CyberWire Daily - The Shadow Academy schools anglophone universities. Turla’s Crutch. Cryptojacking as misdirection. Cyberespionage against think tanks. DPRK tries to steal COVID-19 treatment data.

Episode Date: December 2, 2020

The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla’s Crutch, an information-stealing backdoor. Bismuth was using cryptojacking as misdirection. CISA and the FBI... warn think tanks that cyberspies are after them. North Korean cyberespionage is interested in COVID-19 treatments. Our guest is Carey O’Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. David Dufour from Webroot has 2021 predictions. And a member of the Apophis Group gets eight years in prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/231 Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla's Crutch, an information-stealing backdoor. Bismuth was using cryptojacking as misdirection. CISA and the FBI warn think tanks that cyber spies are after them.
Starting point is 00:02:19 North Korean cyber espionage is interested in COVID-19 treatments. Our guest is Carey O'Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. And a member of the Apophis Group gets eight years in prison. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 2nd, 2020. RiskIQ this morning released a report on a threat actor it calls the Shadow Academy. While it walks and quacks like the Iran-linked Mabna Institute and Silent Librarian and shares a number of their targets, researchers don't think the overlap in TTPs and targeting is sufficient for definitive attribution. The name Shadow Academy alludes to the group's use of domain shadowing
Starting point is 00:03:25 to gain access to its victims' networks and to the fact that its targets were universities. The attacks hit 20 institutions in Australia, the United States, and the United Kingdom. Also this morning, ESET reported finding a backdoor and information stealer in the systems of a European Union member country's foreign ministry. The malware is not new, as it seems to have been in use between 2015 and 2020, but it had been undocumented. ESET calls the backdoor Crutch, and they're confident it belongs to the threat group Turla,
Starting point is 00:04:00 which has been using it to pull stolen files into a Dropbox account Turla controls. Crutch isn't a first-stage backdoor, but is installed into previously compromised networks. Turla, of course, is also known as Uroburos and Venomous Bear. It's a Russian cyber-espionage outfit that specialized in former Soviet republics and former members of the Warsaw Pact. The cryptojacking associated with the threat actor Microsoft calls Bismuth, also known as OceanLotus or APT32,
Starting point is 00:04:37 and associated with the government of Vietnam, appears to be misdirection for more conventional cyber espionage. As TechNadu points out, defenders who see cryptojacking are likely to dismiss the incident as the work of a commodity botnet, deal with it, move on, and overlook the possibility that a more sophisticated attack is underway. The U.S. Cybersecurity and Infrastructure Security Agency and the FBI have issued a joint warning that unspecified threat actors are pursuing think tanks. They are significantly, but not exclusively, prospecting individuals and organizations
Starting point is 00:05:11 that focus on international affairs or national security policy, and they're using social engineering to gain access. Given the important role think tanks play in informing and shaping national policy, CISA and the Bureau recommend that these organizations take steps to improve their resistance to cyber espionage. The advice could well be applied to other organizations under this kind of threat as well. Leaders should implement a training program to familiarize users with identifying social engineering techniques and phishing emails. Staff should apply that training and stay vigilant
Starting point is 00:05:45 against highly tailored spear phishing attacks that target them through not only organizational accounts but through personal accounts as well. They should be particularly careful about opening email attachments and using removable media like thumb drives. The caution about email attachments, CISA and the FBI comment, should extend even to emails the recipient expects and even to emails from senders the recipient knows. They add a number of other recommendations for sound cyber hygiene, and the warning is worth a look whether you work at a think tank or not. The Wall Street Journal has the story on another cyber espionage campaign, this one targeting pharmaceutical companies working on COVID-19 vaccines. In addition to the British firm AstraZeneca, the affected companies were U.S.-based Johnson & Johnson and Novavax,
Starting point is 00:06:37 and three South Korean companies, Genexine, Shin Poong Pharmaceutical, and Celltrion. The attackers were North Korean, and while it's unknown whether they had any success, it appears that they fell short of getting whatever they were after. Even if they had succeeded in stealing detailed information on COVID-19 treatments, it's not unlikely that Pyongyang would be able to produce the vaccines or pharmaceuticals. It's likelier that the DPRK would sell the information to some third party who could, perhaps China. So start snitching.
