CyberWire Daily - More North Korean malware identified. EOS scanned for misconfigurations by parties unknown. Canadian banks won't pay extortion. Stay away from Joker's Stash. Crime and punishment.
Episode Date: May 30, 2018. In today's podcast, we hear that the US has attributed two more strains of malware to North Korea. And whether you call them Hidden Cobra or the Lazarus Group, it's the same reliable crew of Pyongyang hoods. More trouble for the ICO world as unknown but probably bad actors scan for misconfigurations in EOS blockchain nodes. Canadian banks decline to pay extortion. Joker's Stash counterfeits show there's even less honor among thieves than you may have thought. Baratov gets five years for the Yahoo! hack, and "Courvoisier" gets a solid ten-year sentence for multiple crimes. Justin Harvey from Accenture with thoughts on GDPR. Guest is Ruvi Kitov from Tufin on why automation should be in wider use than it is.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The U.S. attributes two more strains of malware to North Korea,
and whether you call them Hidden Cobra or the Lazarus Group,
it's the same reliable crew of Pyongyang hoods.
More trouble for the ICO world as unknown but probably bad actors scan for misconfigurations in EOS blockchain nodes.
Canadian banks decline to pay extortion.
Joker's Stash counterfeits show there's even less honor among thieves than you may have thought.
Baratov gets five years for the Yahoo hack,
and Courvoisier gets a solid ten-year sentence for multiple crimes.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, May 30, 2018.
The on-again, off-again U.S.-North Korean summit is back on, but relations between the countries in cyberspace remain frosty.
There's a good bit of speculation that DPRK hacking will figure among the agenda.
In the meantime, the FBI and the Department of Homeland Security yesterday, through the US-CERT,
attributed two more families of malware to the DPRK's Hidden Cobra threat group.
The Brambul worm and the Joanap Trojan are both said to be the work of Pyongyang.
Joanap is a two-stage backdoor remote-access Trojan that allows both data exfiltration
and installation of other threats onto the victim system.
Brambul, worm that it is, abuses the SMB protocol to spread via dictionary attacks on other systems.
Once it's in, as SecurityWeek summarizes, Brambul also harvests system information,
accepts command line arguments, and executes a suicide script.
You may know Hidden Cobra by its other name, the Lazarus Group.
The Lazarus Group has got a pretty long rap sheet, albeit with no convictions,
since nobody in the world has any kind of extradition agreement with Pyongyang.
The threat group has been credibly blamed for the Bangladesh Bank SWIFT caper,
the Sony Pictures hack, which appears to have been part of a larger campaign outlined in the Operation Blockbuster investigations,
Operation Dark Seoul, a 2013 campaign that affected two South Korean television stations and at least one bank,
and Operation Troy, a cyber espionage campaign unmasked in 2013 that was directed against South Korea
and in particular against South Korean military cooperation with the United States.
The Five Eyes have also said the Lazarus Group was responsible for WannaCry,
last year's misfiring but still very damaging ransomware campaign.
That's one attribution we think you can take to the bank.
Bleeping Computer reports that threat intelligence shop GreyNoise has observed someone, presumably a threat actor,
scanning for EOS blockchain nodes that have accidentally exposed private keys through inadvertent misconfiguration.
The scans began yesterday, shortly after Qihoo 360 reported a remote execution flaw in the EOS blockchain platform.
EOS is currently the subject of an initial coin offering.
The Canadian banks hit with a hacker-induced data breach over the weekend are indeed the targets of extortionists.
The attackers are demanding a million-dollar ransom.
If they're not paid, they threaten to release the information online.
The Bank of Montreal and the Canadian Imperial Bank of Commerce have both said they won't pay the ransom.
Bravo, banks.
There's some speculation as to why the hackers tried extortion as opposed to simply selling the stolen data on some of the usual dark web markets.
They may have come to believe that stolen data simply wouldn't fetch as much as they could make through extortion,
or they were hoping that embarrassment would induce the banks to pay up, even if the data wasn't that valuable.
