CyberWire Daily - North Korean and Chinese cyber espionage. Updates on Texas ransomware. Steam zero-day released.
Episode Date: August 22, 2019
A North Korean cyber espionage campaign targets universities, think tanks, and foreign ministries. Chinese cyber spies go after the healthcare sector. A bug hunter discloses a zero-day for Steam. Updates on the Texas ransomware attacks. Adult sites leak user information. And Veracruz fans hack their club president's Twitter account to express their displeasure. Guest is Stewart Kantor, CFO and co-founder of Ondas Networks, on securing licensed spectrum. Emily Wilson from Terbium Labs on phishing kits.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A North Korean cyber espionage campaign targets universities, think tanks, and foreign ministries. Chinese cyber spies go after the health care sector. A bug hunter discloses a zero day for Steam. Updates on the Texas ransomware attacks. Adult sites leak user information. And Veracruz fans hack their president's Twitter account to express their displeasure.

From the Cyber Wire studios at DataTribe, I'm Bennett Moe, filling in again for Dave Bittner with your Cyber Wire summary for Thursday, August 22, 2019.
Researchers at Anomali report finding an active North Korean cyber espionage campaign directed against universities, think tanks, and foreign ministries.
The infection method is phishing, with a malicious payload taking victims to fake websites.
In some instances, the bogus websites masqueraded as login pages for government diplomatic portals.
The threat group is thought to be connected to Pyongyang's missile program.
FireEye has described ongoing cyber espionage directed against the healthcare sector. The researchers associate the campaign with the Chinese government. It seems to have two goals. First, the operators are interested in simply acquiring large quantities of personal information, a goal many such campaigns have. The more you have on people, so the thinking goes, particularly among services that devote themselves to large-scale unfocused collection, the likelier you are to be able to turn them into assets. And second, the campaign appears to be particularly interested in cancer research. This would seem to represent a phase in long-standing efforts to acquire valuable intellectual property.

A researcher has disclosed a second zero-day vulnerability in Valve's Steam platform. The issue is thought to affect more than 96 million users worldwide. There's a bug bounty angle to this story. The researcher who found and reported the flaw, Vasily Kravets, had disclosed an earlier bug to Valve under the company's bug bounty program. Valve decided the privilege escalation problem wasn't serious enough to patch and declined to pay Kravets. User outrage (and as you know, gamers can be a touchy crowd) induced Valve to move a patch out quickly, only to suffer further embarrassment when a different feature showed that the patch was easy to work around. Anyway, disappointed with Valve's reception, one that included banning him from the bug bounty program, Kravets decided to simply take his recent discovery to the public.

A few updates on the ransomware infestation in the Lone Star State. Detailed information about the coordinated ransomware attack that hit local government targets in Texas last Friday remains sparse, but Ars Technica and Wired have compilations of what's known so far. The number of affected organizations has been fixed at 23. The attacks did come from a single source that authorities declined to name. The affected organizations also haven't been named, but the names of a few of the local governments have emerged, as some of the locals are being less tight-lipped than the state officials. Lubbock County, population 279,000, one of the larger units, seems to have ridden out the attack with the least damage. The smaller towns of Borger, population 13,000, Kaufman, 6,700 inhabitants, Keene, home to 6,500, and Wilmer, with 3,600 people, struggled a bit more. The mayor of Keene says the attackers demanded a total of 2.5 million from all of their victims. Ransomware in general has gone up this year. Estimates of its increase range from IBM's low of 116% to Malwarebytes' high of 365%. Criminals continue to find local governments attractive targets.

Licensed spectrum presents its own security challenges. Today's guest, Stewart Kantor, CFO and co-founder of Ondas Networks, talks with Dave about the ins and outs of securing licensed spectrum.
So today we're going to be talking about critical infrastructure and wireless spectrum. Can you give us a little bit of the background, sort of leading up to where we are today and where things stand, where we find ourselves?

