CyberWire Daily - UN Security Council looks at North Korean cybercrime. Notes on PsiXBot and BITTER APT. The state of spearphishing. Election security. A final look back at Black Hat and Def Con.

Episode Date: August 13, 2019

More on the UN Security Council’s report on North Korean state-sponsored cyber crime. PsiXBot evolves. BITTER APT probes Chinese government networks in an apparent espionage campaign. A study looks at the state of spearphishing. It’s not just the three-letter agencies out securing US voting systems; it’s the four-letter agencies who are taking point. And a last look back at Black Hat and Def Con. Jonathan Katz from UMD on Apple’s clever new cryptographic protocol. Guest is Mike Overly from Foley and Lardner LLP on the House’s hold on the State Department’s proposal for a Bureau of Cyberspace Securities and Emerging Technologies.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. More on the UN Security Council's report on North Korean state-sponsored cybercrime. PsiXBot evolves. BITTER APT probes Chinese government networks in an apparent espionage campaign.
Starting point is 00:02:09 A study looks at the state of spear phishing. It's not just the three-letter agencies out securing U.S. voting systems. It's the four-letter agencies who are taking point. And a last look at Black Hat and DEF CON. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, August 13th, 2019. The UN Security Council panel studying North Korean hacking concluded, according to the AP, that Pyongyang has made at least 35 financially motivated cyber attacks against 17 countries as it works to fund its weapons of mass destruction programs.
Starting point is 00:02:50 This is the report which the Associated Press saw a fragment of last week. They've now seen the whole thing. In terms of targeting, South Korea received the most attention, sustaining 10 North Korean cyberattacks. India came in second with three, and Bangladesh and Chile received two attacks each. A single attack was determined to have cut a wide international swath, with victims in Costa Rica, Gambia, Guatemala, Kuwait, Liberia, Malaysia, Malta, Nigeria, Poland, Slovenia, South Africa, Tunisia, and Vietnam.
Starting point is 00:03:23 The most common operations have been attacks against the SWIFT international banking funds transfer system, then attacks against cryptocurrency exchanges, most of these in South Korea, and finally cryptojacking to mine altcoin directly. Monero was Pyongyang's preferred altcoin. Anything they succeeded in mining went to servers at Kim Il-sung University in the nation's capital. These three families of attack share the common feature of being well-adapted to quick, difficult-to-trace or interdict money transfers and money laundering. The report also emphasized that the attacks were low-risk and high-yield efforts. Money laundering would be
Starting point is 00:04:03 essential to North Korea, hemmed in as it is by international sanctions, designed mostly to choke off the nuclear weapons and ballistic missile programs the Kim regime is pursuing. Given the seriousness of the hacking campaign's goals, nuclear weapons, after all, not generally being a good thing, the sanctions recommended by the UN panel are surprisingly light. They basically come down to measures against half a dozen North Korean merchant ships caught smuggling red-handed. This is probably more an indication of how little there is that remains to be sanctioned
Starting point is 00:04:35 than it is a sign of indulgence toward Mr. Kim and his regime. Anomali said last week at Black Hat that it had observed the BITTER APT operating against Chinese government targets. It's engaged in email phishing designed to extract email credentials from users within China's government. The apparent motivation is espionage, and the effort probably represents the first stages of a larger, more extensive campaign. BITTER APT has been seen in action in the past against targets in Pakistan, Saudi Arabia, and China. Anomali stopped short of any attribution firmer than "believed to operate from South Asia," but the BITTER APT has for some time been regarded as being in all likelihood an Indian operation. Proofpoint has released a study of PsiXBot,
Starting point is 00:05:25 a modular information stealer described earlier this year by Fox IT. A new version of the malware is out in the wild, turning up in both phishing campaigns and exploit kits. The malware has added additional modules and a new way of connecting to DNS servers. Proofpoint regards the upgrades as evidence of the threat actor's determination to compete in the competitive criminal-to-criminal market. They don't identify the gang responsible, but they observe, without comment, that PsiXBot checks a potential victim to see if that target is likely to be Russian. If it is, PsiXBot exits. So we figure you don't exactly have to be Sherlock
Starting point is 00:06:02 Holmes to figure that one out. Here in the U.S., there's bipartisan agreement that cybersecurity deserves to be a national priority. How exactly to accomplish that remains a point of contention, and that played out recently when Representative Eliot Engel, a Democrat from New York, placed a hold on the State Department's plans to establish a Bureau of Cyberspace Securities and Emerging Technologies. Michael Overly is a partner at Foley & Lardner LLP and a member of the firm's information technology and outsourcing team. This has been sort of in the making for almost two years. That is, there was the proposal to create such a department, organization, what have you, about two years ago, and it's kind of languished. And it looks like, in light of the events in June, that it's going