Or, of course, they may have been interested in getting whatever they could from the banks and then going on and selling the data anyway,
since honor among thieves is much frayed nowadays.
Speaking of black markets and the general absence of honor among thieves, it's worth noting that Krebs on Security has a piece up about Joker's Stash and its various imitators and counterfeits.
Joker's Stash is an illicit carder's forum where hoods buy and sell stolen paycard credentials,
mostly for what amounts, relatively speaking, to chicken feed.
Joker's Stash has been tied to a number of retail breaches, including those at Saks Fifth Avenue, Hilton, Whole Foods, Chipotle, and Sonic.
The counterfeit Joker's Stash sites are out there to con the con man.
If you, Mr. and Ms. Criminal, think you're going to get some cards from Joker's Stash,
look carefully, because you may find the bitcoins you virtually plunked down are gone, baby, gone, without so much as a login credential left behind.
We won't offer any more specific advice, since at some level criminals who let themselves be defrauded by other criminals deserve what they get,
but do stay away from Joker's Stash.
When word comes down from the bosses upstairs that it's time to improve productivity and security,
or to do less with more, many organizations turn to automation to make it happen,
but that can be easier said than done.
Ruvi Kitov is CEO and co-founder of security firm Tufin,
and he's got some words of wisdom for companies looking to automate.
There's a good crawl, walk, run model.
A lot of times when we speak with customers or organizations
who have nothing of the sort, no automation,
usually it also means that very often they won't know
what their security posture even is.
When we ask organizations, what's your security policy? Let's look at
zone-to-zone segmentation. Which networks can talk
to other networks and which networks should not be allowed to talk to other networks?
Just connectivity. Basic layer three connectivity. A lot of times
people scratch their heads and there might be a document
written in the CISO office. Some security architect wrote it.
There's a big gap between that concept
of the security policy and the actual implementation on the ground.
And then after assessing, usually there's a cleanup
phase where people for two to three months, they go and they start cleaning up all of the vulnerabilities they discovered.
And there's a lot.
You want to reach steady state, you know, pretty healthy and clean, you know, state of network security.
Right.
And at that point, the question is, OK, I've done some work.
I've cleaned up and I think I'm in pretty good shape.
But if I don't maintain that hygiene, I'm going to be vulnerable again.
I'm going to have all sorts of problems very soon because dozens of changes occur on my network on a weekly basis.
So how do I maintain that continuous compliance?
So then the next phase would be taking that policy element and actually
analyzing every single change that is about to be implemented
to see whether it adheres to the policy. So then once you're
kind of in a pretty healthy place, you would probably
want to have zero mistakes done on the production
network because you want to move from being reactive, like, OK, let's look at my network and figure out what's wrong with it to I've cleaned it up.
And now I don't want any mistakes even reaching the production network.
I want to avoid those things to begin with during the change process.
There are additional challenges as people are adopting the cloud and they're migrating more and more applications to the cloud. There's a whole
other set of challenges that have to do with policy. What we're seeing is a lot of organizations,
DevOps or a cloud team that are responsible not just for the application, but also for the
infrastructure on the cloud side. And they're managing, for example, maybe the AWS configuration.
We're seeing a lot of friction between the DevOps team and the firewall team, where DevOps
teams want to build their own security controls, and they don't want a very heavy and manual
process of requesting changes from the security team to allow them connectivity.
So we're seeing a lot of issues between DevOps teams and network security teams.
And we think that a key thing is how to bake security into the DevOps cycle
so that essentially the network security team will have much deeper visibility into the security posture of the cloud.
And a lot of organizations are actually flying blind today.
So you have DevOps teams making changes in the cloud with very little security oversight, which we believe is a huge mistake.
So one of the things that we would recommend is to get tools that allow, first of all, security practitioners
to see the security posture in the cloud. And the second phase would be to actually bake security
into the DevOps CI/CD tool chain so that every time you want to make a change that actually affects
security and the DevOps tool chain, it'll be vetted against some kind of a security policy.
