CyberWire Daily - Notes on cyber conflict. Lazarus Group blamed for the Harmony cryptocurrency heist. MedusaLocker warning. Observation of the C2C market. The Crypto Queen cracks the FBI’s Ten Most Wanted.
Episode Date: July 1, 2022

An update on the DDoS attack against Norway. NATO's resolutions on cyber security. North Korea seems to be behind the Harmony cryptocurrency heist. MedusaLocker warnings. Microsoft sees improvements in a gang's technique. Google blocks underworld domains. The Israeli-Iranian conflict in cyberspace. Chris Novak from Verizon with his take on this year's DBIR. Our guest is Jason Clark of Netskope on the dynamic challenges of a remote workforce. And now among the FBI's Ten Most Wanted: one Crypto Queen. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/126

Selected reading.
Pro-Russian hackers launched a massive DDoS attack against Norway (Security Affairs)
NATO establishes program to coordinate rapid response to cyberattacks (POLITICO)
NATO to create cyber rapid response force, increase cyber defense aid to Ukraine (CyberScoop)
FACT SHEET: The 2022 NATO Summit in Madrid (The White House)
North Korean Lazarus hackers linked to Harmony bridge theft (TechCrunch)
North Korea Suspected of Plundering Crypto to Fund Weapons Programs (Wall Street Journal)
Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests (Reuters)
CISA Alert AA22-181A – #StopRansomware: MedusaLocker (CISA Cybersecurity Alerts with the CyberWire)
#StopRansomware: MedusaLocker (CISA)
Microsoft warning: This malware that targets Linux just got a big update (ZDNet)
Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers (The Hacker News)
Google blocked dozens of domains used by hack-for-hire groups (BleepingComputer)
Countering hack-for-hire groups (Google)
Gantz orders probe after TV reports hint IDF behind Iran steel plant cyberattack (Times of Israel)
Proofpoint: Zionist covert operation? (PressTV)
Zionist intelligence company cyberattacked by Iraqi hackers (Mehr)
FBI Offers $100,000 Reward for Capture of Ten Most Wanted Fugitive 'Cryptoqueen' (FBI)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
An update on the DDoS attacks against Norway.
NATO's resolutions on cybersecurity,
North Korea seems to be behind the Harmony cryptocurrency heist,
MedusaLocker warnings,
Microsoft sees improvements in a gang's technique,
Google blocks underworld domains,
the Israeli-Iranian conflict in cyberspace,
Chris Novak from Verizon with his take on this year's DBIR.
Our guest is Jason Clark of Netskope on the dynamic challenges of a remote workforce.
And now, among the FBI's 10 most wanted, one crypto queen.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 1st, 2022.
Killnet's cyber-spetsnaz continues to look more like a state-directed operation
than it does a spontaneously aroused group of patriotic hacktivists.
Security Affairs has an account of the various units now claiming adherence to the Killnet collective.
These include, most recently, Sparta, which says its remit is sabotage.
Beyond Sparta, Security Affairs' Killnet scorecard looks like this.
Phoenix coordinated its activities with another division called RAID,
who previously attacked government resources in Poland,
including the Ministry of Foreign Affairs, Senate, Border Control, and Police.
Other divisions involved in the DDoS attacks include
Vera, FasteningGang, Mirai, Jackie, DDoSGang, and Sakurajima, who previously attacked multiple
web resources in Germany. The aim of the operations seems to be influence, not really
serious disruption or disablement, and the DDoS attacks in Norway have been a nuisance
as opposed to a serious consequential attack.
NATO's Madrid summit this week addressed the threat Russia poses to its neighbors,
vividly on display in the special military operation.
The White House has offered the U.S. reading of how the Atlantic Alliance
intends to address the Russian cyber threat specifically through strengthened cyber resilience and defense. A White House statement says,
building on last year's adoption of a new cyber defense policy for NATO, allied leaders will
endorse a new action plan to strengthen cyber cooperation across the political, military,
and technical levels. As an operational domain for
NATO, cyber will also be a key component of NATO's strengthened deterrence and defense posture.
