CyberWire Daily - Stealing from the best? An enigma in the criminal-to-criminal market. CISA’s holiday caution. Someone’s impersonating the SEC. Three weekend cyberattacks.
Episode Date: November 22, 2021
The Lazarus Group seems interested in learning from, by which they mean stealing from, some of the world’s leading state-sponsored cyber operators. Void Balaur remains an enigma, but it’s not the only player in the C2C market. CISA and the FBI warn all, but especially critical infrastructure operators, to remain alert during the holidays. Some scammers are impersonating the US SEC. Dinah Davis from Arctic Wolf on what security gifts to get your family this year. Our guest today is Carole Theriault on online gaming during the pandemic. And cyberattacks are reported on an airline, a utility, and a manufacturer of wind turbines. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/224
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The Lazarus Group seems interested in learning from, by which they mean stealing from, some of the world's leading state-sponsored cyber operators.
Void Balaur remains an enigma, but it's not the only player in the C2C market.
CISA and the FBI warn all, but especially critical infrastructure operators, to remain alert during the holidays.
Some scammers are impersonating the US SEC.
Dinah Davis from Arctic Wolf on what security gifts to get your family this year. Our guest today is Carole Theriault on online gaming during the pandemic. And cyber attacks are reported on an airline, a utility, and a manufacturer of wind turbines.
From the CyberWire studios at DataTribe, I'm Trey Hester with your CyberWire summary for Monday, November 22nd, 2021.
In an apparent effort to up its offensive security game, The Daily Beast reports, North Korea's Lazarus Group is phishing Chinese security researchers.
It's not clear whether they've enjoyed any success, according to researchers at security firm CrowdStrike, which tracks the Lazarus Group as Stardust Chollima, but they appear to be interested in obtaining zero days in particular.
Quote, for vulnerability research in particular, that would be interesting. It, in effect,
allows you to collect and steal weapons that you can use for other operations. It can also give
them insight into new techniques they're not aware of and how
research is being conducted, end quote. CrowdStrike's vice president of research, Adam Myers, told the
Daily Beast, quote, it also lets you know what the security posture looks like in other countries,
end quote. CrowdStrike reads the campaign as aimed at obtaining new attack tools that can be used for
the financially motivated hacks Pyongyang uses to address the pariah regime's chronic fiscal shortfalls.
The phishing techniques themselves are nothing out of the ordinary, either for threat actors in general or the Lazarus Group in particular.
But they are interesting in that they seek to instill the kind of urgency social engineers seek to induce in their victims.
The lures in this case aim at making the recipients uneasy, rushed, and fearful.
They warn of urgent tasks, they reference sensitive information about the recipient,
or they represent themselves as coming from the boss, and what, after all, is scarier than that?
The Lazarus lures, which referenced Chinese government security authorities,
were designed for Chinese security experts.
Quote,
End quote.
Vikram Thakur, a technical director at Symantec, told the Daily Beast, quote,
If a researcher gets a technical-sounding email from the government,
the chances of that researcher clicking on the lure is extremely high.
End quote.
If you're an active or aspiring criminal, you could develop your own tools, steal them, as the Lazarus Group seems to be doing, or you could buy them.
The RocketHack group, which security firm Trend Micro researchers have been tracking as Void Balaur, is shaping up as an increasingly important player in the C2C market, CSO writes in an overview of the gang. Void Balaur is unusual in that it both advertises in russophone criminal circles and hits Russian targets, which is an uncommon combination. CSO speculates about the possibility that Void Balaur has succeeded in compromising insiders at various Russian enterprises, but that of course remains speculation. The targets they've been prospecting don't suggest any particular agenda beyond straightforward criminal financial gain. It will be interesting to see how long they remain in business until the authorities shut them down.
It's Thanksgiving weekend in the U.S., and the Cybersecurity and Infrastructure Security Agency, CISA, and the FBI have issued a joint advisory
reminding organizations, and in particular their critical infrastructure partners, to be especially
vigilant during the holiday season. Organizations should be in a heightened state of alert for
phishing scams and fraudulent sites spoofing reputable businesses.