And we think that's critical as organizations are moving to the cloud.
That's Ruvi Kitov from Tufin.
A U.S. government look at the cybersecurity of federal agencies offers a depressing vista.
Three out of four agencies are said to be at significant risk of cyber attack and poorly prepared to manage that risk.
Whether or not it's reprieved from U.S. Commerce Department sanctions, analysts think ZTE will find recovery difficult.
ZTE and Huawei remain under widespread suspicion of posing security risks.
Canadian Premier Justin Trudeau is being asked by many to take a close look at what Huawei's up to in its penetration of the Canadian market.
Karim Baratov, convicted of hitting Yahoo on behalf of Russia's FSB, has been sentenced to five years.
The U.S. Justice Department points out that the verdict should indicate to people that hacking for hire is a serious crime.
You remember the fellow who went by the name Courvoisier? He isn't French, but English. He's the heavy-handed gent who ran virtually amok in Kent.
Anywho, Courvoisier, whose given name is Grant West, had his day in court and was convicted of charges related to phishing, drug sales, and other illicit online activity.
He will be Her Majesty's guest for ten years, which is by British standards a pretty stiff sentence.
Mr. West is 26; he'll be in his mid-thirties by the time he gets out, assuming he serves his full time.
He was caught when authorities tracked the IP address of his girlfriend's computer and
picked Mr West up on a train bound for London.
The relationship is doubtless strained at this point, or as Facebook might put it, complicated,
because the co-conspirator girlfriend got community service.
And joining me once again is Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, welcome back.
You know, I feel like we have been running towards this finish line,
which, of course, was the implementation of GDPR.
We have crossed that line, and now here it is.
It's active. It's a real thing.
Do you think that companies are ready? Do you
think all these months of preparation are going to pay off for them? Well, Dave, the glib answer
is I believe my clients are. I don't think that the majority of companies are truly ready for the
GDPR. Based upon what I've been seeing in the market, many organizations are
scrambling. They're getting their incident response plans going. They are given the ambiguous nature
and the wording of the regulation. I think that it's almost like I should say it's anyone's ball
game because with regulations, particularly of this nature, you can't read a document
that says this is an incident.
And when this type of incident hits this threshold, then you need to report it to regulators.
It's almost like regulators want to keep it loosey-goosey and they want to see companies
demonstrate that they are trying. I don't believe
any organization is truly 100% compliant with any regulation. But what matters is, are they
demonstrating the right steps? Do they have the right intent? And if and when something does
happen, are they being forthcoming with regulators? Yeah, it's interesting because it strikes me that
there's been kind of wait and see on both sides. As you described, the regulators waiting to see are people making a good
faith effort. But I think there's been a lot of wait and see on the other side to see are these
potential fines actually going to come down? That's right. I was speaking with a colleague
the other day, and he made an observation that he doesn't think GDPR is here to last.
And the reason is it'll be one large organization, one large company that will unfortunately have a breach and maybe they lose a lot of personal data.
And then they're looking at quite a lot of fines and perhaps it even drives that company out of business.
And then where does
that leave regulators at that point? Who wants to participate in a regulation where the downside is
you can lose up to four or however many percent of your global annual revenue. So time will tell.
I think that this is an interesting experiment. It's funny that I call it a regulation and experiment, but I think this is a new kind
of regulation applied to a large region.
And I think if it works, if they are able to pull it off and if it does enforce change
and allow society to operate where people can be forgotten on the Internet, if they
can really, truly have better controls around people's privacy,
I think it'll be positive. And even then, the United States should definitely pay attention,
keep notice of what's happening with the EU and the GDPR, considering all of the privacy concerns
we've been having on this side of the pond. All right. Well, as you say, time will tell.
It's going to be interesting to watch. Justin Harvey, thanks for joining us. Thank you.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.