CyberWire Daily - Nation-state cyber campaigns: North Korean, Iranian, Russian, and unknown. Social media outages.
Episode Date: November 20, 2018
In today's podcast, we hear about nations behaving badly (but from the point of view of cyberespionage they're doing, unfortunately, well). The Lazarus Group is back robbing banks in Asia and Latin America. Russia's Hades Group, known for Olympic Destroyer, is back, too. Gamaredon and Cozy Bear have returned, respectively pestering Ukraine and the US. Iran's OilRig is upping its game with just-in-time malicious phishbait. And it's not you: Facebook has been down. Malek Ben Salem from Accenture Labs on skills squatting with Amazon's Alexa. Guest is Ronnie Tokazowski from Flashpoint on his work with the business email compromise working group.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
Nations are behaving badly, but from the point of view of cyber espionage, they're doing well.
The Lazarus Group is back robbing banks in
Asia and Latin America. Russia's Hades Group, known for Olympic Destroyer, is back too.
Gamaredon and Cozy Bear have returned, respectively pestering Ukraine and the U.S.
Iran's OilRig is upping its game with just-in-time malicious phishbait.
And it's not you, Facebook has been down.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 20th, 2018.
This week, it seems as if it's nation-states gone wild.
Several state-directed threat actors have returned to action this week in prominent ways.
They're back in familiar but upgraded forms
as the offense-defense seesaw swings up on the offensive side.
North Korea's Lazarus Group is back, for example,
hitting financial institutions in Asia and Latin America.
They're making improved use of backdoors.
TrendLabs thinks, on the basis of the loader component's service creation time,
that the backdoor for Pyongyang was installed on the victims' machines on September 19th.
The code's been improved, but the attack technique, TrendLabs says,
is a lot like the one BAE Systems took apart and analyzed back in 2017.
As usual with the Lazarus Group, the motive is financial,
and this latest campaign follows on the heels of the wave of attacks on ATMs
we saw develop over the last two weeks.
Another Russian threat group, the Hades APT, is also back.
Hades was responsible for the Olympic Destroyer wiper campaign
that targeted the South Korean-hosted Winter Olympic Games.
Researchers at Check Point say that Hades has added anti-analysis
and delayed execution as well as a single-stage dropper to its repertoire,
which suggests that the group is learning from and reacting to
the measures used against it earlier in 2018.
Three things are worth noting about Olympic Destroyer.
First, it was a wiper, intended apparently for disruption,
probably as a form of retaliation for the exclusion of Russian athletes who were caught doping.
Second, it was used in such a fashion as to make it practically inevitable
that the Olympic Committee, the South Korean government, and South Korea's allies
would immediately suspect a North Korean cyber attack.
But this turned out not to be the case.
Third, contrary to what its name might suggest,
Olympic Destroyer has surfaced sporadically since the Games,
prospecting targets not necessarily involved with the Olympics,
or indeed with athletics at all.
The Pterodo backdoor campaign reported by Ukraine's CERT was initially characterized
as a nation-state attack that seemed to be targeting what Russia calls the near-abroad,
that is, the formerly Soviet, now independent republics.
Preliminary and circumstantial but nonetheless persuasive evidence
has led observers to conclude that Pterodo is indeed a Russian operation.
Pterodo is associated with the Gamaredon threat group, widely believed to be a unit of Russia's FSB.
It seems so far to have been used principally for battlespace preparation, at least in the attempt seen in Ukraine.
Coincidentally or not, the newly reawakened Cozy Bear, also generally regarded as an FSB
or possibly SVR unit, has deployed improved phishing techniques against U.S. targets.
Both the FSB and SVR are descended from the old Soviet KGB.
If you're looking for rough American equivalents,
they would be the FBI and CIA,
since the KGB had both domestic security
and foreign intelligence functions.
In this case, they've refined their techniques.
As Wired observes,
Cozy Bear has the reputation for upgrading older,
in many respects forgotten, attack code
in the hope that the newly effective malware will pass unnoticed.
In this case, that code is a Trojan called Cannon,
which uses email to communicate with its command and control infrastructure.
That's old school, and it's working for them in part because it's unexpected.
This latest Cozy Bear phishing expedition has spoofed U.S. State Department emails.
A hearty congratulations to Ronnie Tokazowski from Flashpoint.
He accepted the prestigious J.D. Falk Award from the Messaging Malware and Mobile Anti-Abuse Working Group
on behalf of the Business Email Compromise Working Group.