As we all know, we've all been adopting wireless technology at a rapid pace. I think if we rolled back the clock to the mid-1980s, you would see that the technology out there on the wireless side was mostly cordless phones, right? That was the great innovation in the 80s. And then, along with cellular technology, introducing analog versions in the late 80s and early 90s, and then digital wireless technology, which ballooned in the 90s. What we've seen is an ever-increasing, I'd say, grab for wireless spectrum to offer voice and data services.

And so where have the pressures been to assign that spectrum to all of the different organizations who would like to use it? How has that process played out?

Well, initially, to stimulate the markets, the spectrum was awarded to different parties with the idea that they were going to put the spectrum to use for the public benefit. In the early 90s an idea in the United States came about, which was, we can sell these frequencies to the highest bidder, and that will drive an economic model where more services will be delivered. So there's been an evolution in thought behind the public airwaves, which is to auction them in an economic model where people would compete for the spectrum and then offer services. That has had a dramatic impact on the evolution of how the airwaves are used and who controls them. And we see that being played out every day. And so now what has happened, and this is heavily in the United States, you see this bifurcation between what they call unlicensed frequencies, so your Wi-Fi and Bluetooth, which are really sort of personal area networks, and then your wide area networks, which are heavily controlled by the major wireless operators.

Now, when it comes to critical infrastructure and their usage of spectrum, who are the heavy hitters here? Who are the folks who are really dependent on the spectrum here?

The FCC has come up with a definition of critical infrastructure, and in our opinion it's fairly limited. It has pretty much been first responders and, to some extent, some transportation falling under critical infrastructure. Pretty much everybody else is not included. But if you were to meet with a lot of our customers, the oil and gas suppliers, the electric utilities, the water utilities, they would all make an argument that they should fall under critical infrastructure. But today it's very separated and it's very limited in the description.

In terms of looking towards the future, obviously there's a lot of excitement about 5G coming. How do you see that playing out, and how does that play into the kind of things that you all are working on?

Right, so 5G is an interesting evolution in cellular networks, but I think going back to one of the things I discussed early on, if you think about the evolution of wireless networks starting back in the mid to late 80s, it was really very limited voice traffic, not a lot of capacity. As the networks evolved, they became digital to get more voice traffic over those same channels, and then the evolution to data networks. So 5G, I think one of the things I try to tell people is that a lot of these numbers and letters sound exciting, but it really often comes back to two issues, capacity and coverage. So that's really been the game that the wireless industry has been focused on since its inception, which is making sure you have coverage so people can use the devices and then adding more capacity. And so I think the general excitement, I think, from a carrier perspective is that 5G allows them to push more capacity to their users. So the users will effectively be able to see much higher throughput, and potentially it will even compete with the cable operators that are delivering high-speed video to your home. So in some ways, it's my opinion that 5G is really a race for consumer data traffic, high bandwidth to the consumer market.

That's Stewart Kantor, CFO and co-founder of Ondas Networks.
So here are a few more reasons not to do something you knew better than to do in the first place. And what would that be? Downloading, and what somehow seems worse, uploading adult content from and to a niche adult site. vpnMentor researchers say they found one such site, Luscious, is leaky. That is, data on the roughly 1 million registered users could reveal information such as usernames, personal email addresses, user activity logs, country of residence, and gender. Luscious specializes in risqué hentai, the researchers at vpnMentor noticed in the course of their entirely work-related studies. One bit of information the researchers noticed was that a lot of the users registered using their official government email accounts. A pro tip, otaku: it's rarely a good idea for civil servants to sign up for fan service with your work email. The nations most heavily represented among Luscious users are Germany and France. Either Canada or Australia leads the English-speaking world. Canada's on top, but it's not clear how many of its users might be Francophones from Quebec or the Maritimes. And that introduces the uncertainty. We offer some free advice to our audience. What happens on a website doesn't necessarily stay on that website. It's not like Vegas. It's not even like Atlantic City.

