CyberWire Daily - SWIFT phishbait. DPRK hacking gets better; GRU hacking looks east. Coldroot RAT. Cryptojacking. Election cybersecurity.

Episode Date: February 21, 2018

In today's podcast, we hear that SWIFT phishbait is hitting inboxes. North Korean hackers show fresh sophistication and new ambitions. Fancy Bear seems to be snuffling east. Monero miners in Word, and why cryptojacking for Bitcoin is harder than it is for other currencies. The Coldroot RAT hides in plain sight. The US Departments of Justice and Homeland Security undertake new approaches to election security. Justin Harvey from Accenture on data-centric security. Guest is Scott Totzke from ISARA on the threat to encrypted data by quantum computing. And Facebook has a new verification mode: send in a postcard.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 hackers show fresh sophistication and new ambitions. Fancy Bear seems to be snuffling east. There are Monero miners in Word. And why cryptojacking for Bitcoin is harder than it is for other currencies. The Coldroot RAT hides in plain sight. The U.S. Departments of Justice and Homeland Security undertake new approaches to election security. And Facebook has a new verification mode: send in a postcard. I'm Dave Bittner with your CyberWire summary for Wednesday, February 21st, 2018. If you want to spot the coming trends in phishbait, just follow
Starting point is 00:02:38 the news. Over the weekend, news of a series of bogus SWIFT fund transfers affecting an Indian bank hit the wires. Since then, the hoods have jumped on their main chance, and so fraudulent transfers executed over the SWIFT network have prompted a new category of spam. From their perch at the foot of Garrett Mountain, researchers at Comodo Threat Research Labs report that criminals are using spam to distribute an attachment whose payload is the Adwind Trojan. The email's subject and text declare it to be a notice that there's been a SWIFT transfer to the recipient's account, and then refer the victim to the attachment for details.
Starting point is 00:03:17 This version of Adwind, once it's in a system, does a variety of things: registry modification, checks for installed antivirus and other security software tools, and if possible, AV software kills, and then connection with the Tor network. It also seeks to disable the Windows restore option, and it will, if possible, turn off User Account Control, which when enabled would prevent software from being installed without the user's knowledge. Comodo thinks the campaign is reconnaissance and preparation for further, more damaging attacks.
Starting point is 00:03:50 Recipients have this going for them, however. While the choice of subject may be clever, the approach is not. The spam is a throwback to the days of non-standard English grammar and eccentric idiomatic control. Be alert, and use all your literary critical skills when you read your email. Slowly but surely, researchers are making headway with quantum computers. The promise is one of a whole new class of computational capabilities, but with those capabilities comes a threat to the encryption we rely on today. Scott Totzke is CEO at ISARA Corporation,
Starting point is 00:04:24 a company specializing in creating what they describe as quantum-safe cryptography, and he brings us up to speed. We're very much in kind of the early days, even though we've been doing research for a couple of decades into quantum computing, but we're starting to see real early applications and progress. I mean, if you look at CES a couple of weeks ago, we had Intel announcing their 49-qubit chip. So we're starting to see some milestones from major technology vendors that are working on building quantum computers, even small ones, that'll solve problems that we can't solve on the world's largest supercomputers today. And everybody
Starting point is 00:05:02 gets really excited about that because we can start to see a future where you can see quantum information science impacting all kinds of innovation cycles around the world in different areas. We can look at pharmaceutical research where we can start to do drug design much more efficiently. We can look at quantum chemistry where we can take the one to three percent of the world's energy that we use to produce fertilizer so we can feed the planet. And we can reduce that because we can more efficiently produce fertilizer in the future. Or we can build superconducting materials that will let us be more efficient at transporting power over the electricity grid, where we lose 10 to 12 percent of the electricity today. You know, we can make that a much more efficient transaction in the future, so we have less loss of electrical power as we send it over the grid. So all of those kind of speak to a new era of
Starting point is 00:05:56 computing where we'll be able to solve problems that are far beyond the grasp of what we can do today, and I think that's where people get really excited because they see, you know, the innovation cycle that happened starting in the 70s in Silicon Valley and all of that technology and kind of wealth creation and intellectual property and prosperity that happened because of those investments and that focus in building a technology industry.
Starting point is 00:06:21 Now we're on to the next phase of what's next in the computing industry, and that's quantum computing. And again, we're just on the cusp of being able to move into new areas of research and design that people get really excited about. And of course, the concern is that quantum computing will be a threat to our traditional encryption algorithms. Yeah, that's correct.