Starting point is 00:07:13 No, seriously, start snitching on Pyongyang and win valuable prizes. Foggy Bottom will make it worth your while. The U.S. State Department is offering rewards of up to $5 million for information that leads to the disruption of financial mechanisms of persons engaged in certain activities that support North Korea, including money laundering, exportation of luxury goods to North Korea, specified cyber activity, and actions that support WMD proliferation. The offer is made under the department's Rewards for Justice program. Consensus in the security sector seems to be that extortion will dominate cybercrime during 2021,
Starting point is 00:07:54 primarily ransomware in increasingly virulent forms involving the now-routine sweetener of data theft and the prospect of doxing and a probable resurgence of shakedowns by threatened distributed denial of service. Acronis has a useful summary of the grounds for expecting this trend, and Asigra distills five predictions relating specifically to ransomware. First, expect ransomware attacks on Kubernetes containers. Second, SaaS-based applications will be targets as remote work remains widespread. More attacks will be enabled by artificial intelligence. Legislators are increasingly moving
Starting point is 00:08:33 toward making ransom payments illegal. And managed security service providers should expect more government regulation, including requirements to register with the government. Recognizing this trend, IBM's Security Intelligence blog offers five lessons learned from 2020 that organizations ought to consider applying in 2021. First, build a cybersecurity incident response plan, a formal plan, not seat-of-the-pants, stick-and-rudder improvisation.
Starting point is 00:09:02 Next, understand that the CSIRP is a living document. The adversary adapts and shifts, and so must the defenders. Test and exercise your cybersecurity incident response plan. And when you test and exercise it, make sure the right people participate and design the exercise to engage and profit them. And last, try online crisis simulation training, an important kind of exercise, and try to gamify it. So, do these predictions come true?
Starting point is 00:09:34 If the Black Friday and Cyber Monday experience is any indication, many of the forecasts are accurate, at least in broad outline. Cyberint has found, as expected, a high volume of criminal activity during the holiday shopping season. TransUnion connects the rise in fraud to another trend, bluntly writing, holiday fraud concerns during pandemic come true. The crooks have their own holiday sales. SpyCloud sees the bad guys offering bargains galore in the criminal-to-criminal market. Among the small coterie of jerks who styled themselves the Apophis Squad was one Timothy Dalton Vaughn, now 22, formerly of Winston-Salem, North Carolina. On Monday, Mr. Vaughn received a sentence of eight years in prison for conspiracy,
Starting point is 00:10:22 conducting computer attacks, and possession of child pornography. Mr. Vaughn and the other malign losers of the Apophis Squad specialized in website defacements, bogus threats of school violence, false reports of airline hijacking, and so on. Their motives ranged from just the lulz to money. In one 2018 case, the U.S. Department of Justice describes in their account of the sentencing,
Starting point is 00:10:48 Mr. Vaughn demanded 1.5 Bitcoin, then worth about 20 grand, from a company in exchange for not shutting down their site with a distributed denial of service attack. They didn't pay, and he followed through with the DDoS. In his salad days,
Starting point is 00:11:03 Mr. Vaughn gloried in his hacker names WantedByFeds and HackerRUs, which he might now consider changing to GottenByFeds and InmateRUs. The Bureau of Prisons will host Mr. Vaughn during the sabbatical he's been granted by the U.S. District Court for the Central District of California. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:11:44 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:12:19 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Clear your schedule for you time with a handcrafted espresso beverage from Starbucks. Savor the new small and mighty Cortado.
