CyberWire Daily - North Korea harasses defectors. Researchers exploited Emotet bug for six months. RedCurl APT conducts corporate espionage.
Episode Date: August 17, 2020. North Korea harasses defectors. Researchers have been exploiting a bug in Emotet to inoculate systems against the malware for the past six months. CISA warns of KONNI spearphishing. RedCurl APT conducts corporate espionage. The US announces more restrictions on Huawei's access to US-made chips. Chris Novak from Verizon on the evolving role of cyber insurance. Rick Howard on data loss prevention. And Australian schools are without email after an unpleasant experience with Reply-All. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/159
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey, everybody. Dave here. Before we start today's show, I want to make an introduction to all of you. Elliot Peltzman joined our team earlier this year. He heads up our audio editing. And when we hired Elliot, it was for two main things. First of all, to take some of the editing load off of me, but also to improve the audio quality of all of our shows, something that he has done with great measure. Elliot, welcome to the show.

Oh, thanks, Dave. It's good to be on this side of the microphone.

That's right. Now, some of you out there who are music lovers may recognize Elliot's name because he is a former member of the Stone Foxes, a well-known rock band. He is a composer, a keyboardist, a vocalist, and had traveled the world with the Stone Foxes. So quite exciting element of your career there, Elliot, right?

Yeah, absolutely. And now just full-blown podcast nerd.

Welcome to the club. Now, one of the things that really excited us about having Elliot join our team is the possibility of having new music composed for some of our shows. And I am excited to say that that is what we are premiering today. We have a new theme song for the Cyber Wire Daily Podcast. Now, Elliot, can you take us through what was your process for that, creating something new, replacing something that a lot of people out there probably have a high level of comfort with?

Yeah. I mean, first and foremost, I like it as well. You know, it's something that is very comforting, like you said, and is very recognizable. You know, we're going on, I think, almost four years of people listening to this theme. And there's a lot that I like about it. So I really wanted to preserve those elements. I guess those would be kind of a feeling of uplifting. You know, the original is a big rock band really rocking out and having a good time. I didn't want to take that away from it. I didn't want to jump into something spooky and minor or anything like that. I think listeners will definitely still be able to enjoy that same feeling, being able to turn on the show that they have come to love and appreciate and still feel at home.

Now, Elliot, as you and I well know, there is nothing in this world that people like more than change. And so I think we're all bracing ourselves to the reality that I'm sure many people are going to be on board and love the new theme music. There's no question that a handful of people out there are going to take issue with it. And I guess that's just part of the gig, right?

It is part of the gig, but I'm really happy with what we've got. You know, obviously the whole team has heard it. My parents have heard it. They approve.

Right, right.

Yeah, and this has gone past a lot of my colleagues. And it's, I don't know, I like it. And I really hope everybody else does too. And yeah, I would say just remember to keep a little bit of an open mind, but also that it was designed with the original show in mind. So it's not going to be, you know, jump out of the gate with some heavy metal guitars or anything. It's, I think it's right in our wheelhouse.

Right, right. Well, let's get right into it. Without further delay, thanks to our in-house composer extraordinaire, Elliot Peltzman, our new theme song. Here it is.
North Korea harasses defectors.
Researchers have been exploiting a bug in Emotet to inoculate systems against the malware for the past six months.
CISA warns of KONNI spear phishing.
RedCurl APT conducts corporate espionage.
The U.S. announces more restrictions on Huawei's access to U.S.-made chips.
Chris Novak from Verizon on the evolving role of cyber insurance.
Rick Howard on data loss prevention. And Australian schools are without email after an unpleasant experience with Reply all.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 17th, 2020.

The Wall Street Journal reports that North Korea is engaging in a campaign of online harassment against former DPRK subjects who've defected to South Korea. The channels used to menace defectors include emails, texts, social media, and voice calls. One defector told the Journal that he's been receiving spear phishing emails since May, and another continued to receive intimidating phone calls even after switching phone numbers.

