CyberWire Daily - Pyongyang’s new friendship with Moscow apparently only goes so far. Reptile rootkit in the wild. Cloudzy updates. Cl0p’s torrents. And notes on cyber phases of Russia’s hybrid war.

Episode Date: August 7, 2023

North Korean cyberespionage against a Russian aerospace firm. The Reptile rootkit is used against South Korean systems. An update on Cloudzy. Cl0p is using torrents to move data stolen in MOVEit exploitation. Andrea Little Limbago from Interos wonders about the dangers of jumping head first into new technologies. Rick Howard ponders quantum computing. And Meduza is back on Apple Podcasts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/149

Selected reading.
Exclusive: North Korean hackers breached top Russian missile maker (Reuters)
North Korean hackers stole secrets of Russian hypersonic missile maker (Euractiv)
Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company (SentinelOne)
Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems (The Hacker News)
UPDATE: Cloudzy Command and Control Provider Report (Halcyon)
Clop ransomware now uses torrents to leak data and evade takedowns (BleepingComputer)
Ukraine may be winning ‘world’s first cyberwar’ (The Kyiv Independent)
Apple has removed Meduza’s flagship news podcast ‘What Happened’ from Apple Podcasts, without explaining the reason (Meduza)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 North Korean cyber espionage against a Russian aerospace firm. The Reptile rootkit is used against South Korean systems. An update on Cloudzy.
Starting point is 00:02:14 Cl0p is using torrents to move data stolen in MOVEit exploitation. Andrea Little-Limbago from Interos wonders about the dangers of jumping headfirst into new technologies. Rick Howard ponders quantum computing. And Meduza is back on Apple Podcasts. I'm Dave Bittner with your CyberWire Intel briefing for Monday, August 7th, 2023. Solidarity against what Russian TV is calling the collective West is one thing, but Pyongyang isn't sentimental enough to let that stand in the way of industrial espionage. Reuters reports that North Korean operators have successfully penetrated NPO Mashinostroyeniya, a rocket design bureau headquartered in a Moscow suburb. The apparent industrial espionage wasn't deterred by Russia's
Starting point is 00:03:26 attempts to cultivate closer relations with Pyongyang, which it views as a potential supplier of ammunition and other materiel for the war against Ukraine. SentinelLabs researchers are the source for the technical details in the Reuters report, and they found two instances of a North Korean compromise. One, the compromise of an email server, was by ScarCruft. The second involved a Windows backdoor, OpenCarrot, which has been associated with the Lazarus Group. The relationship between the two compromises remains unclear. They could be cooperating, or Pyongyang may consider the target important enough to hedge its bets by assigning the Russian firm to multiple independent threat actors, as SentinelLabs puts it. SentinelLabs, in the course of its usual monitoring of North Korean cyber activity,
Starting point is 00:04:20 identified a leaked email collection containing an implant with characteristics related to previously reported DPRK-affiliated threat actor campaigns. This led to discovery of the larger campaign. It's evidence of Pyongyang's determination to advance its missile development program, a goal it probably considers more important than any new collaborative relationship with Moscow. Threat actors are using the open-source kernel module rootkit Reptile to target Linux systems in South Korea, the Hacker News reports. This isn't Reptile's first appearance in South Korean networks. Companies there have seen it before. The AhnLab Security Emergency Response Center said in a report on the malware that the initial point of access in this most recent wave remains unclear.
