CyberWire Daily - The WatchDog Monero cryptojacking operation. “A criminal syndicate with a flag.” US Senator asks FBI, EPA for a report on water system cybersecurity. Cybercrooks placed on notice.
Episode Date: February 18, 2021
Watch out for the WatchDog Monero cryptojacking operation. The US Justice Department describes North Korea as “a criminal syndicate with a flag.” CISA outlines the DPRK malware that figures in the AppleJeus toolkit. The Chair of the US Senate Intelligence Committee asks the FBI and EPA for a report on the Oldsmar water system cybersabotage incident. Egregor takes a hit from French and Ukrainian police. Dinah Davis has advice on getting buy-in from the board. Our guest is Bentsi Ben Atar from Sepio Systems on hardware attacks. And the Netherlands Police advise cybercriminals to just move on. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/32 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Watch out for the WatchDog Monero cryptojacking operation.
The U.S. Justice Department describes North Korea as a criminal syndicate with a flag.
CISA outlines the DPRK malware that figures in the AppleJeus toolkit.
The chair of the U.S. Senate Intelligence Committee asks the FBI and EPA for a report on the Oldsmar water system cyber sabotage incident.
Egregor takes a hit from French and Ukrainian police.
Dinah Davis has advice on getting buy-in from the board.
Our guest is Bentsi Ben Atar from Sepio Systems on hardware attacks.
And the Netherlands police advise cyber criminals to just move on.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 18th, 2021.
Researchers at Palo Alto Networks' Unit 42 yesterday outlined the activities of the large Monero mining operation they've called WatchDog. The criminal operation is notable for its longevity, having begun activity in January 2019.
Unit 42 assesses WatchDog's cumulative take at a bit more than 209 Monero, worth roughly $32,000. It's a cryptojacking operation using some 476 compromised,
non-cooperating systems, mostly Windows or *nix cloud instances, to mine the coin.
The researchers say, quote, it is clear that the
WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding
their mining operations. While there is currently no indication of additional cloud compromising
activity at present, i.e. the capturing of cloud platform identity and access management credentials,
access ID or keys, there could be
potential for further cloud account compromise. It's highly likely these actors could find IAM-related
information on the cloud systems they've already compromised due to the root and administrative
access acquired during the implantation of their cryptojacking software.
Watchdog is a nuisance, but its take amounts
to petty larceny when compared to the haul Hidden Cobra, the Lazarus Group, has pulled in for North
Korea. The U.S. Justice Department yesterday unsealed the indictment of three North Korean
operators belonging to that country's Reconnaissance General Bureau. They're charged
with conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from
The Justice Department also said a resident of Ontario, Canada, had been separately indicted for laundering money on behalf of the conspiracy.
This amounts to more than a simple APT side hustle of the kind seen elsewhere,
when state operators either enrich themselves a little bit with their left hand, or when governments employ cybercriminals for state purposes and tolerate some theft as a side benefit,
or when a government operation pays its own freight by stealing online.
In this case, as we saw yesterday, the theft is the point, as important
as the espionage. And it's not just a side benefit lining some hacker's pocket, but it's a significant
source of revenue for a national treasury that's been impoverished by international sanctions.
U.S. Assistant Attorney General John Demers, who leads the Justice Department's National
Security Division, called Hidden Cobra a criminal syndicate with a flag, as he explained the role indictments play
in naming, shaming, and, one hopes, restraining nation-state threat actors.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has issued alerts amplifying
its investigation of Hidden Cobra's AppleJeus
malware family, outlining the JMT Trading, Celas Trade Pro, Ants2Whale, and Kupay Wallet tools.
Congress has taken notice of the Oldsmar cyber sabotage incident. Senator Warner,
Democrat of Virginia and chair of the Senate Select Committee on Intelligence,
has formally asked the FBI and the Environmental Protection Agency for information on Oldsmar.
In a letter addressed to Matt Gorham, FBI Assistant Director, Cyber Division,
and Radhika Fox, Acting Assistant Administrator, Office of Water at the EPA,
Senator Warner pointed out that water is one of the 16 sectors Presidential Policy
Directive 21 designated as critical infrastructure, and that while Oldsmar is a relatively small town
with about 15,000 inhabitants, and that while the intrusion into the utility's control system was
detected before damage was done, the U.S. might not be so lucky the next time around.
