CyberWire Daily - Operation Shadow Web rolls up carding gang. Fancy Bear sightings. DPRK buying zero-days? Cryptojacking ICS. Huawei, ZTE get Congressional razzing. Jita scams.
Episode Date: February 8, 2018
In today's podcast we hear that Operation Shadow Web has taken down the Infraud criminal carding gang. Two more Fancy Bear sightings—one in voter databases, one in Defense contractor emails. North Korea may have purchased its Flash Player zero-day from a third party. Cryptojacking hits a European water utility. US Senate considers banning Huawei and ZTE from Federal use. Johannes Ullrich on cryptocurrency theft, and advice for protecting your virtual currency. Guest is Christopher Doman from AlienVault on their discovery of a Monero cryptocurrency miner linked to North Korea. And no, Messrs. McAfee and Musk aren't Nigerian princes, and they're not giving away Bitcoin.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Operation Shadow Web takes down the Infraud criminal carding gang.
We've got two more Fancy Bear sightings, one in voter databases, one in defense contractor emails. North Korea may have purchased its Flash Player zero-day from a third party.
Cryptojacking hits a European water utility. The U.S. Senate considers banning Huawei and ZTE
from federal use. And no, Messrs. McAfee and Musk aren't Nigerian princes, and they're not giving away Bitcoin either.
I'm Dave Bittner with your CyberWire summary for Thursday, February 8, 2018.
A U.S.-led international effort has taken down the long-running Infraud carding gang,
thought responsible for more than $530 million in losses to consumers over the last seven years.
36 alleged hoods have been indicted, 13 of them are in custody.
The rest are on the lam.
Infraud, known for its motto, "In Fraud We Trust," began as a run-of-the-mill carding forum,
moved into the sale of fullz, and eventually became a large and influential full-service criminal market where hoods traded and refined their attack techniques. It was hierarchical and cellular,
with participants often not known to one another. It was allegedly run by one Svyatoslav Bondarenko,
also known as Obnon, Rector, and Helkern, of Ukraine. The other people charged come from Pakistan, France, Serbia, Egypt, Kosovo, Macedonia,
Bangladesh, Russia, Moldova, Italy, Australia, the Ivory Coast, Canada, the United Kingdom
and the United States.
They range from kingpins to moderators to low-level stiffs.
The takedown is called Operation Shadow Web.
Police in Australia, France, Italy, Kosovo, Serbia, the UK, and the US all made arrests.
Authorities in Albania and Luxembourg were there for the assist.
Three quick updates on investigations into apparent state-sponsored cyber operations.
The US Department of Homeland Security's cybersecurity lead, Jeanette Manfra,
said that Russia's GRU,
that's Fancy Bear, targeted voter registration data in 21 states and succeeded in a few cases.
She said data were not manipulated during the incidents, which have been discussed on and off
since late 2016. That there were intrusions into state voting records has been strongly
suspected for a long time. The latest statement, which DHS declined on security grounds to discuss further,
revives a long-standing concern. An AP report describes another Fancy Bear campaign,
this one a phishing expedition against mostly U.S. defense contractors for technical intelligence.
The technical areas Fancy Bear pawed at include aircraft stealth,
rocket and missile systems, and, interestingly, cloud computing platforms.
And the third is an update on North Korea's exploitation of a Flash Player zero-day against
South Korean targets. Investigators believe Pyongyang purchased the zero-day from some
so-far unidentified third party. It might be criminals, it might be another state,
it might be a zero-day broker.
Researchers at Radiflow report finding a crypto-miner infestation
in a European water utility,
marking crypto-jacking's long-expected approach
to the industrial Internet of Things.
Researchers at AlienVault recently took a look
at an application compiled in late December 2017,
an installer to mine Monero cryptocurrency.
Christopher Doman is a security researcher at AlienVault, and he joins us to share their findings.
So it's pretty obvious the way that we found it.
It was a piece of software that was talking to a university in Pyongyang.
So we could see from a domain that ended in .kp, for North Korea, it might be something worth looking at. And we see a lot of, well,
a fair amount of North Korean software, but this stood out being potentially malicious.
So take us through what was going on here. What was it doing?
It's really simple, actually. It installs a Monero miner. So Monero is a bit like Bitcoin,
but a bit more anonymous. And it installs it on the computer. And then the funds are then sent
off to a server at the university in Pyongyang.
And in terms of it installing itself on the computer,
is it doing this surreptitiously?
Is it a piece of malware where it tries to hide itself?