Building on lessons learned from the conflict in Ukraine, allies will decide at the summit to use
NATO as a coordination platform for offering national assets to build and exercise a virtual rapid response cyber capability
to respond to a serious cyber attack.
The United States will offer robust national capabilities as part of this support network.
So, a rapid cyber response capability is expected to become
at least as important as conventional kinetic capability.
The Wall Street Journal reports that efforts to launder some $100 million
taken in last week's looting of Harmony's Horizon blockchain bridge,
a service that enables the transfer of funds from one blockchain to another,
appear to be the work of North Korean state-sponsored threat actors.
TechCrunch notes that strong circumstantial evidence
points to the long-familiar Lazarus Group
as the operators behind the theft.
The U.S. government sees such theft
as a principal North Korean means
of funding its advanced nuclear and ballistic missile programs.
Why the unseemly haste to launder the stolen altcoin?
Things have changed, and they're not working out as well for Pyongyang as they once did.
Reuters reported earlier this week that the current crash in cryptocurrency values
has given the DPRK's weapons programs a bit of a haircut,
which explains the urgency on display in the Lazarus Group's money laundering efforts.
Times are tough all over.
CISA and its partners, the FBI, the Department of the Treasury,
and the Financial Crimes Enforcement Network,
warn that MedusaLocker ransomware operators are now relying, for the most part,
on exploiting vulnerabilities in remote desktop protocol to access their victims' networks.
MedusaLocker is a ransomware-as-a-service operation
in which the proprietors split the take with their affiliates.
Microsoft warns that the 8220 gang,
a criminal group that's been around for a few years,
is improving its ability to attack Linux devices.
8220 is running crypto-jacking attacks
that install a coin miner in the victim's systems.
Redmond says, to protect networks against this threat, organizations should secure systems and
servers, apply updates, and use good credential hygiene. Always good advice, and as always,
we note in full disclosure that Microsoft is a CyberWire partner. Google's Threat Analysis Group has published an account of its observations of hack-for-hire groups,
a subsector of the criminal-to-criminal market that specializes in account compromise and data exfiltration.
Recent hack-for-hire campaigns have been run by operators in India, Russia, and the United Arab Emirates.
Hack-for-hire operators are essentially an illicit counterpart of firms who provide lawful intercept capabilities to governments.
They differ from the lawful intercept companies, however,
in at least one important way.
The vendors themselves are engaged in the operation.
Google, which has blocked a number of the hack-for-hire domains it's located, explains,
they say, and opportunistically take advantage of known security flaws when undertaking their campaigns.
Both, however, enable attacks by those who would otherwise lack the capabilities to do so.
State-versus-state cyber conflict news has been dominated since January by Russian campaigns against Ukraine,
but it's worth remembering that cyber and hybrid conflicts are in progress elsewhere as well.
The long-running tension between Iran and Israel is an evergreen example.
Reports earlier this week attributed disruption of steel production at a major Iranian mill to an Israeli cyber attack.
The action, which Iran says it quickly mitigated, was attributed to a nominally hacktivist group, Predatory Sparrow,
but speculation in the Israeli press suggests that Predatory Sparrow might be a front group
used by a nation-state to achieve deniability. Iran has no shortage of nation-states who don't
necessarily wish Tehran success, and those include, in the Jerusalem Post's accounting,
the U.S., the Saudis, the UAE,
and others with significant cyber capabilities. Prominent among those others is, of course,
Israel, as the Post itself points out. Israel's defense ministry is treating the reporting as
prima facie evidence of an illicit leak, and the Times of Israel reports that Defense Minister Gantz has ordered an
investigation into the leak, not the cyber attack. Iranian media have taken an interesting tack in
the ongoing information conflict with Israel, asserting that specific Israeli companies are
engaged in illicit cyber operations. Mentioned in dispatches are, specifically, Proofpoint, which PressTV says is connected with
Israel's Unit 8200 and engaged in a covert campaign to intercept the email traffic of U.S.
media companies, and mobile forensics company Cellebrite, which the Mehr news agency says is
now being targeted, and rightly so in Mehr's view, by Iraqi hacktivists,
presumably in retaliation for the company's provision of forensic technology to Israeli authorities.
