CyberWire Daily - State cyber-espionage. Influence operations and coordinated inauthenticity. Add Lucky Elephant to the menagerie. ASUS supply chain updates. Notes on Norsk Hydro’s recovery. Reactions to the Mueller Report.

Episode Date: March 27, 2019

In today’s podcast, we hear that the Spanish Defense Ministry has been reported to have suffered cyberespionage. The Lazarus Group’s life of crime. Facebook takes down “coordinated inauthenticity.” Add Lucky Elephant to the bad actor menagerie: it’s harvesting credentials in South Asia. Notes on the ASUS supply chain backdoor. Updates on Norsk Hydro’s recovery from its LockerGoga infestation. Russia says, hey, the Mueller Report totally exonerated us, too. Emily Wilson from Terbium Labs on data collection and protecting PII. Guest is Matthew Montgomery from Verizon on their Mobile Security Index report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/March/CyberWire_2019_03_27.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Spanish Defense Ministry's reportedly hacked. The Lazarus Group's life of crime. Facebook takes down coordinated inauthenticity. Add Lucky Elephant to the bad actor menagerie. It's harvesting credentials in South Asia.
Starting point is 00:02:10 We've got notes on the Asus supply chain backdoor. Updates on Norsk Hydro's recovery from its LockerGoga infestation. And Russia says, hey, the Mueller report totally exonerates us too. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, March 27th, 2019. The Spanish Defense Ministry's intranet has been affected by what is thought to be a cyber espionage attack aiming at stealing defense secrets. That's according to Reuters, since the ministry itself has been tight-lipped about the incident. But sources say that an unspecified nation state is thought to be behind the activity.
Starting point is 00:02:58 North Korean hackers are again in the news, with the Lazarus Group, or associated actors, continuing their efforts to redress the DPRK's financial shortfalls by theft and fraud. The UN panel of experts has finally reported on the looting of ATMs belonging to the Pune-based Cosmos Cooperative Bank last year. The thieves got the equivalent of about $13S. dollars in the campaign, which extended beyond India to 27 other countries. The UN panel concluded that the theft was motivated by Pyongyang. The India Times says that the Pune police and the Maharashtra cyber cell have made a dozen arrests,
Starting point is 00:03:40 but haven't yet identified the mastermind behind the looting. Whoever the masterminds were, they're more likely to be found in Shinnonju than in Pune. Kaspersky Lab has been tracking the Lazarus Group's evolving approach to cybercrime, and they think various tech startups, particularly those involved with cryptocurrency, are now more heavily represented than before on Pyongyang's target list. The Lazarus Group is said to be using custom PowerShell scripts, with command and control server scripts often disguised as WordPress files.
Starting point is 00:04:14 Any immunity Mac users may have felt to the ministrations of DPRK hackers is no longer well-founded. The crooks know that a lot of tech startups are Mac shops, and they haven't forgotten about you Windows users either. Facebook has closed some 2,600 accounts for coordinated inauthentic behavior, that is, for illegitimate political influence operations. The accounts were based in Russia, Kosovo, Iran, and Macedonia. The accounts from Iran, for the most part, addressed audiences in Egypt, India, Indonesia, Israel, Italy, Kazakhstan, and various other places in the Middle East and North Africa.
Starting point is 00:04:54 Facebook says that these actors, quote, represented themselves as locals and made-up media entities, often using fake accounts, and they impersonated real political groups and media organizations. Their posts usually amplified material being pushed by Iranian state media with takes on Indo-Pakistani tension, Israeli-Palestinian conflict, fighting in Yemen and Syria, various Islamic religious topics, and the ongoing crisis in Venezuela. The accounts based in Russia for the most part had
Starting point is 00:05:26 to do with Ukraine, allegations of corruption in Kiev, and the general righteousness of Russian claims to Crimea. The Balkan outfits in Kosovo and North Macedonia were mostly interested in representing themselves as members of American and Australian groups. Their topics were more anodyne, along the lines of what one might read in a grocery store checkout line, astrology, celebrity news, beauty tips, and political gossip. That choice of topics might be consistent with longer-term battle space prep, attracting followers who could be pumped with sunshine and swamp water at some appropriate later time. In any case, the takedown is more evidence that finding and checking inauthenticity might be an easier and more beneficial approach to influence operations
Starting point is 00:06:14 than direct content moderation. After all, you wouldn't want to take down celebrity gossip, right? Netscout describes an ongoing credential harvesting campaign that appears to be prospecting for the most part South Asian governments. They call it Lucky Elephant and say that, quote, the attackers masquerade as legitimate entities such as foreign government, telecommunications, and military, end quote. Netscout researchers haven't observed any malware associated with Lucky Elephant so far, and so its activities appear at this stage to be concentrating on credentials. The targets include agencies in Pakistan, Bangladesh, Nepal, Sri Lanka, the Maldives, and Myanmar.