ZDNet reports that researchers at Binary Defense discovered a bug in Emotet back in February that enabled them to develop what they describe as a combination of a kill switch and a vaccine for the Trojan. The flaw was introduced by Emotet's developers on February 6th, and it involved the way the malware uses a Windows registry key for persistence, as well as for various code checks during its execution. This key was predictable, since it was based on each device's volume serial number. Binary Defense researchers wrote a PowerShell script dubbed EmoCrash that generated a malformed version of this registry key and triggered a buffer overflow vulnerability during Emotet's installation, which would crash the malware before it finished installing. The crash also generated two easily detectable event logs, enabling defenders to identify systems where Emotet was incapacitated. Binary Defense worked with security research non-profit Team Cymru to distribute the tool to national computer emergency response teams around the world. Everyone with knowledge of EmoCrash kept its existence secret to prevent the Emotet crew from finding out about it. Emotet's developers patched the flaw on August 6th, which is why Binary Defense is revealing the operation now. It's not clear if the developers found the flaw or fixed it by accident, but they were most likely aware that there was a bug somewhere in the code. The researchers don't know how many organizations deployed their tool since they intentionally didn't collect telemetry, but they believe EmoCrash made a significant dent in Emotet's operations over the past six months.
The U.S. Cybersecurity and Infrastructure Security Agency warns of widespread use of malicious Microsoft Word documents carrying the KONNI remote access trojan as a payload. The documents contain VBA macros that can change the font color from light gray to black in order to trick users into enabling content, while using the command line to download KONNI in the background. KONNI has all the expected functionalities of a capable RAT. The malware has in the past been linked to North Korean cyber operators, although CISA doesn't attribute this campaign to any specific actor.
Group-IB describes a previously undisclosed Russophone APT dubbed RedCurl, which has been conducting corporate espionage since at least 2018. The security firm has observed 26 attacks against 14 victim organizations distributed across Russia, Ukraine, Canada, Germany, the United Kingdom, and Norway. The group sends well-crafted spear phishing emails, often posing as real HR employees and targeting specific departments within the companies. The emails contain links to download the group's custom Trojan, which is hosted on legitimate cloud infrastructure. The malware also uses legitimate cloud services to convey communication to the attacker's command and control server. Group-IB thinks RedCurl is a hired gun, possibly working to collect business intelligence on behalf of victims' competitors. The researchers say, quote, in all campaigns, RedCurl's main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction.
Threatpost warns that a proof-of-concept exploit for two known bugs in Apache Struts 2 was published to GitHub on Friday. One of the vulnerabilities can lead to remote code execution, and users of Struts 2 are urged to update to the latest version.

A U.S. executive order issued Friday takes note of ByteDance's acquisition of Musical.ly and the integration of that acquisition into TikTok. The order served notice that ByteDance had 90 days to divest itself of TikTok and to delete any data it had collected from U.S.-based users of TikTok and Musical.ly.
The U.S. Commerce Department this morning announced more restrictions on Huawei's access to U.S.-made semiconductors. A new amendment to the Foreign-Produced Direct Product Rule applies the restrictions to any transactions, one, where U.S. software or technology is the basis for a foreign-produced item that will be incorporated into or will be used in the production or development of any part, component, or equipment produced, purchased, or ordered by any Huawei entity on the entity list, or, two, when any Huawei entity on the entity list is a party to such a transaction, such as purchaser, intermediate consignee, ultimate consignee, or end user, end quote. The amendment also adds 38 additional Huawei affiliates from 21 countries to the entity list. The U.S. State Department said in a press release that the amendment will prevent Huawei from circumventing U.S. law through alternative chip production and provision of off-the-shelf chips produced with tools acquired from the United States. This measure follows the more limited expansion of the foreign direct product rule in May, which Huawei has continuously tried to evade.
And finally, the Register reports that 94 public schools in Australia's capital territory will be operating without email for the rest of the week after some naughty students abused a global distribution list to send smut and other unwanted content to all of their peers. Many recipients of the emails used Reply All to complain about the issue, which further clogged up the system. The local education directorate has blocked access to Gmail, Google Drive, and Google Classroom while they clean up the mess.
And joining me once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer,
and he is the host of the CSO Perspectives podcast.
Rick, it's always great to have you back.
Hey, Dave.
So this week on CSO Perspectives, you are covering data loss protection.
Let's dig in here.
First of all, definitions.
What does that mean?
Well, that's a good question, right? And it is not a universal answer. I don't think there's one clear answer to what everybody thinks, okay? And also, it's not clear what we should be doing, okay? I say that because it always comes down to this idea of a risk equation. And what I mean by that is we have tools and processes, you know, that can help us reduce the impact to our organization if a hacker steals or corrupts our data somehow. These things have been around forever, like creating backups in multiple locations, destroying unused data, labeling data that might be material so at least we know what it is, and then encrypting it at rest and in transit and wherever the backups reside, right? But we still have to be aware of the business requirements. You know, the risk of some of the data that flows through our networks getting out or getting destroyed has to be weighed against what the business leaders need to run the business. You know, they might even understand the risk, but decide anyway that the more important task is to keep the business running at high velocity without any friction that I might inject because I need my DLP program to function, you know. So I was talking to Tom Quinn about this yesterday. He is the CISO at T. Rowe Price. He's been there just over four years. And he's also one of our subject matter experts that comes to the hash table to discuss these kinds of issues. Here's what he said.

You really need to understand what the business expects from its data, right? It may be more important to have the data be high velocity and moving where it needs to without a lot of restriction, even though it is sensitive. You know, data wants to be free. And the faster the velocity of data, the better, you know, often it's the better outcome because you want to get the right data at the right time to the right people. So velocity really does matter. But eventually, right, data needs to be opened, right? Data needs to be available to people to do the work that they can.

Interesting stuff, Rick. What do you make of that?