Starting point is 00:05:11 The researchers, however, were able to provide considerable information about the malware itself. Several malicious tools were used by the attacker. These tools included the Reptile rootkit, a reverse shell, a command tool, and a startup script. These tools allowed the attackers to gain access and control over the victim's computer. Additionally, the attackers used another malware strain called ISH, which is a special kind of shell that uses the ICMP protocol to communicate with the attacker. The reason for using ISH was likely to avoid detection by traditional network monitoring methods that look for suspicious TCP or HTTP communications. While the targeting of South Korean companies might suggest a North Korean operation,
Starting point is 00:06:01 there is at present no attribution. The open-source rootkit is in principle available to several distinct threat actors, and it's entirely possible that Pyongyang has nothing to do with Reptile. Halcyon has published an update on Cloudzy, an ISP that provides services to various APTs and ransomware affiliates. Halcyon's researchers were contacted by the IPXO address marketplace, which was leasing 14 IP ranges to Cloudzy. Halcyon says the IPXO representative informed Halcyon that based on the research report, they're taking and will continue to take action to prevent additional abuse. They asked for additional intelligence from Halcyon,
Starting point is 00:06:46 which was provided for their consideration. Halcyon's report said that Cloudzy, despite its self-presentation as a company incorporated in the U.S., is for the most part staffed by employees of a company based in Tehran. Cloudzy said in a statement to CSO that it's investigating the situation, so we'll all await the outcome of Cloudzy's self-examination. The Cl0p ransomware group is using torrents to leak data stolen via the MOVEit vulnerabilities, BleepingComputer reports. Decentralized torrents offer a more efficient way for the group to
Starting point is 00:07:22 distribute the data while making it more difficult for law enforcement to shut them down. BleepingComputer explains, even if the original seeder is taken offline, a new device can be used to seed the stolen data as necessary. If this proves successful for Cl0p, we will likely see them continue to utilize this method to leak data as it's easier to set up, does not require a complex website, and may further pressure victims due to the increased potential for broader distribution of stolen data. Yurii Shchyhol, the head of Ukraine's State Special Communications Service, has outlined their organization's war objective, to push Russia back into an intellectual and IT middle ages. Achieving this goal involves a complex strategy, including effective defense measures and
Starting point is 00:08:13 international support for sanctions to disrupt Russia's IT supply chain. In an interview with the Kyiv Independent, Shchyhol reviewed the cyber phase of Russia's war, describing the relentless nature of Russian cyber attacks. These cyber attacks began as preparations in January and February of the previous year, leading up to Russia's conventional invasion. Notably, wiper attacks were a significant component of this cyber preparation, with a major assault on state authorities marking the starting point. Despite the initial successes of the cyber attacks, Ukraine has managed to defend against subsequent attacks attributed to the rapid application of lessons learned during the
Starting point is 00:08:56 lead-up to the war. These lessons were gained through prior experiences of Russian cyber operations during the Crimea invasion in 2014 and the NotPetya campaign in 2017. Successful defense has also been enhanced through improved cooperation between the private sector, friendly foreign governments, and various Ukrainian government agencies. Infighting over agency interests has given way to a more collaborative atmosphere. Sanctions against Russia have proven effective and are encouraged to continue. Shchyhol believes that excluding Russia from international organizations and isolating the country from the rest of the world will hinder their access to crucial technologies, ensuring future security for Ukraine.
Starting point is 00:09:46 Despite Russia's efforts to evade sanctions, their dependency on Western systems, especially from the U.S., will likely impede their ability to launch attacks within the next six months to a year, favoring Ukraine's position in the conflict. And finally, Meduza, an independent Russian-language news service operating from Riga, Latvia, said Friday that Apple removed Meduza's flagship podcast, What Happened, from the Apple Podcasts streaming platform. What Happened focuses on news affecting Russia, and Meduza isn't particularly sympathetic with the Russian regime. Apple's suspension notice read, We found an issue with your show, What Happened?, which must be resolved before it's available on Apple Podcasts. Your show has been removed from Apple Podcasts.
Starting point is 00:10:37 Meduza says that no further explanation was offered, but the outlet says that it was effectively outlawed by Russia this past January when it was designated an undesirable organization. According to Meduza, Roskomnadzor, Russia's Internet governance authority, complained to Apple about Meduza earlier this summer, and Meduza believes that Roskomnadzor's complaint may have prompted the suspension. Whatever the cause, the ban was short-lived. Meduza wrote in a Sunday update, Two days after it was removed,
Starting point is 00:11:11 What Happened is again available on the Apple Podcasts streaming platform. Apple did not provide a reason for suddenly removing and restoring the podcast. It's an unusual incident. Apple, like other companies, tries to comply with local laws where it operates, but Cupertino isn't in the habit of saying how high when Roskomnadzor cries jump. If nothing else, the incident illustrates the challenges platforms face as they try to straddle the divide between publisher and common carrier. Perhaps Roskomnadzor should consider traveling to Riga itself. Peacefully, of course.
Starting point is 00:11:58 Coming up after the break, Andrea Little-Limbago from Interos wonders about the dangers of jumping headfirst into new technologies. Our own Rick Howard ponders quantum computing. Stay with us.
Starting point is 00:13:33 And it is always my pleasure to welcome back to the show, Rick Howard. He is the CyberWire's own chief security officer, also our chief analyst. Rick, welcome back. Hey, Dave. So on this week's CSO Perspectives podcast, you are talking about quantum computing and the potential impact to enterprise security. And Rick, I have to say, I think I will join a lot of people out there who say that I do not understand a whole lot about what quantum computing really is or how it works under the hood.