Starting point is 00:07:06 Attribution is too ambiguous to make a tentative call, but one of the IP addresses used, Netscout says, was used by the now apparently defunct Indian APT DoNot Team, and one of the credential harvesting domains had earlier been attributed to a Chinese government actor. Verizon recently released the 2019 version of their annual Mobile Security Index. The report surveys data from nearly 700 industry professionals to discover trends in mobile security and data use. Matthew Montgomery is a managing director in the Verizon business group. Last year's report, from my perspective, was somewhat of an aha. We had many briefings with customers, and we would be talking about their wireline cybersecurity framework. And we would then ask those questions about how are you securing the edge?
Starting point is 00:08:01 How are you ensuring that since more work may get done on a tablet than your laptop, how are you ensuring that that tablet has the same level of security? And I think the report in 18 really referenced that. And it was an aha moment. In fact, the big thing out of the 18 report was that more people, more organizations were nervous about losing access to their device versus data breaches, which to me was astounding, meaning work now is being done at a mobile phone and tablet level that the business continuity component was huge, I think like 80% or something. So this year's data really continued to follow the same trend. So nothing really new. We did take a couple of steps back in that we expected since we had outlined and showcased some of the risks that these companies were facing.
Starting point is 00:08:49 We expected them to take more aggressive action, and in some cases, they haven't. So really, the key findings is I'd call it the mobile threat is real. We've seen about 70% were less confident in their own security around mobile device. And frankly, about 70% feel that the risk has also grown year over year. So affirmation back from our customers. And the impact for sure is that, you know, we're up about 5% year over year in terms of organizations admitting a compromise via mobile device.
Starting point is 00:09:20 And then, and I think it was around 60% or so described that breach or compromise as major, and it had lasting repercussions. It's interesting to note, there's a fortune, I read this over the weekend, there's a fortune article out there that talks about the risk to small businesses now. And more and more small businesses are doing their business from a mobile perspective. They're using payment technologies that are attached to tablets and how a simple breach could really destroy their business. I think our data spoke to that. The whole idea of employee misuse really kind of stood out to me. 37% were confident they could spot employee misuse, while 95% of the organizations had employees, they admitted accessing things like adult content, gambling areas, inappropriate areas. They felt like they had the right profiles and security, yet the involvement of public Wi-Fi grew year over year.
Starting point is 00:10:19 So just the acknowledgement of the threat, the actions they're taking to mitigate the threat, yet we're still seeing the growth of the threat increase on the mobile side. So, again, you know, a little bit more work to do, I think, on the organizational side, but certainly the analysis and understanding of the findings that the report had, as well as the gaps in mitigation techniques are in place. Now, are you seeing an alignment where when folks are recognizing that this is a growing threat, are they also increasing their funding and their spending on that side as well, or is there a gap there also? Well, that's a great question. And about 70% said their mobile security spending was increasing year over year. So of the respondents, we see the growth in mobile spending. So they are doing that. But then when you dig below the lines, okay, so yes, I'm going to spend more money. I may add
Starting point is 00:11:12 threat detection. I may do something more aggressive with my container. I may add more training for my employees about changing passwords and not using public hotspots and things like that. Only 12% had four of the most basic precautions in place. And that was down year over year. I mean, so yes, they're increasing their spending, yet only 12% had the four. And those basic things are like encryption, obviously, stress testing your security profiles, restricting access. That's really simple, common cybersecurity hygiene, even things like changing default passwords. So year over year, those four basic precautions actually went down, yet the dichotomy is about 70% said they were increasing their mobile spending.
Starting point is 00:12:07 That's Matthew Montgomery from Verizon. The report is the Mobile Security Index Report for 2019. Norsk Hydro has largely returned to normal operations after last week's LockerGoga ransomware attack. Production in its Extruded Solutions division, one of the most affected by the attack, had yesterday reached 70 to 80 percent of normal capacity. The company is headquartered in Norway but operates internationally, and the attack disrupted operations in many places around the world. Secondary attacks, whether opportunistic or planned, remain a concern.