The senator asked the Bureau and the EPA to coordinate their responses with his office.
He gave no deadline for them to do so.
Dutch police are posting notices to hacker forums,
appealing to the conscience, caution, and criminal self-interest of forum participants who may find themselves tempted to engage in cybercrime.
In a message from the Netherlands police that Bleeping Computer reports
has appeared so far on both the Anglophone RaidForums and the Russophone XSS Forum,
the police blandly recount the recent takedown of Emotet and then say,
quote,
Hosting criminal infrastructure in the Netherlands is a lost cause. Looking for a botnet? Think again. ... sources and the cybersecurity industry. We will leave no stone unturned in finding those committed
to cybercrime. You might lose your liberty and not just your bots and business. As you know,
the Netherlands police is always the first to see next season's catalogs. International law
enforcement continues to work against cybercrime wherever it's committed. Everyone makes mistakes.
We are waiting for yours. End quote. Well, that would
scare us straight if we'd been tempted to hire a botnet or cryptojack someone's machine. Good
hunting to the Netherlands police, we say. Their note isn't bad at all. Clear, direct, and calculated
to undermine that strange, disinhibited sense of immunity that tends to infect people in cyberspace,
from influencers to fans to crooks, creeps, and side-hustling spies.
The mentions of underground information and next season's catalog are particularly nice touches.
The Netherlands police also close with some news you can use. Quote, check where criminals host their infrastructure.
Avoid those that use the
Netherlands, end quote. It's law north of the Waal, hackers, which in cyberspace is even scarier than
law west of the Pecos. You've been warned. Seriously. There have been other international
law enforcement operations, of course. This week, a joint Franco-Ukrainian action resulted in the arrest
of several Ukrainian nationals on charges related to operating the Egregor ransomware as a service
operation. The disruption may be temporary, as Dark Reading writes, but for now at least,
Egregor has taken a hit. And finally, as we speak to our listeners in Texas from our own greater Baltimore ice storm,
which isn't nearly as bad as yours,
we send warm wishes for safety and comfort to everyone in the Lone Star State
who's suffering from the effects of immoderate weather.
Stay safe and stay warm.
We'd add, look out for your neighbors, but you already knew that. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now. We know that real-time
visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time
checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices,
home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
It's been a month and a half or so since the riot at the U.S. Capitol building in Washington, D.C.
Footage from that fateful day included shots of rioters ransacking and rummaging through the
offices of representatives, and there were additional reports of computer hardware being stolen.
It was a stark reminder that unauthorized physical access to hardware remains a serious risk.
For more on this, we checked in with Bentsi Ben Atar, CMO and co-founder of Sepio Systems.
So I think that a lot of the actions being taken by the existing security teams are mostly related to the capabilities of the tools that are being deployed.
So I think the main issue is that they currently have very limited visibility to hardware with malicious intent.
So obviously they do have various visibility tools to get a kind of an asset inventory to
some of their tools, to some of their assets. But when you talk about the rogue aspects of
hardware devices, then they lack the capabilities and visibility into those.
Can you give us an idea of the spectrum of types of devices that folks may find hooked
up to their network, you know, from the, you know, the noisy ones through the ones that
are trying to stay hidden?
So the basic categories could be divided into two.
One would be the network implants or network spoofing devices,
and the other would be various USB HID emulating devices.
But they are not limited to that,
because every device can be an impersonating device,
whether it's a display or a serial device or any hardware device of
any interface could be that. When talking in specifics about the network options, then we
see a lot of man-in-the-middle attack tools that actually operate while exfiltrating the information
over a cellular connection, because attackers understood quite smartly
that some of the enterprises do monitor their Wi-Fi activities.
So their exfiltration path would be using a cellular connection,
which is much more difficult to intercept and to analyze,
especially regulation-wise.
And those devices that operate on the layer one,
on the physical layer,
act as a seamless passive cable
so that none of the existing solutions
in the upper layer,
mainly layer two and above,
whether these are NAC solution or IDS solution,
cannot detect the existence of these devices
because the switch itself,
which is their main probing device and source for information,
does not see those devices.
So they could be starting from a passive network implant,
going through a full-blown man-in-the-middle attack tool
that is based on a cellular router.