Presumably, the hope is that other Israeli companies will draw the same hostile scrutiny that's been directed at the NSO group, the proprietors of the Pegasus intercept tool.
In these cases, that hope seems a long shot.
And finally, the FBI has added a new member to its most wanted list.
Ms. Ruja Ignatova, formerly styled as the Crypto Queen and the founder of OneCoin,
which the U.S. Department of Justice maintains was a Ponzi scheme,
cracked the top ten, and it was well-earned.
She's alleged to have defrauded investors of around $4 billion
—that's billion with a B—
before she quietly went into hiding back in 2017.
She's been tough to track down,
her holiday being well-funded by the cool $500 million she allegedly got away with
and is no doubt using to live it up
in parts unknown. Anywho, Ms. Ignatova is out there in the wind, and the feds want her for
one count each of conspiracy to commit wire fraud, wire fraud, conspiracy to commit money laundering,
conspiracy to commit securities fraud, and securities fraud.
So be on the lookout, citizens.
The Bureau says there's a $100,000 reward for information leading to determination of her whereabouts. If you know where she is, or if you'd like to cop to being one of the marks,
she allegedly, we say, allegedly swindled, dial 1-800-CALL-FBI.
Operators are standing by, so act now.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when
it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000
companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io. Over the past couple of years through COVID and the ascension of threats like
ransomware, security pros have found it necessary to be more flexible than ever, to adapt to the
needs of the people they are charged with protecting to meet them where they live. Jason Clark is chief security and strategy officer at security firm
Netskope, and I asked him for his perspective on the new normal. What I'm seeing is definitely
this hybrid work is becoming a very, you know, very important term where we were, you know,
we were all on-prem and then we were 100%
off-prem, which obviously accelerated the movement of cloud modernization and the adoption of SaaS,
right? We saw people go from, you know, 100 SaaS apps to 2,000 SaaS apps in one company,
as an example, right? So just a massive shift in that. Now people are kind of going to, well,
it's really two days in the
office, three days in the office for certain industries, right? Not retail or manufacturing,
but most other industries are in some type of a, I work from home sometimes, I work from the office
sometimes, or I work from, you know, Starbucks other times, right? And so I think that's one
big thing that's probably, I'd say, is a change in making people rethink, you know, it's not one or the other.
Now it's something in between.
And as they do an operating model, right, they look at their security stack and make sure that, you know, they're kind of integrated in the execution of that.
These aren't two separate systems, right? They kind of have one brain overlooking the way that their employees are, you know,
driving, right, and enabling the business and, you know, from a technology standpoint.
And what sort of recommendations are you making for folks to make that as seamless
and friction-free for the employees, to be able to make that switch and have it be effortless?
So I kind of talked to it like that, you know,
you have, look at how much spend
and technology for security you have for the on-prem, right?
And come back with a percentage and numbers for that.
And then look how much you're spending for,
let's call it, you know, the hybrid aspects
when they're off the network.
And then how much are you spending for just cloud in general, cloud security?
And what you'll find is the majority of the spend in any global 2000 is still pretty heavy on-prem, right?
But yet you're kind of in this, you know, 90% of your users are mobile.
And generally most every organization, more than 50% of their apps is in the cloud now when you start adding SaaS.
And so I tell them it's kind of like a rubber band.