I think the bottom line here is that, first, not all data is important, or at least as important as all the CISOs think it is. And even protecting the data that is may not overrule the business requirements to deliver it at high velocity.
You know, it makes me think back to my days in creative fields where there'd be this chart that's very popular.
People would say, you know, good, fast, cheap, pick any two.
It's exactly right.
And I wonder, is there a version of that for what we're talking about here?
You know, could it be, you know, safe, fast, cheap?
Pick any two.
I don't know if that works or not,
but it's something to think about maybe.
It's going to be my new model going forward, right?
I do think that, you know, as a CISO,
I have to make the case to the business leader
that this is something we need to do something about,
this particular situation.
And either I make the case to the business leader,
and we all decide that something has to be done, or I don't.
And that's okay, because he's the one running the business,
and he has to make that call, and I'm okay with that.
Yeah, that's interesting. I mean, how much of, I don't know, you know, covering your tail happens with these sorts of things, too, where the practical reality of the person who's the CISO being able to say, I told you guys, you didn't listen, right? I told you.

I'm not going to admit here in public that I've used that in my own mind, right? I told you about the risk, okay? You guys decided not to do it, right? So.

Yeah, yeah.
All right. Well, it's CSO Perspectives.
It's part of Cyber Wire Pro.
Do check it out.
Rick Howard, thanks for joining us.
Thank you, sir.
And I'm pleased to be joined once again by Chris Novak.
He is the director of the Verizon Threat Research Advisory Center.
Chris, it's great to have you back.
I wanted to touch today on cyber insurance and particularly how people are coming to rely on it in responding to data breaches and some of the things that you and your team are tracking when it comes to that area.

Absolutely. Yeah. Pleasure to be with you. Yeah. Cyber insurance is kind of a funny topic that started to really peak. In fact, we're seeing more and more organizations leaning heavily on their cyber insurance when they have an incident. And I think one of the key things that really stands out, in fact, we get this question a lot is, well, do I need incident response if I have cyber insurance? And the way I really approach it is, in fact, a lot of times when I talk about cybersecurity, I draw analogies to healthcare. And I say, it's much like healthcare. You may have a medical insurance company, but you do not go to the insurance company to have a surgery done. They may tell you who's approved under that healthcare plan. They may tell you what your coverage limits are. And you would then typically go to your doctor or your surgeon to actually have whatever the procedure is taken care of. And sometimes there's some confusion in the industry around that, that, well, I've got insurance. I don't need to plan or prepare or I don't need playbooks or policies. I'll just rely on my insurance to make everything right. And obviously that can sometimes trip people up when they actually have an incident and find out, oh, my insurance company isn't actually the one doing the investigation or the incident response. I now need to, quote, find that doctor.

And how much back and forth is there between, say, the incident response team and the insurance company, you know, of, okay, here's what we think, here's what we think this is going to cost, you know, is that a collaborative process when these things kick into gear?
Yeah, it typically is. In fact, generally speaking, when an incident response would kick off, you know, it's not uncommon for our incident responders to actually outright ask the customer, hey, do you have cyber insurance? If you do, you should probably give them a call. Just make them aware of the fact that you have an issue that you might be making a claim on because generally speaking, they want to be involved, just like your health insurance typically wants to understand what you're doing from a healthcare perspective so they can understand how to, you know, handle the claims and all that kind of stuff. And typically, you know, most of the incident responders out there, you know, for example, we work with dozens of cyber insurance companies around the world. We're pre-vetted, so we know what the process typically looks like and help kind of guide our customers through it. But at the same time, their insurance company may have input that they want to impart as things go along in terms of understanding the size, the scope, and ultimately, obviously, like anything, they'd like to understand, you know, the root cause as well to determine whether or not certain things may or may not be covered.
You know, to that point, do you have any tips for folks who are out there shopping around for cyber insurance?
Any questions they should be sure to ask their insurance agents to make sure that what they think they're getting is what they're actually getting?
Yeah, that's a great point. And one of the things that I always recommend organizations do is, you know, just like, you know, with health care insurance, you want to make sure that your healthcare insurance gives you the coverage that you want and feel that you need. So obviously you want to kick the tires on the coverage limits, understand any potential exclusions. And then also if you're an organization that may have a global footprint, you want to understand whether or not it's going to cover you in all the places that you may actually have, you know, people, data and facilities. And then also you want to make sure just like in healthcare, if you have a doctor or a facility that you want to be able to use, you want to make sure that they're, quote, in network, if you will. You want to make sure that you don't run into a situation where you have a health scare or you have a cyber incident that pops up, only to find out that the incident responder you were planning to use isn't one that's working with your insurance company.
So you always want to kind of bring those together.
In fact, a lot of times what we'll even do
is work collaboratively with a client and their insurance
and say, hey, maybe we'll do a tabletop exercise
or something like that together
so that all the parties can kind of get a feel
for what it looks like in the event
of an actual live incident,
how we would all actually work together
and make that process as smooth as possible.
Yeah, because the last thing anybody wants is surprises when you're in the midst of an incident.
Exactly.
Yeah. All right. Well, Chris Novak, thanks for joining us.
Thank you. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called Security, Ha! I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. Our podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Harold Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Ivan, Rick Howard, Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.