Starting point is 00:06:52 to continue to languish for some time until there's agreement on exactly what it's going to do. You know, it's one of those things where there's a good idea. Let's foster economic development online and cyberspace. Let's improve online privacy. Let's certainly address cybersecurity. These are all things that I think no one will disagree with. But nonetheless, we're two years plus out right now, and we still don't have a formed organization, department, etc. to do this. And what do you suppose is holding things up here? As you read between the lines, what do you think's going on? Well, I think that, you know, there's a fundamental problem of, as is common in the
Starting point is 00:07:37 government, we have competing interests. We have sort of a bipartisan effort, which is underway. That's what Eliot Engel is working on with the Cyber Diplomacy Act. Engel is arguing that the proposed group focuses far too much on cybersecurity issues to the detriment of fostering online commerce, to avoiding disputes online, and to better promoting sort of a digital economy. And is there an unspoken subtext here? Have political interests seeped into what's really going on or not? Is that not a factor? Well, it's interesting. You know, if you think about the Trump administration, one of their hallmarks is, or one of his hallmarks is, let's avoid excessive regulation.
Starting point is 00:08:26 Let's avoid big government. So nonetheless, though, we have a new group being created, which, mind you, I think is a good thing. I think both sides of the aisle would agree that getting sort of a uniform approach to these many issues that comprise cybersecurity, the digital economy, etc., are all good. The problem is how to make that happen. The proposed new organization would have, as I understand it, 80 employees with only about a $28 million budget. That's not a lot of money to fundamentally impact online activity. Yeah, it doesn't really seem to reflect what I suspect most people would recognize as the importance of the issue. It's true.
Starting point is 00:09:15 And I think everyone agrees, very important issue. The question is, and you know, as so often happens, there are lots of lines being drawn as to who's going to do what. And the problem is that we're not getting those lines drawn in a rapid fashion. And so some people look at this and say, you know, the world is potentially passing us by with regard to things like digital economy, with regard to, you know, activities on privacy. In fact, many people would say that Europe's well ahead of us on privacy. And so I think we need to do a little bit of catch-up. And I don't think this is a situation where one side or the other is saying,
Starting point is 00:09:53 it's got to be my way or the highway. I think the problem is that everyone needs to agree on what the form is and then get that constituted as quickly as possible. So unlike many things that are pending in Congress right now, I don't think there's a fundamental disagreement as between the two parties. If there is one area that moves quickly and potentially can change overnight fundamentally what it's doing, it is online activity. What we understand today may not be our understanding in three months.
Starting point is 00:10:26 Yet we've had a situation here where we've got a two-year gap thus far without activity in this area. That is a travesty. And I don't think anyone's assigning blame to anyone at this point. The problem is something needs to be done sooner rather than later, or we are going to miss the boat substantially. I think that this is a very important, if not fundamental, area that we need to have an established presence in, because if we don't lead, the world will, and that may not be what we want. That's Michael Overly. He's a partner at the law firm of Foley & Lardner, LLP. Glasswall Solutions issued a report this morning in conjunction with Forcepoint
Starting point is 00:11:07 on spear phishing trends. They find that it's growing more evasive. An analysis of 25 million email attachments concluded that IP theft and compromise of client confidential data represent the highest risks. Some of the report's conclusions will surprise no one. The finding that users are more likely to click or open documents that appear familiar from a known source, for example, confirms conventional wisdom about social engineering. Others show trends that, while unsurprising, are nonetheless interesting. The study found that technology was the most targeted sector and that it was followed by legal services and industrial
Starting point is 00:11:45 control system providers. Influence operations targeting next year's U.S. elections are arguably already underway, Nextgov notes. They're inexpensive and low-risk, as Russian operators have demonstrated since the 2016 election season. Iran has shown a willingness to crib from the Russian playbook using what Facebook calls coordinated inauthenticity to amplify messages online. Iran's operators have shown a preference for pushing particular lines of thought. There are things they'd like people to believe and positions they'd like to persuade them into. That's less the case with the Russian operators who aim at disruption in an opportunistic way. The trolls of St. Petersburg tend to be chaos artists like Batman's antagonist, the Joker.