Somewhat. It puts itself into the Windows folder,
so that's not normally where you get a legitimate piece of software installed.
And there's some somewhat related malware
that seems to be by the same people that is even more cunning: it hides itself as a scheduled task.
Can you tell us about that?
Yes, after we released this report on this Monero miner sending off funds to that
university in Pyongyang, a friend of Palo Alto found another piece of malware
talking to the same Monero wallet so presumably the same people and that's a
bit more cunning. It comes in as an archive that's password protected,
and it comes built in with the password. It's got a couple more methods in there, a bit
more evolved to try and avoid antivirus.
In your research you say that it was looking for a particular host name which
doesn't resolve. Can you describe what's going on there?
Yeah, so the host name is a server at the University of Pyongyang. I think it's
called Kim Il-Sung University, if I got that right. And yeah, it doesn't resolve for us. We don't see any records ever
resolving. But the way that DNS and that kind of stuff works is that if you're within North
Korea, within the university, perhaps it would work. So one theory about where this has come
from is maybe this was running within North Korea itself.
Another one of the theories is that it might just be a prank to fool security
researchers?
Yeah, there's definitely something to put in there in case that happened and we had egg on our face.
Obviously, it is quite blatant. The fact it's got that North Korean domain in there,
it's not exactly subtle about that. I think the prank hypothesis we have is a bit less likely
now we've found that related malware, which we're seeing installed on machines in South Korea,
a number of machines that have made about $40,000.
So if it is a prank, it's quite an elaborate one.
But yeah, that's possible.
And that's also because we saw some, again, slightly related malware that probably isn't
linked to this, but shares some code.
So we weren't really sure how to interpret that.
And this sort of Monero mining, this is something that you see linked to North Korean people
quite often, yes?
Yes.
I mean, two other reports. One was with Kaspersky. They found Lazarus, quite an infamous
group of North Korean hackers. They installed some Monero mining on a bank that they'd hacked
into. So they were trying to steal millions of dollars worth of cash from the bank, and
they risked it all and partly got caught by installing a Monero miner. And there's also
a report by the South Korean government last month where they found a very related group
of attackers installing Monero miners on South Korean networks.
What are the takeaways here? What are the conclusions from what you found?
Well, I guess this isn't the biggest threat for people to worry about.
But given that it's something involving North Korea, it's kind of topical, it's kind of interesting.
And it fits into the wider kind of economic situation where obviously they're going under sanctions, they need money to fund all their programs.
And this is just one more piece of evidence
that North Korea is investing resources in cryptocurrencies.
And so if people want to protect themselves against this,
what are your suggestions?
Well, antivirus picks us up pretty well.
Monero miners are well known,
and you can detect this on the network quite easily too.
Again, it just uses standard Monero mining, Monero protocols.
So for most people, this isn't a threat they've got to worry about.
Perhaps more of a threat is, again, related groups doing things like WannaCry to get cryptocurrency cash.
That's got a far longer set of recommendations.
That's Christopher Doman from AlienVault.
You can read their full report on the North Korean cryptocurrency miner on their website.
Two U.S. senators, Republicans Tom Cotton of Arkansas and Marco Rubio of Florida,
have introduced a bill that would ban Huawei and ZTE devices from U.S. government use.
The measure is similar to one recently introduced in the House.
Senator Cotton said, quote,
Huawei is effectively an arm of the Chinese government,
and it's more than capable of stealing information from U.S. officials by hacking its devices. There are plenty of other companies that can meet our technology needs,
and we shouldn't make it any easier for China to spy on us, end quote. Finally, we've been wondering
if there actually are Nigerian princes, so we consulted our Africa desk and found out that yes,
yes there are. There are traditional rulers of old constituent states that form modern Nigeria,
which itself is, of course, a republic. We call them princes
for short. There are naturally other titles in the 521 languages
native to Nigeria. Socially important as a mediating
institution, Nigerian royalty is roughly equivalent to European
nobility. Italian
counts, German princes, Scottish lairds, things like that. We're thinking about them because of
the way their names have been exploited in advanced fee cons, Nigerian prince scams we've
come to call them. No actual Nigerian princes, of course, are involved. So maybe you thought
the Nigerian prince scam was exposed and just totally
over? So 90s, right? You roll your eyes and think back about playing Los Del Rio doing the Macarena
on your Walkman, am I right? Well, techno-sophisticates, think again. A variant using Twitter is out and
about. And to add insult to injury, this one goes after altcoin. That's right, the cryptocurrencies
that are so
hard to understand that only true crypto hipsters like our technical director or those guys over at
Johns Hopkins can really be said to grok them. In fairness to the hundreds who've fallen for the
con, the fraudsters aren't tweeting that they're actual widows of Nigerian princes. Instead,
they're, wait for it, Bitcoin billionaires, Monero millionaires.