Starting point is 00:13:16 Cozy up with the familiar flavors of pistachio. Or shake up your mood with an iced brown sugar oat shaken espresso. Whatever you choose, your espresso will be handcrafted with care at Starbucks. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home,
Starting point is 00:13:53 your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Carey O'Connor Kolaja is CEO at identity intelligence firm AU10TIX. She shares her experience combating fraud in the financial services
Starting point is 00:14:26 and payment industries. What we found, Dave, is that in the last six to nine months, there's been a 300% increase in fraud in general, a majority of that definitely happening within the financial sector. And the evidence of that is based on what we're seeing, particularly right now in the U.S. with unemployment fraud, PPP fraud, identity fraud being at the core of all of this. And the growth, you know, is bringing us to a state of where there could be close to $42 billion in fraudulent activity that is committed in 2020. And one of the big reasons for that is this move to society, and particularly in the COVID age, moving more and more online. And every moment of our lives, whether it's we're looking at our watch
Starting point is 00:15:17 or we're logging into our computer or we have a connected appliance in our home, is when we're transferring information. And each time we transfer that information with the endpoint, you know, opens up a potential door for a fraudulent attack. And so this, you know, this year, the growth in fraud has been tremendous because of each of us living our lives, whether we work, we play, we live online. Can you give us some insights on two things? I mean, sort of the bread and butter fraud prevention that fintech organizations rely on,
Starting point is 00:15:55 but then also where are we in terms of the cutting edge? The big trajectory over the last couple of years is all around KYC, KYB. Know your customer. Know your business. We're now seeing an emergence of know your employee. The fraud checks that have happened in the past tend to open up an account to move money to a friend, a P2P transaction, there's a set of checks and balances that are put in place in order to reassure the institution or that fintech that I am who I say I am.
Starting point is 00:16:38 And there's been a lot of advances in how do you make that determination, everything from capturing your driver's license or a government-issued ID to checking to see whether you're a live person and if your selfie matches the picture on the ID to triangulating geolocation and behavioral-based data. But what's really shifted is these checks don't just need to happen at the beginning of a customer relationship with an entity, whether it's a fintech or any enterprise, but it has to happen in a continuous way. It may not be enough to just submit who I am and some information about me, but I may also need to submit my, you know, a year's worth of financial information for my business. Maybe I have to do a selfie check.
Starting point is 00:17:29 Maybe I have to share something else. And so these different layers of defense are effectively what's becoming the new norm in the world that we live in. That's Carey O'Connor Kolaja from AU10TIX. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:18:03 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And joining me once again is David Dufour. He's the Vice President of Engineering at Webroot. David, it is always great to check in with you.
Starting point is 00:18:50 I don't know about you, but I am wondering where this year has gone. At the same time, I will admit 2020, not going to miss it. Not going to miss it. How about you? It's great being here, David. And I got to agree with you. 2020 is one for the record books.
Starting point is 00:19:12 I am not going to miss it either. It has been pretty crazy both, you know, with everything going on. So absolutely. Yeah. Well, I mean, it's that time of year when we start looking towards 2021. What sort of things are on your list? What's on your radar for what we might see in the coming year? Well, let's kind of start with boring obvious, and then we'll work our way from there. Way to sell it, Dave. Way to sell it. Go ahead. I mean, the most obvious thing, all your listeners are going to be like ransomware.
Starting point is 00:19:44 Of course, it's going to continue to be a threat. We're going to continue to see problems there. They're just making so much money, the cyber criminals with ransomware, that we've just got to stay focused on ensuring we've got good're going to execute if you fall victim to a ransomware. Because it's just so pervasive and makes so much money. I don't see that going away next year. Do you think we might see any movement on, for example, we've seen some policy decisions where perhaps we could have some regulations forbidding folks from paying the ransom? Well, so I fear that because I'm kind of afraid
Starting point is 00:20:30 that if you forbid somebody to pay a ransom, are they going to be able to run their business after the fact? And if you make a government policy like that, are you literally shutting down someone's business? But it's a fair question. And I don't have an answer for that, by the way, because it literally is what did you do before the attack that will help you survive afterwards? And so if the government comes through with something like that, we absolutely have to make sure we're prepared to recover if we're not allowed to pay the ransom. That's very interesting.
