CyberWire Daily - Nation-state cyberespionage and cybercrime. Cryptocurrency fraud and theft give alt-coins a rocky ride. Sino-US trade conflict update. GDPR data extortion. Spammy protection racket.
Episode Date: June 25, 2018. In today's podcast, we hear that Taiwan continues to receive the PLA's cyber attentions. A look at what the Lazarus Group is up to. Cryptocurrency fraudsters arrested as alt-coin values have a rocky ride. Continuing US hot water for ZTE and Huawei. GDPR-themed data extortion. Business email compromise is up. So are ransomware attacks against US city governments. And when is a ransomware attack not a ransomware attack? When it's just a protection racket. Johannes Ullrich from SANS and the ISC Internet Storm Center podcast on evasive cryptocoin miners.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Taiwan receives the PLA's cyber attentions.
A look at what the Lazarus Group is up to.
Cryptocurrency fraudsters are arrested as altcoin values have a rocky ride
Continuing US hot water for ZTE and Huawei
GDPR-themed data extortion
Business email compromise is up
So were ransomware attacks against US city governments
And when is a ransomware attack not a ransomware attack?
When it's just a protection racket.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 25, 2018.
An increase in cyber operations directed against Taiwan is observed as China's policy toward
what it regards as a breakaway province hardens.
Cyber operations from the mainland against the island nation haven't really abated ever,
but the Financial Times is reporting an increase in their tempo,
which it correlates with a starchier and more assertive regional policy from Beijing.
AlienVault examines malicious documents used by North Korea's Lazarus
Group against South Korean targets. The documents are crafted as Hangul word processor files.
Some of those the AlienVault researchers have looked through are directed against participants in
recent G20 meetings. Others are connected with recent lootings of South Korean cryptocurrency exchanges.
Police in Ukraine have arrested four young men on charges of running a fraudulent cryptocurrency
exchange. Cryptocurrency mining and other forms of fraud exact a toll on altcoin values
as the cryptocurrency markets continue to react to the recent wave of raids on exchanges.
The extent to which the U.S. is offering ZTE any sort of lifeline seems likely to be much attenuated. Congress is on the warpath, agencies are quietly advising companies to stop doing
business with ZTE and Huawei, and the administration is working on a broad range of trade sanctions
against Chinese tech firms and investment generally.
The U.S. Secretary of Commerce, while pointing out dutifully
that his department isn't really responsible for counter-espionage,
has agreed to a congressional request that Commerce evaluate the espionage risk ZTE poses.
He'll get back to Capitol Hill with a full report.
And the administration seems to be taking
China's ambitions for technological dominance as a serious competitive threat. The Treasury
Department is working on a set of sanctions and restrictions designed to stem the outflow of usable
U.S. technology to China. ZTE itself obviously doesn't think it's out of the woods,
and like the panda bear, some of its employees will have to go to the woods to do their business.
Gizmodo reports that the Chinese device manufacturer has suspended planned repairs to some of the urinals in its facilities
because management is unsure of their access to U.S.-made plumbing fixtures.
We think this must be in some fashion related to a brain drain.
Flush your cashes elsewhere, folks, or so the suits appear to be saying.
GDPR implementation has inspired a wave of data extortion scams.
The TAD group warns that one such crime wave is hitting companies in Bulgaria.
The extortionists threaten not encryption,
but rather public release of personal data.
The risk is exposure to potentially very heavy GDPR penalties.
Business email compromise attacks appear to be rising,
so too are ransomware attacks,
especially against U.S. municipal governments.
These enterprises are often poorly secured,
and the lasting damage done to the city of Atlanta has put the fear of hackers into them.
And finally, everyone has seen some old-school scareware pop-ups, right?
We hear from some friends that they used to encounter scareware
when they visited adult-themed sites in the course of their research.
The pop-up usually said something like,
Attention, attention! This is the Federal Bureau of the FBI,
and we have detected you visiting illegal content on your computer.
Pay your fine to us online, and your family need never know of your shame.
Plus, also, too, you're infected with a virus or something as well.
Well, something like that.
Or so we hear, never actually having visited a sleazy adult site ourselves. The important thing to understand about
old school scareware is that it's all bark and no bite. It wasn't really the FBI. No one was going
to shame you in front of your family, and no, your computer had not been infected by a virus or
something else bad, as if you'd caught some sort of virtual STD. Well, this latest scam is a little
like that, except there's no veneer of law enforcement. Instead, it's like an old school
protection racket right out of a movie about the mob. You know the scene. The poor but honest
immigrant shopkeepers of a big city mom and pop,
usually in New York or New Jersey,
well, they get a visit from the local mobsters.
Mama and Papa are told, usually in these words exactly,
Nice store you got here. Shame if something happened to it.
In this case, a collection of skids calling themselves the WannaCry hack team is spamming people with the subject line
WARNING WANNACrypt. For emphasis, they've equipped their subject line with an escort of exclamation
points, three to the left and three to the right as they march into your inbox. They haven't done
anything to your data yet, they point out, but they could, and they will too if you don't pay
them up front. Why, why, they'll infect you with that WannaCry thing, Mama.
That thing you've been reading about, Papa.
Unless you pay up.
The choice is yours.
Well, fortunately, it's an easy choice, Mom and Pop.
These clowns are no more involved with WannaCry than your Uncle Louie.
So just mark the email as spam and delete it.
The spammers haven't got any more malware than they've got game.
So kids, if you're listening, and we know you are,
here's a good deed you can do.
When Grandma or Grandpa, or both, or even all four of them,
tell you in horror that they've been hit with that WannaCry thingamajig
they read about in the paper,
tell them you know all about it, and that they can just delete the email and forget about it
They'd love you even more if that were humanly possible, which of course it isn't.
Calling all sellers! Salesforce is hiring account executives to join us on the cutting edge of
technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber
for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Johannes Ullrich. He is from the Internet Storm Center StormCast, the daily podcast from the SANS Institute. Johannes, welcome back. Cryptocoin miners are still out there doing their thing, and you make the point that they're starting to be more evasive.
Yes, cryptocoin miners certainly are one of the number one malware types that we're seeing out there, being installed on servers or clients.
Pretty much any vulnerability we are seeing these days is predominantly being exploited to install crypto coin miners.
But the attackers have gotten better in hiding those crypto coin miners.
The first crypto coin miners were very easy to spot.
In some cases, they used so much CPU resources that they crashed some of the legitimate software that was running on the system.
They also used connections to some very easy-to-enumerate mining pools.
Now, what we have seen more recently is that attackers take advantage of cryptocoin miners' parameters that allow them to limit how much CPU is being used.
So they're just trying to use enough
that it's still worthwhile crypto coin mining,
but that it's less likely
that the crypto coin miner is being discovered.
Secondly, the backhaul,
where they're actually sending the data back
to the mining pool,
uses the standard mining pools less and less.
But what these attackers do is they're
essentially setting up sort of an equivalent of a proxy where the miner does connect to this proxy
that's run by the attacker. So that's now a little bit more difficult to enumerate because they keep
changing all the time. They're not publicly advertised like standard mining pools. Also,
now it's easier for the attacker to use things like TLS to encrypt the data.
So this makes it a bit more difficult to really identify these infected systems.
Now, other than listening for the fans to spin up on your computer, what can you do to detect these?
Well, anti-malware actually still works pretty well.
We always discount anti-malware
as sort of, you know, catching yesterday's exploits. But the crypto coin miners I've seen
so far are pretty well recognized. They're not really changing the code there too much.
So that certainly helps. And, you know, of course, good old software whitelisting,
that will help because hopefully you don't have any crypto coin miners whitelisted
in your network. Yeah, I've also seen a number of plugins available to look out for this,
you know, Chrome plugins and things like that. Are those effective?
They're effective. They sort of take a little bit of signature approach where you're looking for
like the standard coin hive miners and the like. They work pretty well at this point.
Now, there are some approaches that sort of just generically detect the use of crypto
functions.
JavaScript has a very elaborate crypto library in its recent versions.
But of course, those crypto functions, they're sometimes used legitimately too.
So I wouldn't really go overboard here and just block all crypto in your browser.
Good advice as always.
Johannes Ullrich, thanks for joining us.
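As an added example that is not part of the podcast, of AlienVault's research, or of the Internet Storm Center's material, the Python below illustrates the two points Johannes makes: a miner that talks plaintext Stratum to a public pool is easy to enumerate on the wire, while a throttled miner that talks TLS to an attacker-run proxy gives a payload inspector nothing to match, so it must be reported as opaque rather than silently passed as benign. The flow records are constructed for the example; the JSON-RPC method names are the real Stratum v1 and Monero/xmrig "login" dialect methods, and the miner user-agent pattern is an assumption.

```python
"""Flag Stratum mining-protocol handshakes in captured TCP payloads (added example)."""
import json
import re

# JSON-RPC method names used by Stratum v1 pools and by the Monero/xmrig
# "login" dialect. Public pools speak these in plaintext, which is what makes
# them easy to enumerate on the wire.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "login", "submit", "keepalived",
}
# Assumption: miners that announce a user agent use one of these names.
MINER_AGENT_RE = re.compile(r"xmrig|xmr-stak|cpuminer|ccminer|minerd", re.I)


def classify_payload(payload: bytes):
    """Return (verdict, reason) for the first bytes of one TCP stream."""
    # A TLS record starts with content type 0x16 (handshake) and major
    # version 0x03. Without a decrypting proxy we cannot look inside it,
    # so report it as opaque rather than as benign.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return ("opaque", "TLS handshake; payload not inspectable")
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return ("unknown", "non-UTF-8 payload")
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue
        method = msg.get("method")
        if method not in STRATUM_METHODS:
            continue
        # Stratum v1 carries params as a list, the xmrig dialect as a dict.
        params = msg.get("params")
        if isinstance(params, dict):
            agent = str(params.get("agent", ""))
        elif isinstance(params, list):
            agent = " ".join(str(p) for p in params)
        else:
            agent = ""
        match = MINER_AGENT_RE.search(agent)
        if match:
            return ("miner", f"stratum {method} from {match.group(0)}")
        return ("miner", f"stratum method {method}")
    return ("benign", "no stratum messages")


def scan(records):
    """Classify a list of {'src','dst','dport','payload'} flow records."""
    results = []
    for rec in records:
        verdict, reason = classify_payload(rec["payload"])
        results.append((rec["src"], rec["dst"], rec["dport"], verdict, reason))
    return results


# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    {   # xmrig logging in to a public Monero pool, plaintext on 3333
        "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 3333,
        "payload": (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                    b'{"login":"<wallet>","pass":"x","agent":"XMRig/5.11.1"}}\n'),
    },
    {   # Stratum v1 subscribe from a CPU miner
        "src": "10.0.0.7", "dst": "203.0.113.11", "dport": 4444,
        "payload": b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}\n',
    },
    {   # ordinary HTTP request
        "src": "10.0.0.9", "dst": "203.0.113.12", "dport": 80,
        "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    },
    {   # throttled miner talking TLS to an attacker-run proxy on 443: the
        # same login message is inside, but all we can see is a ClientHello
        "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443,
        "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32,
    },
]

if __name__ == "__main__":
    for row in scan(SAMPLE_FLOWS):
        print(*row, sep="  ")
```

The fourth flow is the evasion case from the interview: the only thing left to work with is the connection itself (a long-lived session to an address that is not a published pool), which is why Johannes points back to endpoint controls such as anti-malware and application whitelisting rather than network signatures alone.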
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious but deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your