It is possible malicious actors will target sites often visited by users doing their holiday shopping online and unencrypted financial transactions.
They advise organizations to review their response plans and remind them that CISA has made playbooks available that should be helpful in keeping those plans up to snuff.
CISA has also issued an infrastructure dependency primer intended to help state and local governments in particular improve their resilience by understanding and planning for the ways in which dependencies shape risk.
What do we mean by dependencies? If you're not familiar with the concept, CISA offers this brief account,
quote, dependencies are relationships of reliance within and among infrastructure assets and systems
that must be maintained for those systems to operate and provide services, end quote. Dependencies
can be unidirectional or bidirectional, and they often cross functional and jurisdictional boundaries,
which makes them easier to overlook than one might wish.
In any case, if you're reviewing your response plans, consider taking a look at CISA's primer.
The U.S. Securities and Exchange Commission warned late Friday of spoofed communications
that appear to come from the SEC, but in fact originate with scammers.
The communications arrive in many
modalities, including phone calls, voicemails, emails, and even old-school physical letters.
The caution they offer is familiar, but unfortunately, as always, worth remembering.
Quote, SEC staff do not make unsolicited communications, including phone calls,
voicemail messages, or emails, asking for payments related to enforcement actions, shareholdings, account numbers, PIN numbers, passwords, or other information that can be used to access your financial accounts, end quote. Apply the same caution to calls that claim to
be from other agencies, especially if the phone call has all the background noise you'd expect
from someone phoning it in from a low-rent boiler room. And finally, there were several criminal
cyber attacks over the weekend that deserve mention.
Mahan Air, Iran's largest private airline, said that it successfully stopped an attack on what it characterized as internal systems.
Bloomberg reports that Mahan's website went offline for a while Sunday, but the domestic flights continued without disruption.
In this case, text messages claimed responsibility for the attack. A group calling itself the Observance of Fatherland claimed that they were behind the incident,
which they represented as a reprisal against Mahan Air for cooperating with Iran's Revolutionary Guards.
The text said, according to the Daily Sabah,
quote,
cyber attack against Mahan for complicity by the terrorist Guards Corps.
End quote.
There was no evidence provided in support of the claim, and just who the Observance of Fatherland might be, hacktivists or a deniable cat's paw for hostile intelligence services, remains unknown.
Riviera Utilities told Fox 10 News on Friday that its email systems were under attack.
The Alabama utility said that no other systems were affected
and that operations continued normally. And Vestas, the world's largest manufacturer of
wind turbines, disclosed that it sustained what Reuters describes as, quote, a cybersecurity
incident and has shut down its IT systems across multiple business units and locations to contain the issue, end quote.
The incident took place on November 19th,
but beyond that, Vestas has provided little in the way of details.
The company is investigating, working to restore its systems,
and is cooperating with law enforcement.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Our UK correspondent Carole Theriault joins us to discuss online gaming during the pandemic.
So when I was a kid, we had a ColecoVision as a gaming console.
And us three kids would save up our allowances from summer jobs like mowing the lawn or weeding the garden to buy games like Pac-Man and Donkey Kong.
And we only had two handsets, so you can imagine the fights we had
and the deals we made to get extra time with the controller. Like, we loved playing. But as we only
had a single television for us all to share, we were naturally limited to how often we could play.
I mean, The Muppet Show or Magnum PI or Moonlighting took precedence, obviously.
Now we all have our own devices, and that gives us unlimited access to all manner of online gaming.
Now we can game during commutes, in bed before we sleep, and after we wake, even during toilet breaks.
And we all took to gaming like fish to water. We fit it around our lives,
school, work, the gym, hobbies, outings with friends, family. But my, oh my, did the pandemic
change things. No real surprise, most of us faced some pretty strict lockdowns,
meaning you had to find some distraction somewhere. And online gaming welcomed millions
of new players and saw existing players
play tons more. The University of Glasgow published a report in May on the impact of the pandemic on
online gaming. Pre-pandemic, 10% of those that took part in this research played several times a day.
Post-outbreak, that number skyrocketed to 40%. But the research reveals that overall the impacts of gaming were positive on the subjects.
Gaming seemed to provide stress relief through escape.
