling all sellers.
Starting point is 00:11:36 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:12:05 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:12:47 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures.
Starting point is 00:13:30 Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:14:06 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Ben Yellen. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, we had a story come by from Wired, really taking a look at President Trump's cybersecurity executive order so far. It's been a few months since the order came out, and we're sort of taking stock of what's happened. So bring us up to date here. Well, it was received very well when it was first put out on May 11th.
Starting point is 00:14:46 It got bipartisan praise. He had claimed during the campaign that he was going to come up with a cybersecurity executive order in the first 90 days. And though it was a little late, he ended up fulfilling that promise, which I think was significant. The criticism has started to mount since the executive order was enacted. For one, the administration has missed some mount since the executive order was enacted. For one, the administration has missed some of its self-imposed deadlines. And at least according to some experts, many agencies are still in their planning and information gathering stages, which is fine. But time starts to become a factor, especially when we've had
Starting point is 00:15:21 what this article calls destabilizing cyber attacks. We had the WannaCry attack, the NotPetya ransomware outbreak this summer. We've had attacks on the integrity of our election systems. So the criticism now is focusing on how quickly the policies, which have received bipartisan praise, are actually going to come to fruition. And what kind of teeth does the policy have in terms of pushing, you know, the agencies along to meet the deadlines? Well, you know, executive orders don't carry the same weight as federal statutes. They are sort of self-imposed. I don't think any individual who would potentially be affected by this executive order would have standing to sue
Starting point is 00:16:03 based on any of these delays. So it is sort of self-enforced, which is why it's particularly difficult. One of the problems they've been having, and this is true across all agencies, is staffing. The administration has been very slow to staff some of these agencies. I know this article mentions NIST as one of the agencies that's had problems staffing. And then he also has a number of councils, including a National Infrastructure Advisory Council, which advises DHS on matters of cybersecurity, in which we've seen some members resign over unrelated political issues and also based on the slow implementation of this executive order. So
Starting point is 00:16:46 when you start to lose that expertise, both the private sector members that sit on some of these boards and you fail to staff up some of these public agencies, that's when we'll really start to see some of these delays. Stakeholders are starting to get concerned that the federal response is not keeping up with the threats that we're facing. They don't want us to have to wait for some sort of 9-11 type cyber event where metaphorically everything comes crashing down. That's the worry that many of the stakeholders have on this issue. Ben Yellen, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:17:28 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:18:34 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