Starting point is 00:06:42 So quantum computers solve certain classes of hard problems really efficiently. And I talked about a few of them, but one of the classes of hard problems is the math that is the underlying component that protects us on the internet today. And when you look at, you know, the technology industry in general, you know, we've been really effective and efficient at building encryption into everything that we do on a day-to-day basis. So when you think about it, it's probably the biggest success story of the technology industry over the last 30 or 40 years. We've taken something that is really complicated and difficult in the use of strong encryption, and we've made it kind of ubiquitous and transparent. And even if you're a non-technical user, you're going to use this type of technology a thousand times a day and not even know about it. So as we think about quantum computing becoming a threat to this,
Starting point is 00:07:30 we also look at how we've embedded strong encryption into just about everything we use on a day-to-day basis. And all of that needs to be updated to something that is going to be resistant to an attack from a quantum computer or the integrity of everything from the data that we use to manage kind of the environment within an office where we've got all kinds of sensors for managing temperature and controlling the environment there to, you know, signing on and checking your bank balance. All of that's going to be kind of challenged by quantum computers. And we need to focus on how we shift the security model to something that's going to be more resilient and safe to an attack from a quantum computer.
Starting point is 00:08:07 I'm intrigued by this notion that some people may be harvesting encrypted data, storing it, looking toward the future for when we pass this quantum threshold, that they might be able to break that data they can get their hands on today. Yeah, I mean, that's very much a driving theme that we hear when we talk to government customers is there, you know, at every level, it depends who your adversary is. But when you're thinking about this at a state level, there's a lot of concern that whoever your adversary is, if you're, you know, US or you're a Five Eyes country, you're very concerned that say Russia or China or North Korea is harvesting all this data and storing it in a data center someplace. And then when they do have a quantum computer,
Starting point is 00:08:48 they'll be able to go back and undo all of the kind of secrecy and encryption that we're using to protect sensitive communications today. So if you're a government agency, you might have a 20-year, 25-year secrecy obligation on electronic communications that you are sending out on a day-to-day basis. And when we look at the timeline for when we see quantum computers being a threat, you know, this could be as early as 2026. And so today you can't meet that 20 or 25 year secrecy obligation with state-of-the-art encryption technology that we use today to protect all of our transactions. So in some sense, you're
Starting point is 00:09:25 already creating an exposure where the information that you need to protect is already exposed to an adversary, but it's maybe sometime in the next seven or eight years before that becomes actionable on their part. But every day you continue to leak more information that can't be protected in accordance with whatever your secrecy obligations are. That's Scott Totzke from ISARA. The Olympics are in their final week, and the DPRK's Reaper operators are in contention for hacking gold. They weren't involved, it seems, in the disruption that hit the Games' opening ceremonies. The usual suspect in that escapade remains Russia, but they've shown a
Starting point is 00:10:05 considerable increase in capability. FireEye researchers report, with high confidence, that North Korean government cyber operators are showing new sophistication and ambition. Studies of the threat group, variously known as Reaper, APT-37, Group 123, that's Cisco's Talos unit's name for them, and ScarCruft, as Kaspersky called it, suggest that it's aggressively targeting international corporations. According to FireEye, most of Reaper's attacks are initiated with sophisticated social engineering. CrowdStrike, which tracks the group as Labyrinth Chollima, says they've shown the ability to bridge air gaps by unspecified
Starting point is 00:10:46 means. Reaper is known for pursuing government, defense industry, and media targets, but it's recently added the chemical, electronic, aerospace, healthcare, automotive, and manufacturing verticals to its target list. Taking a look at the bears, Kaspersky Lab says that Sofacy, the threat group linked with Russian military intelligence, also known as APT-28, Pawn Storm, Sednit, Strontium, and of course our favorite Fancy Bear, has begun to shift its focus eastward from NATO targets. It's now taking a closer interest in Ukrainian and Central Asian networks. Researchers at Israeli cybersecurity firm Votiro warn that they've determined it's possible to embed Monero mining script in Microsoft Word documents.
Starting point is 00:11:35 Why, one might ask, has Monero grown in popularity among cryptojackers? After all, Bitcoin is still the most valuable cryptocurrency, even though it's fallen off from its December highs. And Bitcoin's transaction fees, which had become high enough to put criminals off the currency, have fallen from $34 to less than a buck. The answer seems to be, according to what researchers at security firms Imperva and Check Point told ZDNet, that mining Bitcoin requires a custom application-specific integrated circuit, an ASIC. No ASIC, no mining. But that's not an obstacle in the case of Monero and some other cryptocurrencies.