On the USB side, it's a different game
because some of the attacks that we've seen are attacks that exploit vulnerabilities within existing USB devices.
So it could be a wireless combo keyboard, which is known to be vulnerable, or a certain mass storage device.
A rubber ducky device, which is a device that impersonates as a legitimate keyboard with the same facade of a legitimate keyboard, while in real life it's actually an attack tool that runs a script that could significantly harm the enterprise's capability of doing business.
That's Bentsi Ben Atar from Sepio Systems.
And staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And joining me once again is Dinah Davis. She's the VP of R&D for Arctic Wolf.
Dinah, it's always great to have you back.
I want to touch base with you today about interacting with a company's board of directors
and kind of making that case to get funding for security.
What can you share with us today?
Yeah, it's really important, right, that the board buys in and actually funds the security program in your
company, right? So the first thing you really need to get around is how to get them engaged, right?
You can't just, you know, walk into the board one day and say, hey, I need
some money. Can you give me some money? Because they're going to be like, no, what are you going
to do with it? Right. Who are you and what are you doing here? Yes, exactly. So a great place to
start is with the fact that cyber risk is actually organizational risk, right? What are the risks that your board
cares about? So you can highlight that it's not only the company's reputation, but there are
massive commercial implications to a breach. In fact, I was reading yesterday that about
40% of the losses, like the financial loss that companies go through during a breach is because
of customer loss, because they're not trusted anymore. So that's the first thing, you know,
make them understand the importance of the reputational and commercial implications.
And also remind them that directors and officers of the company are liable for misrepresenting
their security measures, right? So if they fail to
disclose things, if they're not doing what they need to do, there could be heavy fines for them.
They've got skin in the game.
They do. They do. And then you got to hit them where it hurts most.
Money. Money. So, you know, what would it cost their organization if ransomware shut them down? So walk them through
that the costs include, like, um, the cleanup, the loss of customers, like I said, uh, compliance fines,
all kinds of things, right? And if you're in health care, it's even worse, right? You've got
HIPAA to deal with and all these other things like that. And so you can show them that adding security
after will cost you, after development and after something like that will cost you about 100 times
more, right? And then you can show them, you know, some statistics on the likelihood that they will get breached. So, and the average cost.
So the average cost of a data breach in 2020
was $3.8 million.
So that's kind of crazy.
And then on average,
it takes about 280 days to spot and contain a breach.
So the more stuff you have in place at the beginning,
the faster you're going to find that,
the more you're going to detect it,
the less money you're going to lose.
And then, as I mentioned before, the largest factor is the loss of business, which is about 40%, right?
Yeah.
So now that you've scared the crap out of them and showed them all the bad things, now you want to show them what you've done for good.
So you want to go in there and say, hey, look, this is what we've put in place already. It's decent. It's not
going to cover everything, you know, that we are worried about, but it's covering good. Here's what
we need more so that we can do this, this, this, and this, and it's going to cost this much.
That's what we need your funding for.
So you can also remember to keep it simple, practice your pitch,
and if needed, go get marketing to help you with your slides.
Make them look amazing.
That's what marketing is for.
Right.
It's interesting to me, like, you know, as you mentioned at the outset,
the importance of speaking to them in their own language, of taking the time ahead of time to do your homework. So when you walk in there, you're talking to them as, you know, in terms of risk, which is what they, that's what resonates with them.
Yes, absolutely. Right. And it's money risk, it's reputation risk, it's fines, it's all kinds of different risk for them.
And ultimately, it's up to them to decide how they're going to dial things in.
It can't be total risk elimination, but it's risk management.
Exactly. It's that medium ground.
Because if you did everything to the nth degree, you might bankrupt the company spending all the money doing that.
Right. Right. Or making it so hard that your customers can't use your product. Right.
That's that classic security problem of usability versus security. Right.
And it's the same when you're looking at a business on how much to put in place to protect yourself and how much you have to just go, OK, let's accept that risk and make sure we have good, you know, response plans if it happens.
Yeah.
No, I think it's really important stuff.
All right.
Good information.
Dinah Davis, thanks for joining us.
No problem. And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
A palatable confection and a most nourishing food.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Kelsey Bond, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe,
Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.