And finally, ESPN reports that impassioned and evidently very disappointed fans of Veracruz's losing football side have hacked the club's president's Twitter account because he's, quote, tarnishing the badge, and because doing so is their first step in, quote, taking back their club. This would seem to represent a new variety of hacktivism. Perhaps hacking by enraged, long-suffering fans of sports teams deserves its own name. Feel free to send us your suggestions. And please, sports fans, don't emulate the Veracruz supporters. If protest you must, consider wearing a paper bag with eye holes or something like that. And yes, Baltimore Orioles fans, we're looking at you. Come on, the birds are rebuilding. Don't foul the nest.
And joining me once again is Emily Wilson. She's the VP of Research at Terbium Labs. Emily, it's always great to have you back. We had an article come by. This was from CyberScoop. It's titled, "Phishing kits are licensed, managed, and pirated like any other legitimate software." This is written by Shannon Vavra. What do you make of this?

So I think this is a really interesting development and sign of maturation in the dark web fraud economy. There's an expectation now that some of the materials that people are creating are intellectual property. You know, right, the article talks about licensing fees and expectations that people will use this and not share it around. We see that developing in more and more materials. One example that comes to mind is some of the fraud guides. You know, I did some research earlier this year looking at these fraud guides, these manuals on how to do crime. And a lot of them contain things like referral links, the same way as you might see for a social media influencer. Others contained copyrights or warnings not to share the information, don't distribute it. And of course, this same guide with all of these warnings and all of these copyrights would show up in six or seven different mega packs of guides. So of course they're being widely distributed. No one's going to follow that. But the idea that there's this instinct in here to say, hey, don't share this around or don't sell this off to anybody else, you know, make them come to me to get it, I think is a really interesting setup for illicit activity.

Is that the ego of some of the folks who are putting these together showing through, or is it that these are the real full-time jobs for some of these people?

A little bit of both. There's definitely a desire for maintaining and monitoring your own brand, especially in an illicit economy where all you have is your brand. You rely on people knowing who you are and knowing that your materials are good. If someone steals that material and puts it into a new PDF with their branding, then that's encroaching on your market share. As to the question of whether these are full-time jobs, in some cases, yes. There are a lot of different pieces here that people can supply in this fraud economy. Think about things like contact lists. You can sell the same contact list over and over again and people will pay for it, right? You set that up and you let it just run and people will keep buying it. That's sort of a hands-off project. Set it up once, set it and forget it, effectively. Same thing for these guides. You write these guides, maybe you need to update them, but again, you can just sort of have your listing, you can re-promote it, you can change the image, but the fundamental materials remain the same. Those are scalable operations. Then you have things like the phishing pages. And the article mentions these. I think these are really interesting. We've seen now people develop these branded phishing pages where you can just go in, you pick the brand you want. The article mentions Apple. I've seen some major banks. I've seen some retailers who were hit with this. And you sell off the HTML and all of the information that you need to just insert and set up your phishing page, right? Your phishing page in a box. And so that takes away, you know, that sort of abstracts away a lot of the effort to get the fonts right, to get the page layout right. It's all done for you. And yes, you would need to update those as the websites get updated. You would need to adapt them. If a website is now running some sort of new branding campaign, maybe you update it, maybe you don't. It depends on what sort of user you think is going to click on these links. Are they going to notice that this new Apple phishing page doesn't have the latest iPad on it? Maybe, maybe not. You know, for how much money you're going to spend on it, do you really care? As long as you get some success? Probably not.

Yeah, that is fascinating. How much of this is, we've entered this era of kind of plug and play, where you don't need to have the technical sophistication to head off down the path of doing these crimes?

You can buy solutions out of the box. You can find consultants and contractors to do some of this work for you. I also think about some of the ransomware or malware schemes that we know have these setup wizards or have these nice glossy user interfaces where you can track the success of your campaign. Salesforce, but for crime. You can see all of these metrics and you can generate these reports. This is the way that the technology is advancing, which says that the criminal market thinks that there's a demand for this. They can draw in new users, right? They can gather more market share. This is one more example in my book of how stable and resilient this fraud economy is. People are finding new ways to make it easier for customers to use their goods and services. And that should be concerning to all of us because, of course, we're going to be the ones who are receiving those phishing emails.

All right. Well, Emily Wilson, thanks for joining us.

Thanks.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.