Starting point is 00:14:49 But what I do know. It's a big club. Yeah. I think it was like Richard Feynman, you know, like there's the quantum mechanics man. So he didn't even like he didn't understand quantum dynamics. So I don't feel that bad about my limited understanding. But what I do know is that when it finally gets here, we're going to have computers that are much faster than the computers we have today. But I'm reminded of like what we say about fusion energy, you know, like it's always
Starting point is 00:15:18 20 or 30 years away, no matter when you ask. Are we in that mode with quantum computing? That's what it feels like most of the time, you know, because you're right about that, Dave. Quantum computing is in a class of near-future technologies that, when and if they ever get here, are going to fundamentally change how we all live our lives, not just in the cybersecurity and tech worlds, but for, you know, everybody on the planet. But for as long as I can remember, like you said, these technologies have always been just over the horizon, like, you know, artificial general intelligence, AGI, 5G networking, autonomous vehicles, and abundant solar energy.
Starting point is 00:16:02 And like you said, it doesn't matter how many years go by, it's always just 30 years away. But what I've noticed this past year or so, that a collection of quantum experts have started to cautiously reduce their estimates about when quantum will be ready for the masses. Some are saying it's like by the 10 years away. So it might be time for the general security practitioner to do a little planning. So what is the risk here, Rick? I mean, I know it has something to do with breaking modern day encryption algorithms, which sounds bad. I mean, is this the end of times? Should we shut down the internet, go back to the Pony Express, smoke signals, all that kind of stuff? Just say that was a bad idea and we should never do that again? Well, I would say that'd be plan B, Dave, right? Okay. An alternate plan,
Starting point is 00:16:47 plan A, if we're going to, you know, label things, okay, might be to really think about what's at stake here. So, thanks to quantum characteristics of, get this, superposition and entanglement, and I don't even pretend to understand what those two words mean. Quantum computers are massive parallel processing machines. And as my friend, Dr. Georgianna Shea says, not a new supercomputer, but a new super duper computer, right? So I really love that characterization, right? Because by the way these things are designed, they won't be able to easily break all encryption schemes, but they will be exceptionally good at breaking modern-day asymmetric encryption schemes. These are all the things that are the engine behind everyday internet commerce and probably the linchpin to protecting many government secrets worldwide. And when we get there, the world is
Starting point is 00:17:41 going to change. So in this episode, we're going to explain all of that in detail and talk about some of the ongoing efforts to buy down the risk before we get to that milestone. All right. Well, I will look forward to checking that out for sure. The podcast is CSO Perspectives. You can learn all about how you can access that on our website, thecyberwire.com, also n2k.com. Rick Howard, thanks so much for joining us. Thank you, sir. And joining me once again is Andrea Little-Limbago. She is Senior Vice President of Research and Analysis at Interos. Andrea, it is always my pleasure to welcome you back to the show.
Starting point is 00:18:34 I, over the years, have become convinced that we are a reactive species, that humans by our nature are not good at getting in front of things, that things have to get really bad before we're willing to change. And that's a long way around of saying that's something I want to check in with you on. When it comes to technology and security, are we always catching up or do we even have the ability? Is it in our DNA to get ahead of things? It's a great question. And I think in general, I tend to agree with you on that. But I think we need to try not to be.
Starting point is 00:19:15 And so we have aspirations. We have to have aspirations not to be. And so much of it goes back to whether it's the cycle and companies have to report on that quarterly earnings versus two years out. So it's short-term, long-term thinking, which I think always dampens our ability
Starting point is 00:19:35 to think longer term. But I'm slightly optimistic that we're starting to have some of these thoughts and considerations, at least in cybersecurity. These were discussions that weren't had at all during some of the previous big booms and our technological shifts for the industry. But the one that I'm keeping an eye on right now a lot, because I'm not, the jury is out on this one on generative AI, it's going to have a big impact.
Starting point is 00:20:00 We're already seeing that. It was enormously, some people say that machine learning advanced more in six months than in the previous decades. It really was a significant shift with ChatGPT and all the other large language models that were out there. But my concern
Starting point is 00:20:17 is that we're seeing, because of that, it's almost like the gold rush. Everyone's jumping onto it and putting it into their products, using it in different ways, both personally and professionally. And there's a whole lot of concern about what is the security of that data? How's data privacy? What's occurring with that?