Starting point is 00:12:45 Norsk Hydro warns against spoofs, urging that anyone receiving an email that appears to be from Norsk should contact the company before taking any action the email might suggest. There seem to be some emails going out to customers, partners, and suppliers suggesting that they change their banking information. Norsk says you should ignore these requests. The aluminum manufacturer is sending out no such requests. Bogus communications could represent attempts to either spread the ransomware or defraud third parties through social engineering. And finally, Russian reaction to the U.S. Attorney General's letter to Congress outlining the conclusions of Special Counsel Mueller's investigation into election interference
Starting point is 00:13:24 has generally been muted, but Moscow's been offering more of its opinions at midweek. The report the Attorney General rendered to Congress explicitly calls out Russian influence operations, and the special counsel's work resulted in the indictment of 12 Russian intelligence officers, which hardly looks like exoneration. We're not lawyers, but we've seen TV, and "extradite me if you can, Yankee" seems a pretty weak defense, but hey, innocent until proven guilty, right? In the meantime, if you've made a career in the Internet Research Agency, think twice before honeymooning in the Maldives or changing planes in, say, Guam. Pro travel tip, Chelyabinsk is lovely this time of year. challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:14:46 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
Starting point is 00:15:26 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:16:33 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Emily Wilson. She's the VP of Research at Terbium Labs. You recently wrote a piece for The Next Web, and you were focusing on data collection here. Can you take us through what were you getting at?
Starting point is 00:17:03 This article came out of a conversation I was having with someone right after one of the many Facebook data breaches a few months ago, or news of misuse. Some are breaches, some are just negligence. When someone asked me, what could somebody have done to avoid this happening? Or what could people do going forward to avoid being caught up in breaches? And I made a joke, right? You know, they could not use Facebook, but they're not going to do that. Right. Because we get into situations with things like Facebook or these other tech giants where you can't really opt out. Now, this is certainly true for things like financial services. If you want to transact in the economy, you have to participate in the economy. And so that's true for financial data. If you want to have a line of credit, if you want to have money short of finding a bartering system where you're trading precious metals in exchange for dry goods, you have to give your information to financial services. Right. But we've extended that now. We've gotten to the point now where it isn't just financial services where you are forced to share data or where you are required to share data. Facebook
Starting point is 00:18:18 has become this behemoth organization that for better or for worse, and we would say for worse in most cases, is the best way that people have to connect with their friends and family around the world. Right. Social media has become something people expect. They expect you to have social media accounts. They expect you to have email addresses. There's all of the convenience of shopping online. So there's more information there. You're not going to stop using e-commerce platforms. So there's more information.
Starting point is 00:18:52 There's information being spread there. We think about things like entertainment services. Whether you're sharing your information with a video streaming site or with your cable provider, again, you're opting into sharing your data there. And none of these companies, none of them have robust, ethical, transparent data sharing practices. Yeah. Well, it seems like the non-option option they give you is either we're going to share your data or don't use our service. That's what it comes down to. And you're lucky if you get that much from them. Right. You know, we see stories, you know,
Starting point is 00:19:31 it feels like every other week now of some company being sued because they were sharing information. I just saw the Weather Channel is being sued because their app, they were sharing information with IBM and others in their partnership network. And they come out and say, you know, in defense of their practices, well, you agreed to the user agreement, you checked the box on the privacy policy, and we were very clear about the fact that we're doing this. And no one's reading all 18 pages of those.
Starting point is 00:19:59 There's some expectation that if you share your information with a company, they are going to use it to provide you the service that you have signed up for. And that's the end of it. But that's not happening because, again, data is a commodity. It's valuable. It's being monetized and not just by cyber criminals. It's being monetized in the mainstream economy. It's fuel for the economy.
Starting point is 00:20:30 And companies don't want you to focus on that because they require your data to make more money. Yeah. Well, is it all doom and gloom? I mean, are we looking at pushes to maybe right this ship and get us going in the right direction? Certainly not an optimist in this camp. I'm at best a pragmatist. The one thing that I have that I'm holding on to, and I mentioned this in the article, is that we are all in this together. So because everyone is opting in, everyone is required to opt in, that means that no one is opting out. So it's not just you and me. It's politicians. It's world leaders. It's influential figures. It's people with resources. It's people who are also being hit by this.
Starting point is 00:21:13 And the point at which one of them is unhappy and decides to devote resources to making it better, then we might see a change. But, of course, that also relies on those people deciding that data privacy is more important than profit. And I'm skeptical that that's going to happen. Well, the article has the sunny title, Depressing Lessons, 2018's Endless Data Breaches Taught Us. It is over on the Next Web. Emily Wilson, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:21:54 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire.
Starting point is 00:22:40 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thank you. See you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act
Starting point is 00:23:59 with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.