You're stretching your security, you know, far out, which also creates friction on your team, creates friction on the business because you're trying to secure from one location.
or you have three disparate solutions for each of those three scenarios,
and that you really need to do what, you know,
I think Gartner did a brilliant job of coming out with Security Service Edge,
as an example, SSE, to really recenter and get leverage in your security model and kind of center yourself with a cloud solution that can fulfill the on-prem scenarios
of everything outbound or egress,
right? And also solve the hybrid worker scenario while at the same time solving the cloud security
issue. Let me ask you this. I mean, does the organization who is starting up now, who's
taking a fresh approach, you know, a blank sheet of paper and looking at all the
options available for securing their organization, are they at a bit of an advantage now, you know,
being on the other side of things where we've had this huge shift to the cloud, that they're not
sort of dragging along some of that legacy stuff? Is that a fair way to look at it?
100%. Yes. I mean, I think anytime you can be greenfield and you're in a company that was started in the last 10 years, but you've just
had tremendous growth and success, right? That is, you know, you're in a much better spot.
You don't have, you know, all of that technical debt. You don't have a funky architecture, quite frankly, right? That
you're trying to piece together because of stuff that was built 20 and 30 years ago.
So anybody in a greenfield scenario is going to be, and honestly, most likely they're going to be
almost all in the cloud. And that allows you to get a lot more visibility, a lot more data, a lot more kind of trajectory
to see what's going on.
And so that security program is simpler.
Complexity is the enemy of security.
And so when you have any of the legacy stuff,
you have a lot of complexity,
trying to get to one identity solution as an example.
Most companies, even if you ask people how many data protection systems you have,
they'll tell you 10 to 12, right? But they're all trying to do the same thing, protect data.
You really want one brain to do that. And when you're a greenfield and you're all cloud,
you can have one brain. When you've got a lot of legacy systems, you have to find ways to
bring it all back to one brain that can make those decisions.
That's Jason Clark from Netskope. There's a lot more to this conversation. If you want to hear
more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access
to this and many more extended interviews.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, Thank you. run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And joining me once again is Chris Novak.
He is Managing Director of Security Professional Services for Verizon Business.
Chris, always great to welcome you back to the show.
It is that time of year, I think, for a lot of security professionals, one of their favorite times of the year. And, of course, I'm referring to the release of the Verizon DBIR report that I
think lots of people look forward to. Can we start off with just a little background here for folks
who may not be familiar with it? What's the significance of this report? Sure, Dave. Always
a pleasure to be here. Thanks for having me back. Yeah. So when we look at the DBIR, this is,
I've actually had the pleasure and fortune to
be part of the DBIR's creation since the very first iteration or publication of it now going
back 15 years. So kind of hard to believe, but when we first put the report together, the genesis
for anybody who's not familiar or was reading it for the first time was nobody was talking about
breaches. Everybody knew they were happening and they kind of snuck up in the news, and people were freaked out and worried, and everybody wanted to know what happened to victim A, B, or C.
How do I prevent it from happening to me?
You know, I'm in a similar industry, or I probably have similar data.
I might be attacked by similar threat actors.
You know, everybody thankfully wanted to know what they could do to improve, but the challenge was they felt that there wasn't really a great outlet for them to find that data and really factual data, right? There's plenty of
information out there in terms of marketing material for silver bullet technologies that'll
solve all your security problems, but people wanted real evidence-based data. And so when we
created that first DBIR back in 2008, that was the idea was let's take data from real breaches, real investigations.
At the time, it was just based on the work that my team did.
So if we did an investigation for customer A, B, or C, we would anonymize and aggregate that data together and then pull out what the salient points were that we could say, look, I don't have to, you know, I draw a lot of analogies between cyber and healthcare. I don't need to necessarily tell you who patient A, B, or C is,
but if I told you, look, I looked at a collection of patients that are of similar demographics and
background as you, and this is what led to health problems, and this is what led to a long, healthy
life, you know, you could use that information to hopefully, you know, bootstrap your own health.
And so that was the concept of the DBIR way back then and still today.