Starting point is 00:21:02 Right, right. What else do you see coming along in 2021? You know, this one is arguable. There's a large discussion happening around, will people stay remote for the rest of their lives? I think there's a lot of people that want that office home life balance. I don't think people would have ever thought they really wanted that until they were forced to work at home with their family 100% of the time. So I think there will become some equilibrium that we reach around how we work from home or remote, what that looks like, what those expectations are. And then in terms of cybersecurity,
Starting point is 00:21:38 as that equilibrium is reached, then we'll be able to really see what the cyber criminals are able to take advantage of based on the tools that people are using, etc. That'll take a year or two to bake in. I think, you know, out the gate, we saw the attacks on video conferencing and things like that. But right now, it's still kind of up in the air. The pendulum's still swinging, hasn't settled in yet. So until we see that, I can't exactly say what we're going to see in terms of the cyber attacks. But I do think we'll see that normalization of work that'll be more remote than it was, but won't be 100%. Do you think we're going to continue to see this movement towards the cloud?
Starting point is 00:22:14 100%. And not only that, like cloud, everything we do, everything, you know, I'm doing in my work and everything I hear from different people, cloud is the focus. And I, you know, take this one step further and you may or may not know this, but in 2017, I bought a two-in-one laptop. I put a SIM card in it and for 12 months, I did not use a wired network. I was either using, you know, LTE network, or I wasn't even using Wi-Fi. I stayed on a SIM card for a year. Why am I saying this to you? I believe that over the next 10 years and by 2030, we're going to see a transformation of not just cloud for our servers and our applications, but I believe there's going to be a huge push for a cloud network infrastructure where we don't have the level of network infrastructure we have today, the physical layer. All of this will exist in the
Starting point is 00:23:09 cloud. We're going to connect to the network with our 5G SIM card and off we go to the races. And we're going to have a lot of security implications around that. But I got to wait for the cyber criminals to figure out how to attack that. Then we can defend against it. Yeah. What about the people side of things? I mean, we have this perceived skills gap. Do you think we're going to see any relief there in the coming year? Well, you know, I don't know what you're talking about here, skills gap. I think we got plenty of cybersecurity people, David. We're covered there, so we don't even need to talk about that. No, honestly, you know, I don't know what we're going to do.
Starting point is 00:23:44 You know, there's a lot of automation going on. I know a lot of the solutions we try to focus on are about automating so you don't have to bring people in. But when you're in an enterprise situation, you're investigating at such a level that you need more and more people. So there's a huge, huge skills gap. And something that I keep chewing on, and it might be fun to talk about sometime, David, is it's not only a skills gap on a reverse engineer who can break down a piece of malware and understand it so you can build a tool to protect against it. It's about the analysts. It's about the data, the machine learning specialists. You don't have to have a PhD in particle physics to be part of the solution here. Maybe you're training models that someone else came up with, or maybe you're analyzing things in a new way that lets you, you know, report things out.
Starting point is 00:24:32 There's such a spectrum of jobs that could be filled to assist this whole thing. It's not having everyone know about every type of malware. And I think we need to have that conversation. Yeah, that to me, I think you're really onto something here because I hear folks saying that, yeah, you know, there might be a skills gap, but really it's those higher level folks who are able to walk in and hit the ground running. That's the folks we have a shortage of. But at the same time, we don't seem to be willing to train up the people to fill in from below. And that is exactly the point. What is the model for bringing in an intern, someone out of school that's just really looking to cut their teeth on cybersecurity? How do we get them involved and then move them up the ladder as we backfill all the way up?
Starting point is 00:25:18 Because that's the road to success, I think, in this industry. Yeah. All right. Well, we'll have to check in a year from now and see how you did. See how horribly wrong I was. Ransomware's gone and we've solved it. Right, right. Yes, yes, exactly, exactly. All right, David Dufour, thanks for joining us. Take care, David. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:25:59 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. The pause that refreshes. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Your AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:27:31 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
