CyberWire Daily - Patriotic hacktivism? Cryptomining worm steals AWS credentials. Carnival discloses data incident.

Episode Date: August 18, 2020

Suspected patriotic hacktivists are defacing websites. A cryptomining worm is stealing AWS credentials. Cruise company Carnival suffered a ransomware attack that involved data theft. US measures against Huawei are expected to make things much more difficult for the Chinese company. Ben Yelin on new tools tracking cyber data on US borders. Our guest is Jesse Rothstein from ExtraHop on what happens to enterprise security when the network goes dark. And a look at the organizational structure of North Korea’s hacking units. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/160

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Suspected patriotic hacktivists are defacing websites. A crypto mining worm is stealing AWS credentials. Cruise company Carnival suffered a ransomware attack that involved data theft. U.S. measures against Huawei are expected to make things much more difficult for the Chinese company.
Starting point is 00:02:18 Ben Yelin on new tools tracking cyber data on U.S. borders. Our guest is Jesse Rothstein from ExtraHop on what happens to enterprise security when the network goes dark, and a look at the organizational structure of North Korea's hacking units. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 18th, 2020. It's difficult to distinguish spontaneous hacktivism from government-run cyberattacks, but two current campaigns look more like patriotic hacktivism than espionage. Greek Reporter says that government websites in Eastern Macedonia and Thrace have been defaced with Blue Homeland messaging that evidently came from Turkish operators.
Starting point is 00:03:19 And Zee News trumpets the activities of the Indian cyber troops who've hoisted the Indian tricolor on some 80 Pakistani websites. Researchers at Cado say they've found a crypto mining worm that steals credentials for Amazon Web Services when it infects Docker or Kubernetes instances running on AWS. The worm also swipes local credentials and scans the web for misconfigured Docker instances. The malware is used by a cybercrime gang that calls itself TeamTNT. The researchers have observed these attackers successfully compromise a number of Docker and Kubernetes systems. The group's activities were also described by Trend Micro in May when they were targeting open Docker ports with a crypto miner and DDoS bot.
Starting point is 00:04:08 The TeamTNT worm installs the XMRig crypto miner to mine Monero. The malware isn't particularly sophisticated, but it seems to be relatively successful as far as crypto mining operations go. The method by which the malware steals AWS credentials is simple. The AWS command line interface stores credentials unencrypted in a file called credentials, and the malware simply uploads this file to the attacker's server. It also steals the AWS configuration file for additional information about the setup. The Cado researchers note that this is the first worm they've seen that has AWS credential stealing functionality, but they expect to see more malware using this tactic in the near
Starting point is 00:04:52 future. Cruise line company Carnival Corporation and Carnival PLC disclosed a data incident to the U.S. Securities and Exchange Commission in an August 15th 8-K filing. The company says the incident was a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The incident also involved exfiltration of some of the company's data. The incident was discovered on August 15th, the same day the company reported it to the SEC, and the investigation is ongoing. Carnival's subsidiaries include Princess Cruises, Carnival, the Holland America Line, Seabourn, P&O Cruises,
Starting point is 00:05:33 Costa Cruises, AIDA Cruises, P&O Cruises, and Cunard. Carnival's SEC filing states that, while the company doesn't expect the incident to have a material impact on its business, operations, or financial results, "we expect that the security event included unauthorized access to personal data of guests and employees, which may result in potential claims from guests, employees, shareholders, or regulatory agencies. Although we believe that no other information technology systems of the other companies' brands have been impacted by this incident based on our investigation to date, there can be no assurance that other information technology systems of the other companies' brands will not be adversely affected."
Starting point is 00:06:17 According to the Wall Street Journal, new U.S. measures are making it harder for Huawei to get chips made with American technology. The Washington Post sees the new measures as evidence of the difficulties in stopping an inherently complex trade. Huawei has continued acquiring chips that contain U.S. technology, despite increasingly tight restrictions. The Commerce Department's restrictions announced yesterday are thought to be broad enough to cut Huawei off from these workarounds. The Post cites an anonymous industry executive as saying, "This kills Huawei. Any chip made anywhere in the world by anyone is subject to this." Many North Korean government hackers operate from locations in other countries, according to a U.S. Army assessment.