Starting point is 00:12:14 Cybersecurity firm Digita Security is warning about a remote-access trojan, a RAT, called Coldroot. Coldroot is a cross-platform RAT that installs a keylogger and is used mostly to steal banking credentials. What's curious about Coldroot is that it's been around for about a year and has been traded in dark web markets. Its code has been on GitHub for roughly a year too, yet Coldroot still escapes detection by signature-based antivirus tools, indicating how easy it can be to hide in plain sight. And finally, as midterm elections approach in the United States, the U.S. Department of Homeland Security is increasing its cybersecurity aid to state election officials as they prepare for midterm voting.
Starting point is 00:12:58 The assistance includes classified threat briefings. The Department of Justice has also organized an anti-election hacking task force. And the private sector is thinking about what it might do to help. Facebook has introduced a new low-tech method of verifying that people who purchase political ads are who they say they are, and not, say, employees of, oh, we don't know, the Internet Research Agency or the Whoppercoin impresarios operating from the Arbat. They'll verify their bona fides by returning a physical postcard. As Facebook says, that won't solve everything,
Starting point is 00:13:32 but they think it's a simple step in the right direction.
Starting point is 00:15:58 And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. You know, Justin, I've been hearing lately about data-centric security, and I was hoping you could shed some light on how exactly people go about implementing this and how the architecture
Starting point is 00:16:44 differs from what we've done traditionally. Data-centric security is really about identifying your high value assets, maybe your data, maybe your business processes, and building up your defenses from the inside out. For the last decade, the focus has really been on how high can you build your walls? How high can you build your perimeter to create resistance or friction for adversaries so that if you're able to repel them, they won't get into your organization and steal your data. But what we're finding is it's getting easier, or at least it is easy for adversaries to bypass the perimeter. And it's happening over and over. In fact, I've even told a lot of my clients, build your cyber defense program in such a way that you are surrendering the perimeter.
Starting point is 00:17:32 Now, don't get me wrong. I'm not saying go out and divest all of your perimeter controls. But what we're seeing is a race with the industry. How high can you build your wall? And it's a race condition. But what's happening every time is the adversary is leaping over the wall. And then you're in this softer center, you're in your intranet, or you're inside of your organization, and it's very easy for them to move laterally and steal data. So data centric security is first identifying what your high value assets are. And of course, if you can't identify them, how can you protect them? Secondly, building from the inside out.
Starting point is 00:18:11 So having all of the necessary encryption, having all of the necessary privilege access monitoring, and even going as far as to create an enclave. So a hardened center within your organization with your crown jewels and increasing the focus and the scrutiny on those assets. And then being able to monitor that effectively in a continuous response model. Data-centric security is not that different from the approaches that many organizations are taking today. It's just really focusing on what is important to your organization and being able to secure from
Starting point is 00:18:50 the inside out. So having concentric circles of walls and moats and protections all the way around with the most valuable stuff in the middle. Yes, but I wouldn't say that more walls is the answer per se. But I would say, let me give you an example. Let's say data-centric security really comes into focus when we consider some of the latest vulnerabilities that organizations have been hit with. Let's consider the Struts vulnerability with Apache. Apache was hit, and an adversary, perhaps scanning your perimeter, finds an Apache server that's vulnerable, exploits that, and then moves through the system in order to achieve their objective by grabbing the data and leaving. And what is different in a data-centric security approach is a few things. Number one is being able
Starting point is 00:19:38 to know where your high-value assets are, just like I said before. So in this case, you would already know that you have some sensitive data on your perimeter. The next would be being able to have a threat intelligence team that's examining the wire or the press or Twitter up to date so that when this vulnerability is exposed or hits the wire within the first 30 minutes, an hour or two, your team knows, hey, this is now a vulnerability. And because you have a good vulnerability and patch management system that's reactive, now you know exactly, well, there's 13 Apache websites in the perimeter. And by the way, we also have privileged access monitoring, and we have a security operations team
Starting point is 00:20:22 that is essentially orchestrating the mitigation of this risk, either through installing new web app firewall rules. Maybe it's even taking the Apache system down. So by being able to take more of a data-centric approach, that leads to a better response capability. Good advice as always. Justin Harvey, thanks for joining us. Thank you.
Starting point is 00:20:57 For more stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
Starting point is 00:21:50 It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