Tokazowski helped create the group back in 2015.
Since then, they've helped stop millions of dollars in wire transfers, taken down thousands of romance accounts, and contributed to well over 100 arrests.
Ronnie Tokazowski joins us today.
Initially, when we started, our approach was just to take a look at the phishing emails and try and
attack it from that perspective. So we wanted to go ahead and give law enforcement a good spot to where we could give them the intelligence they needed in order to pivot
off for their investigations, as well as trying to figure a good way to help stop this.
And as we started operating and looking at the different types of fraud, it started to
balloon out really quickly. And that's where it started including other things such as
romance scams, real estate scams, lottery scams. So in working together on this, both good or bad, if you want to have it that way,
that was where we started to understand that there was a lot more to this type of fraud than just
an email and a mule account. Can you describe to me, I mean, what was the back and forth,
the cross specialty education that went on between the tech folks and the law enforcement folks? I
suspect you all had specific skills to bring to the fore. Yeah. And that's very much how we wanted to
model it. So take me, for example, I'm a malware analyst. I've done reversing and I've worked in
threat intelligence. Likewise, we have some people with different walks of life who want to go ahead
and want to take out romance scams. And you have law enforcement who were the ones who can arrest the people. So some of that collaboration was working directly with law enforcement to say,
hey, we identified this actor. You may want to go ahead and go forth and help kick off your
investigation on that. And one of the ways we like to look at it on the list is that something where
I can't go arrest somebody, law enforcement doesn't have the intelligence. So we need to be able to work and collaborate together on that to make it better
and start making a difference in the industry. Take us through the process. I mean, how does a
scam come to your attention? And then how does it work its way through the group?
Yeah. So the way it usually works is we would go ahead and have different individuals
who may receive a phishing email to
their organization. So with the list and everything, once we get those emails, everybody works together
to try and fight it from different ways. So for example, someone may be able to do something with
the headers, someone may be able to do something with the email sender, someone may be able to do
something with a certain piece of the malware that's associated with that. So that's been the
approach is to try and attack the phishing emails from several different angles
as opposed to just one different angle.
And that's very much how we've operated, not just with the emails,
but also with the other aspects of the list as well.
It sounds to me like in addition to all of the good that you all are doing,
that it sounds like you're having a good time doing it.
Oh yeah, very much so.
Some of the successes that we've had on here,
we've actually been able to watch what the actors do
based on some of the actions that we've taken.
One good example of that is,
it's also caused confusion within a lot of the actors.
So one case of that, it was where one romance account got closed,
and in response, they ended up reaching back out to the victim.
And they said that they didn't know if it was like another hacker who got access to
their account, or they didn't know if ISIS was involved.
And that's the story that they were trying to say.
That's how they were trying to tell one of the victims that their accounts were closed.
Now, do you have any general advice for folks who are out there in business and personal to help protect themselves against this with the unique insights that you've gained from working with this group? Are there any basic tips you have for folks?
you through social media, try to build up a relationship like that. So just being aware of that type of scam is one way to help protect yourself. Additionally, for your larger organizations
who may be dealing with wire transfers, have different protections in place. So if you
have to wire out $50,000, for example, then have that be signed off by one person.
If you have to wire out $100,000, have two layers of protection in order to sign that.
There's also cases where the actors
will try and fly under those amounts.
So by being able to know that,
hey, this person shouldn't be wiring money out
or maybe something as simple as picking up the phone call
or picking up the phone and calling and say,
hey, did you actually send me this email?
That goes really far.
And very much to what the law enforcement
has said over the years,
if you see something, say something.
And that's another good way to help identify a lot of these types of fraud.
That's Ronnie Tokazowski from Flashpoint,
describing his work with the Business Email Compromise Working Group.
Palo Alto Networks has been evaluating the Iranian threat group known as OilRig,
also tracked as APT34 and sometimes as Helix Kitten.
OilRig is seen principally as a cyber espionage outfit, and it's been active largely against regional rivals in the Middle East.
Researchers are struck by the way in which OilRig has been testing the malicious documents it uses as vectors for the BONDUPDATER downloader.
Once they're satisfied, they deploy the documents in the wild.
The testing is quick.
SecurityWeek calls it just-in-time creation of malicious Word and Excel files.
The final test document was created less than eight hours
before the delivery document was put into final form.
That delivery document was used to hit targets within 20 minutes of its creation.
The goal of preliminary testing
seems to be the evaluation of likely antivirus detection rates.