Starting point is 00:20:35 There are copyright infringement lawsuits going on right now over the training data. There's a whole lot going on around that. And there are, though, not the most vocal voices in the room, but there are voices talking about the security of it and advising companies that if you're looking at implementing generative AI, which plenty of benefits, make sure security is part of it and not an afterthought. And I think that those companies that do, when they think about integrating generative AI, that do look at the security
Starting point is 00:21:06 components of it, they'll be the ones that are less surprised going forward. We're going to see everything. We've seen data leaks because an engineer is putting source code into it from a company. We've seen that. There are regulations around Europe talking about potentially halting the use
Starting point is 00:21:22 of some of these. The US has a whole AI working group to look into how to properly regulate going forward. So whether it's the regulatory risks or data leaks, data breaches, malicious uses of the generative AI, there's at least discussions going on now warning people to take security into account and not as an afterthought. I don't think we had that as much, you know, 10 years ago. So I think that at least the discussion is there. We'll see if people heed the advice or not, or they just want to jump in too quickly. It's a really interesting point, and I agree with you.
Starting point is 00:22:00 And I think lots of folks are saying that the release of these large language models was an inflection point, perhaps even for society. And I think there's something to that, as opposed to like social media, which I think was more diffuse. It's sort of, you know, it oozed into our society. That's right. Rather than being a big, rather than capturing everyone's imagination all at once. So there's a difference there. I'm curious, you know, you and I often talk geopolitics, and I worry that I'm being a bit provincial in my thinking here.
Starting point is 00:22:35 I mean, are there nations who part of their culture is being more cautious about these sorts of things? You know, I think we have here in the U.S., we have this, you know, move fast and break things cliche, but are there cultures who take a more measured approach? Well, I think for sure the European governments are most vocal in raising concerns about it and wanting to make sure data privacy is implemented into it. There's been much more action at that level, but I would say, I think you're back to your initial point on human nature. I think for the most part, we're seeing organizations trying to jump on this and to get that lead because boards are asking the company, their executives, what is your plan to integrate
Starting point is 00:23:13 this and to make sure that your competitors are not, they don't get the head start on it. And so it's framed. And so as long as it's a competitive global economy, we're going to see a lot of jumping on it. But hopefully it's jumping and looking before leaping, as opposed to just jumping and then looking backwards after and thinking, oh, we probably should have secured that. Or we probably should not put our IP into a question
Starting point is 00:23:37 for a chatbot. There remains a big European and US gap. And then I'd say on the other end, on the authoritarian side, it's consume as much data as possible by the governments and have government control of it. So this very likely will just be another way to try to be used to gain control over information within their,
Starting point is 00:23:57 actually I'd say within their geographic domains and within their cyber domains. What about the regulatory component here? I mean, when something happens this quickly, is the regulatory regime in a position to be able to be nimble? Not yet. At least not in the U.S., not yet. No. But at least they're talking about it. And I think you make a good point as far as social media really to kind of take a bit of time to diffuse
Starting point is 00:24:24 and really take over our lives. This happened really with a shock. Government is talking about this way more than they hopped on. Social media discussions took a very long time to really gain traction. But we're seeing some traction on this already. And part of it's due to some of the lawsuits, especially for the training data, we've seen defamation lawsuits, because if you ask a question into it, it could give false information about a person. We've seen that in Australia, there's a lawsuit from a mayor who,
Starting point is 00:24:55 I think the question basically said that he was someone that was a whistleblower put in jail, was the one actually as a whistleblower and put someone else in jail. So there's been a bunch of different defamation lawsuits as well that are going into it. And then one thing I haven't even talked about was just some of the wrong information that gets produced through it and being concerned about that. It's a huge potential vector for disinformation or just for continuing to exacerbate or amplify wrong information because that's what's been fed into it by the training models. And we see that with the hallucinated citations or the fake citations
Starting point is 00:25:29 that basically are made up. They sound credible, they look like they're credible, but they're entirely made up. Right, that's the thing. It'll give you wrong information with absolute confidence. Yeah, and so the notion of are we learning and being more proactive? And that's just one area, right? So we've got 5G looking ahead to 6G.
Starting point is 00:25:51 We've got secure by design. This is pushing forward. And I think that would not have happened 10, 15 years ago. So thinking about security by design as we're building out these new technologies, those are the kind of things I see that give me optimism that at least some people are thinking about it now when I'm not entirely sure that a few decades ago
Starting point is 00:26:10 security was on anyone's radar for that because there was a lot more optimism about the positive aspects of these technologies as opposed to them being used or weaponized. Right. All right. Well, Andrea Little-Limbago, thanks for joining us. All right. Thank you, Dave.
Starting point is 00:26:44 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Starting point is 00:27:45 We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like The Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with
Starting point is 00:28:37 original music by Elliot Peltzman. Our executive editor is Peter Kilby and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