It allowed people to socialize in a way that did not contravene the rules.
It is a welcome distraction from the news.
There's a feeling of control within the context and confines of the game.
Something that we were all missing when news was coming out every day about the pandemic. Now, the University of
Glasgow just looked at adults. But what about kids? According to National Geographic, it seems the
findings were the same. Pre-pandemic, most kids in the United States were already clocking in at
least an hour a day on games, with Roblox and Minecraft among
the most popular for kids. But with schools closed and in-person socializing limited, those numbers
exploded. Quote, the Pew Research Center of Internet and Technology found that video games are a major
venue for creation and maintenance of friendships, especially for boys. According
to the study, more than half of teens made new online friends and a third of them came through video
games. So why has China further restricted access to online gaming for kids and teens to one hour a
day on weekends and holiday evenings? The Chinese administration said, according to the New York Times,
quote,
Recently, many parents have reported that game addiction among some youths and children
is seriously harming their normal study, life, and mental and physical health.
So is online gaming good for kids?
I think only time will tell.
But gosh, ask any parent or adult living alone during the pandemic.
I suspect they'll say that online gaming was a lifesaver.
I mean, why not ask the kids and teens in your immediate circle?
How many of them could cope with just a few hours a week
access to online gaming platforms or services?
I bet many a jaw will drop.
In fact, I bet many would offer to eat plain gruel every morning rather than have to give up their online gaming practices.
Feel free to tweet us their answers.
This was Carole Theriault for the Cyber Wire.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And I'm pleased to be joined once again by Dinah Davis.
She is VP of R&D Operations at Arctic Wolf and also the founder and editor-in-chief at Code Like a Girl.
Dinah, it is always great to have you back.
You know, we're coming up on the holiday season here, and I know for me personally, there's nothing I'd rather have in my Christmas stocking than some sort of security gift.
And I thought maybe you and I could go over how to be the most popular person in your
family.
What sort of security gifts do you have in mind this year?
I can help you be that person this year.
Terrific. Go on.
I mean, security is important,
and I think we do want to help,
gently help our friends and family
improve their security, right?
So there's a couple things that we can do.
You can gift someone a password manager subscription.
That might be great for your parents.
They may not want to spend the money on that or understand the value in it.
Right.
But it is quite important, and you can help them with that.
Another one is, especially maybe for your teens, a webcam cover.
They may not realize how often people could actually see what they're doing,
and maybe they don't want that.
Well, we should be helping them understand that they don't necessarily want that.
And then another one, which is security-related but not cybersecurity-related, is an RFID-blocking wallet.
It's really easy.
Think about all the tap-and-pay that happens today.
It would not be hard for people
to get close enough to your wallet if they know where it is and bring up a device and do a tap
and pay from your Visa card, right? You can get really nice ones now. I have a beautiful RFID
wallet from Fossil. I'm just saying, you don't have to get something ugly.
Right, right. Oh, that's interesting.
You know, I mean, I suppose you could make sure that everybody gets a YubiKey in their stocking
this year. But I guess that part of the downside is for those of us who give out those sort of
gifts, I'm thinking of the password manager, for example, that also puts you on the hook for being
tech support, right? Yes, but you were going to be tech support anyway, let's be real.
Yeah, that's true.
There's no getting away from that.
There's no getting away from that.
If you have cybersecurity professionals in your life,
then what you must do is you must buy them a kitschy mug for Christmas.
It's a must.
You know, like Yoda best cybersecurity expert, or a hacking cheat sheet on a mug, or something like that.
Uh-huh.
Yeah, that's good.
I saw one for my Caveat co-host, Ben Yelin.
I saw a mug that had the names of all of the great Supreme Court cases.
You know, that's perfect for him, right?
Yeah, exactly.
Exactly.
There's all kinds of stuff out there today.
Yeah, yeah.
All right.
Well, good ideas, thoughtful gifts as always.
Dinah Davis, thanks for joining us.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It will save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Elliot Peltzman, Brandon Karp, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilby, and I'm
Trey Hester, filling in for Dave Bittner. Thanks for listening, and we'll see you tomorrow.