And they're using names you know, posing as verified tweets.
Here's a sample, quote,
By the way, I'm giving away 20 bitcoins to my followers.
Just send 0.02 bitcoins to the address below, and I'll send you 0.02 bitcoins back
through the same address you used in the transaction.
This is my way of thanking all my friends and followers.
Thank you. And who's that from? Well, who else but John McAfee, naturally. Of course, it's a spoof.
It's not the real Mr. McAfee, but admit it. I had you going there for a second. Another one looks
as though it came from Elon Musk for sure, doesn't it? Well, read this one and weep, Rocketeers.
To celebrate the event, I'm giving away 100 Ethereum and 20 Bitcoin to my followers.
Send 0.2 Ethereum or 0.1 Bitcoin to the address below and receive 2 Ethereum or 1 Bitcoin.
Sounds good, right?
I mean, Mr. Musk did just send a Tesla Roadster into space aboard his first Falcon Heavy,
so maybe that's the event he's celebrating.
And Mr. Musk, who's of course not the real Elon Musk at all, adds,
So hey, hop to it, Twitterati.
There are other tech celebrity impersonators, too.
What the cons have in common is that they're tweets.
In fact, they're replies to other tweets, and the imposture is accomplished by typo spoofing.
So, no tech celebrity, not even the famously out-of-the-box Mr. Musk or Mr. McAfee,
is going to ask you to deposit cryptocurrency so he or she can send you more in return.
Mark Twain would have recognized the bogus offer at once.
He even put a royalty scam into Huckleberry Finn.
We'll update it for the 21st century.
If that don't fetch them, I don't know #Arkansas.
Don't get fooled again.
And I'm pleased to be joined once again by Johannes Ullrich. He's from the SANS Technology
Institute, and he's also the host of the ISC StormCast podcast. Johannes, welcome back.
We've been seeing a lot in the news about the theft of
crypto coins. What sort of advice can you offer us here?
Yeah, probably the first thing to realize is, if you are owning crypto coins and if you're keeping them in a wallet, this wallet isn't your traditional wallet that holds currency, whether it's electronic or not. It's really just a private key. So it's not that you need a bigger wallet if you own more coins; it's still the same private key that authenticates you to these blockchains, that you're the owner of these coins. So you really have to safeguard this private key very carefully, first of all from theft. So you may want to keep it not online.
One option actually you have is you can create a paper copy of this private key, either as a QR code, or there's even software that allows you to turn it into an English word passphrase, kind of. So what you can do then is, if there are some crypto coins that you're just holding on to that you're not sort of using on a day-to-day basis to buy your burgers or whatever, in that case, you can just transfer them into this paper wallet and keep them safe. Of course, you definitely want to make sure that you keep a couple of copies of this piece of paper in safe places.
Because if you ever lose this particular paper,
well, with that, you also lose whatever crypto coins are associated with it.
Yeah, so this is the kind of thing you store in your safe deposit box, I suppose.
What is the level of security with these hardware wallets?
Does it vary from device to device,
or are they all pretty secure? It certainly varies from device to device. And I have seen some of these hardware wallets actually store the private key on like a little micro SD card.
While this is not necessarily insecure, from my own personal experience, I had a lot of them fail over the years.
And if this device fails, then, well, again, you're losing your cryptocurrency.
So you definitely want to make sure, again, that you do keep backups of the private key, and that you actually can get that key in some archivable format out of
these hardware wallets.
Now, with mobile wallets,
there are a lot of mobile applications
that implement wallets.
They actually go beyond the bare bones wallet functionality.
What's sometimes called a wallet
is not just the part that holds your crypto coins,
but also software that sort of synchronizes
with the blockchain.
So you can look it up to see how many coins you actually have in your account.
Now, they often are vulnerable to just the same vulnerabilities that all software is vulnerable to.
So again, be careful.
Check the reputation of some of the software that you're using
and make sure that you definitely keep backups of everything.
And I would actually recommend to write down any passwords that you're using
because the password should be complex, definitely,
but there is no password recovery for these systems.
So if you lose it, it's gone.
There's nobody really to complain to and ask for your money back
if you lose your crypto coins.
Right. All right. Good advice as always.
Johannes Ullrich, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri,
Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.