And now one of the biggest differences going over that 15-year span is in 2008, it was just the data from our own casework.
Now we have 80-plus contributing organizations that are also providing their evidence and their data.
So it builds out a much more well-rounded big picture
of what that threat landscape looks like.
Well, let's dig into this year's version of the report.
What are some of the things that stand out to you?
Sure. So there's more data in it than ever before.
Contributing organizations are up.
Some key standouts, ransomware continues to be big.
I think anybody who is not tracking on ransomware, you're probably hiding under a rock.
But to put real numbers on it, it increased 13% over the previous year.
And this was a bigger jump than the last five years combined.
And I know some folks may be looking at that and going, 13% increase doesn't sound like all that much.
But when you consider that we're looking at, you know, over 5,000 breaches and almost 24,000 incidents, you know, that's a pretty sizable jump.
Anything in this year's report that is surprising to you?
Anything bubble up that wasn't expected?
You know, I would say that it's hard because when I look at it so closely, I feel like I expect a lot of what I see.
But I think if you're not knee deep in the data and in the incidents, there's a few things that I would say are really takeaways.
You know, one thing that jumped out, I thought, interestingly, was around supply chain.
You know, we've seen a handful of big supply chain events over the course of the last year to two years. And I think that's an area where we're just going to continue to see activity happen
as organizations bolster their own security.
And then also we see a lot of changes in the way organizations are working as it relates to COVID.
People are moving more things, more workloads to third parties.
They're relying on more as-a-service type of things.
And not necessarily that any of those things are inherently bad or present security problems in and of themselves.
But the more you rely on someone else, it also means the more you're relying on their security.
And we see that threat actors are getting smarter and realizing maybe I don't go headfirst right at the front door of my target, maybe I kind of take the side door or the back door through some supplier or third party that either has access to them, their data,
or some other connectivity. So the supply chain piece, I think, is something that is important
for everybody to be watching very closely. We've got some good kind of anecdotes and data points
in the report around that. You know, you mentioned how many more organizations are contributing to
the report this year.
And to me, that's one of the great success stories of this report.
As you say, it's been, you know, 15 years or so that you've been a part of it and that Verizon has been heading up the charge on this.
I'm curious, you know, behind the scenes, have there ever been, have you ever had to stand up and, I don't know, you know, beat back the marketing
department and say, no, we're keeping this report pure and here's why. That is a topic that comes
up often. I will say that that is something that, you know, I have to give the team a lot of credit.
You know, the team has worked very hard over the last 15 years to make sure that the report stays
open, freely accessible.
It's not behind a paywall or anything like that. And part of that also is, you know, promises and
commitments we make to our data, you know, contributing partners that, you know, look, if
they're going to contribute data, we agree that we're going to make this openly accessible
and freely available to the masses. Because the key here is, is it's not, you know, it's not
intended to be a marketing tool for selling an
object or a service or a product. It's really intended to be educational awareness. And in
order for that to be effective, we really need to kind of have a hands-off approach as it relates
to some of the, you know, maybe some of the marketing or sales angles. We really want people
to read it for the data that's in it and how it can be useful. And I think, honestly, that's why
we've seen an uptick in usage of it in college curriculums and various university
programs. They look at the data and there's really something there that they can sink their teeth
into and make good use of. And hopefully also we see the same thing from our CISO consumers of it
as well. When they're looking at it, they feel like they can actually take what they read and apply that to how they mature their security programs.
Well, congratulations on the publication of another year's DBIR and continued success in the future, Chris.
Thank you, Dave. Pleasure.
Chris Novak, thanks for joining us. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't miss this weekend's Research Saturday.
In my conversation with Larry Cashdollar from Akamai,
we're discussing a DDoS campaign claiming to be REvil. That's Research Saturday. Check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Thanks for listening.
We'll see you back here next week. Thank you. into innovative uses that deliver measurable impact. Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.