Starting point is 00:07:05 The report, summarized by ZDNet, says North Korea's Cyber Warfare Guidance Unit, also known as Bureau 121, had more than 6,000 members in 2015, up from 1,000 in 2010. The U.S. Army believes the number is probably much higher than 6,000 by now. These hackers frequently work from other countries other than North Korea, including Belarus, China, India, Malaysia, and Russia. The report also details the organizational structure of Bureau 121. The unit has four subdivisions. Three are focused on cyber warfare, while one is responsible for traditional electronic warfare, such as jamming equipment. The three cyber-focused subdivisions are known in the industry as the Andariel Group,
Starting point is 00:07:52 the Bluenoroff Group, and the Lazarus Group. Andariel is made up of approximately 1,600 members and primarily focuses on reconnaissance of targeted networks and identifying exploitable vulnerabilities. Bluenoroff consists of around 1,700 members who are tasked with conducting financial cybercrime by concentrating on long-term assessment and exploiting enemy network vulnerabilities. Lazarus consists of an unknown number of operators and is the group the government uses to create social chaos by weaponizing enemy network vulnerabilities
Starting point is 00:08:25 and delivering a payload if directed to do so by the regime. ZDNet clarifies that the industry often uses the Lazarus Group as an umbrella term to refer to any hacking associated with North Korea. And finally, Pyongyang's hackers may have also adopted a technique well-suited to extracting payment in ransomware attacks as they dip their toes into the ransomware game. NK News says the Lazarus Group, its eye on insurance coverage, is pricing its ransom below the cost of backup and restoration. with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:09:32 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:10:30 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:11:14 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Emerging standards like TLS 1.3 and DNS over HTTPS make good use of encryption to keep data from prying eyes online, but they also present challenges for enterprise security, who may have a harder time monitoring network traffic. Jesse Rothstein is co-founder and CTO at ExtraHop, and he explains what can happen to enterprise security when the network goes dark. I think anybody responsible for the security posture of an enterprise environment thinks about these things in the broader context of visibility and how do I secure the environment. So I'll just
Starting point is 00:12:06 jump right in and say that I believe very strongly in network security. I think it's a very valuable source of data. One of the few, maybe three most fundamental sources of data that we have. We can always instrument specific endpoints and run endpoint protection platforms. We can always aggregate and gather log files and telemetry, and we should do all of those things. But a fundamental source of data and truth is all of the network traffic, all of the communication that exists. It's extremely difficult to tamper with, and it's basically impossible to turn off. And that's why network security has been really a fundamental kind of tool in the toolbox for so very long. Well, as more and more folks shift their attention towards encrypting the data that flows through these networks, how does that affect visibility?
Starting point is 00:13:01 Well, it can make it more challenging. First and foremost, I'll mention that there's a lot of traffic analysis that we can do even with encrypted traffic. We can analyze communication paths and flows of data. We can run some heuristics, traffic analysis heuristics, to determine if we're looking at interactive traffic or bulk downloads. We can do some amount of fingerprinting, even for encrypted traffic. These are where fingerprints like JA3 and JA3S and the HASSH fingerprints can all provide some visibility into encrypted traffic. But at the end of the day, nothing beats actually inspecting the payload itself. If encrypted traffic analysis were to provide too much information, then encryption wouldn't
Starting point is 00:13:52 be doing its job. So when we're talking about environments that we control and when we are ourselves the defenders of these environments, we have a couple of choices. For campus environments, we can certainly perform some sort of SSL/TLS interception. There are a variety of ways of doing this, but this basically means, you know, breaking and inspecting the traffic, you know, and there are some pros and cons to doing that. But if the goal is to actually analyze user traffic and maybe even with the hope of looking for rogue and unmanaged devices and compromised credentials, that might be very, very important.