BONDUPDATER itself has some interesting domain generation algorithm functionality.
Other organizations have been tracking OilRig, FireEye and Booz Allen Hamilton among them.
Booz Allen's Dark Labs has looked at BONDUPDATER and the associated POWRUNER backdoor, and they've
discovered three additional malware variants as well as network infrastructure that makes OilRig
a potential threat to organizations anywhere. If you've been having trouble getting on Facebook
or Instagram, it's not you, it's them.
The services have been suffering widespread outages beginning about 7:40 a.m. Eastern Standard Time.
That's Baltimore time for those of you living on other continents.
Service seems to be back for now, at least intermittently, in our neck of the woods,
but the problems are persisting elsewhere.
This is the second significant service disruption in as many days.
Yesterday, it was Messenger.
They're working on it.
At this point, the outages seem to be accidents.
If you're interested in venting,
everybody seems to have taken to Twitter to do so.
And various adult sites report a spike in traffic
as frustrated Facebookers seek elsewhere for diversion.
Come on, everybody, go out and take a walk or something.
And finally, two quick notes for our listeners.
We'll be observing Thanksgiving this week,
so there will be no daily news briefing or daily podcast on Thursday or Friday,
and no week that was this Saturday.
The Hacking Humans podcast is taking a break this week as well.
Everything will return to normal Monday.
After the Thanksgiving holiday, we'll be rolling out a new format for our email.
We've redesigned it, the better to avoid falling into spam traps
or becoming inadvertently enmeshed in the array of anti-phishing measures increasingly deployed.
You've seen some of these changes already with our addition of inline links to our summary.
When the redesign is complete, you'll see fewer links to suggested reading in the email itself.
That selected reading will remain present in its entirety on our website,
posted as always with the appropriate daily news briefing.
We hope you'll find the new format more user-friendly.
We'll announce the date of the rollout as it approaches.
As always, thanks for subscribing and reading.
And if you don't subscribe to the daily news briefing, why not?
I mean, the price is right.
It's free.
So line up and sign up today.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Malek Ben Salem. She's a senior R&D manager for security at
Accenture Labs. Malek, it's great to have you back.
Interesting topic you bring up today, and that is skill squatting with Amazon Alexa.
What are we talking about here?
Yeah, hi, Dave. Great to be back.
So skills, as most people know, are apps that are developed specifically for Alexa.
Now, skill squatting is an attack whereby an adversary can misdirect Alexa to apply or use the wrong skill. So think about cases where the user would like to
launch, let's say, the Amex skill, the Amex app that they use to access their Amex account, there may be another skill
deployed by the attacker that sounds very similar, but is spelled differently. So if the user calls
that skill, Alexa may misdirect them to the wrong app. And therefore, you know, the adversary can use that app to harvest
certain credentials for those users. So it's similar to the type of attack where you type
the wrong website and the adversary directs you to another website that looks very similar to what
you're accustomed to seeing, and they harvest your password or, you know, online credentials, this is a very similar way of doing the same thing
just through that voice interface. Yeah, that's interesting. I could imagine also if you're
dealing with, as Amazon Alexa has to, dealing with folks with all sorts of different regional accents.
Absolutely, yeah. And that's what makes this attack very interesting
is because now the adversary can predict what types of errors Alexa could make
based on people's accents. And therefore, they can take this attack to the next level
by ensuring that an entire region, let's say an entire region in the
U.S. with a certain accent, you can predict how certain words would be pronounced and how Alexa
might misinterpret them. And you can develop skills that take advantage of that misinterpretation and direct an entire group of people in a certain
region to a certain skill that they didn't want to use at all. You can also do it based on gender.
You know, there are things that words that Alexa misinterprets based on whether the user is female
or male. You know, those studies have been done.
So the researchers from University of Illinois have done those studies on how Alexa misinterprets
certain words based on the user's accent or based on their gender. So that creates basically an
entire, it takes the attack to the next level, right, where it can be scalable for
the adversary. Now, what sorts of things can Amazon do to protect against this? Can they verify or,
I guess, repeat back to you the site that they think you want to go to? Well, one thing they can
do is make sure that any skills go through a certification process
before they get published to prevent that skill squatting.
They can do a phoneme-based analysis for that skill
to understand how it gets invoked
and whether there are any similar apps
that would sound similar to that skill that are available.
Well, it's interesting information.
Malek Ben Salem, thanks for joining us.
Thank you, Dave.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default-deny approach can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.