Starting point is 00:14:36 We can take a very different approach with services that we control and applications that we ourselves are delivering because in those, we manage all of the infrastructure that's actually terminating the encryption. That's Jesse Rothstein from ExtraHop. Cyber threats are evolving every second, solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I am pleased to be joined once again by Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security
Starting point is 00:15:58 and also my co-host over on the Caveat podcast. Ben, it's great to have you back. Good to be with you again, Dave. Interesting article from CNET. The title is Homeland Security Details New Tools for Extracting Device Data at U.S. Borders. What's going on here, Ben? So the Department of Homeland Security
Starting point is 00:16:17 is required to release a privacy impact assessment about its data collection practices at U.S. border crossings. They just released that report at the end of July. What that report said is that people who are crossing the United States border, and that includes U.S. citizens and non-U.S. citizens alike, have been subject to pretty robust data collection practices.
Starting point is 00:16:48 The DHS at least has had the capability to extract a lot of very valuable data from your devices. So contacts, call logs, IP addresses, previous GPS locations, cell site information, pretty personal information. And over the past several years, the number of device searches at the border has really multiplied significantly. They noted that in 2018, there were 33,000 such searches of devices at U.S. border crossings. Now, the good news for civil libertarians on this issue is that there was a court case. I believe we talked about it on our podcast,
Starting point is 00:17:26 decided towards the end of 2019 that declared that, at least as it applied to U.S. persons, law enforcement or U.S. Customs and Border Patrol requires reasonable suspicion to search a digital device. So they no longer can conduct warrantless searches at the border. But what was going on before this case, I think was much more concerning from a civil
Starting point is 00:17:53 liberties perspective. There basically were no requirements. So Customs and Border Protection would be allowed to conduct warrantless searches of your device and collect all this extremely personal information. And obviously that's a major invasion of privacy. A couple things struck me in this article. One, the policy that they have means they retain the data for 75 years. Yeah, that's a long time.
Starting point is 00:18:24 It seems like a long time. Also, they point out that the data is saved to DHS's local digital forensics network, but then transferred to a company called Penlink, which they describe as being a phone surveillance software company that helps manage this
Starting point is 00:18:41 metadata. So, perhaps a little bit of third-party risk there? Absolutely. Whenever you're transferring data to a third party, if you are not engaging in best practices in data protection, you're going to introduce some vulnerabilities. One thing they noted in this article that was interesting is that, and this is purely a coincidence,
Starting point is 00:19:04 but in the same week that this report was released, the NSA released guidance to its own employees about how to protect information on their own employees' digital devices. Saying, use your latest software patches, turn off Bluetooth, etc., etc. I think if you were to read these two guidance documents together, the overarching message is, protect your device from us, the federal government. We, the federal government, are telling you to protect your device from maybe a different federal department, but from the federal government itself. Right, right, right.
Starting point is 00:19:40 I love this statement here, too. In the article, they say that DHS said, the privacy risks of using the tools are low because only trained forensics technicians will have access to the tools and only data relevant to investigations will be extracted. That's just, I know, that's just so funny. It's hard to believe that a DHS spokesperson would have the gall to put that in a statement
Starting point is 00:20:04 just because it's such an obvious... Anybody who's well-versed in these issues would know that that's just such a thin line that indicates that your data is not actually secure. Because there are just so many potential vulnerabilities there. You're transferring this data to a third party. We've known not just from Customs and Border Protection, but from other federal surveillance programs that very frequently not just the particular data
Starting point is 00:20:34 relevant to a criminal investigation is being collected when you're talking about a dragnet program. And so anybody who is well-versed in these issues would see that statement and their eyes would roll into the back of their head. I mean, I suppose it's good that DHS has to publish these impact assessments, yes? Absolutely. You know, and that's, you know, where Congress comes into play when they authorize these programs. Department of Homeland Security was authorized in 2002 and has been reauthorized since.
Starting point is 00:21:07 When you have these reauthorization programs, one thing you can do is require a certain level of transparency. So require semi-annual reports, annual reports. That's often the only way we know about what our government is doing as it relates to digital data or frankly anything else. So that is one stick that Congress has that can really force agencies to be transparent.
Starting point is 00:21:34 All right, well, interesting stuff for sure. Ben Yelin, thanks for joining us. Thank you. And that's The Cyber Wire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:22:30 Thanks for listening. We'll see you back here tomorrow. you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