Starting point is 00:12:32 Several observers note that Chinese intelligence and security services have been more comfortable with traditional espionage and propaganda, but there's no reason to think that Beijing would necessarily pass up a chance at the new school of influence operations. DEF CON's Voting Village saw some attempts at voting machine hacks, but these were troubled by some logistical fumbles and not everyone had time enough to take a good crack at the targets. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, did put in a noteworthy appearance at the Voting Village to describe how NCATS, CISA's National Cybersecurity Assessment and Technical Services, is supporting election security.
Starting point is 00:13:14 NCATS offers its services free to eligible federal, state, and local authorities. CISA is still a relatively young agency, and it's interesting to see the portfolio of services it's evolving. If you're running an election stateside, it would be worth your while to get to know NCATS. Before we leave Black Hat and DEF CON until next year, we'd like to offer our congratulations to the Plaid Parliament of Pwning. Yes, Carnegie Mellon University's competitive hacking team took top honors for the fifth time in seven years at DEF CON. DEF CON's Capture the Flag is generally seen as the World Cup of Hacking, its Super Bowl, its World Series, almost its pay-per-view pro wrestling cage match. Congratulations to the
Starting point is 00:13:56 Triple P and may Pittsburgh give you a parade. Finally, we close with some notes from Las Vegas on swag and booth diversions. Socks continue to be a popular giveaway. If you left Black Hat barefoot, you did so by choice and not out of necessity. T-shirts remain another standby. CrowdStrike had a big line at their booth for shirts emblazoned with the company's cartoon representations of threat actors. Too long, in fact, for our reporter to get himself a shirt.
Starting point is 00:14:29 And if you're listening, CrowdStrike, he wears a men's size large and is partial to Fancy Bear. And if you weren't able to get to Las Vegas, ask those colleagues who made the trip if they spent any time in Demisto's ball pit. Trust us, admit it or not, they probably did. Farewell to Las Vegas. Until next year. Do you know the status of your compliance controls right now? Like, right now.
Starting point is 00:15:26 We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done
Starting point is 00:16:00 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:17:00 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's always great to have you back. We had a story come by from Wired, written by Andy Greenberg, and this was about some clever cryptography that's going on with some features that Apple's including in some of their devices. Can you shed some light on what's going on here? Yeah, this is basically a mechanism that Apple has integrated into their hardware,
Starting point is 00:17:35 which will allow people to be able to find their hardware in case it gets lost or in case it gets stolen. And the problem with the previous schemes that they had was that they would only work when they were powered on. And so, of course, if you had somebody who stole your laptop, for example, your phone, and then just didn't turn it on or didn't turn it on when it was near a Wi-Fi connection, then you'd have no way to locate that device. And so what they've done is they've changed things a little bit and they've come up with what seems to be a new cryptographic protocol that has the device actually transmit certain information even when it's in sleep mode. So what's going on with the protocol itself? Can you share some details about that? It's quite fascinating also. I mean, I haven't seen the
Starting point is 00:18:18 technical details of the protocol. I've just seen the public reports about what the protocol does. And one of the concerns, of course, with anything like this is that if you have a device that's constantly transmitting information about where it is, then that opens up huge privacy concerns because it means that somebody could potentially follow you around or follow your device or listen for the device and thereby track your location over time. So they've developed this protocol that will allow them to be able to broadcast information about a device's location in such a way that it remains hidden to everybody, both eavesdroppers
Starting point is 00:18:53 as well as even Apple itself, but will allow the owner of the device to still locate it. So it's pretty impressive, actually, that they've been able to do that. And any sense for what dark magic is taking place under the hood to make that happen? Well, so like I said, I haven't seen the technical details, but the basic idea is that you set up, say, two devices that have, let's say, matching cryptographic keys.
Starting point is 00:19:16 And what those devices will do is they'll remain in sync over time. So think about, say, each device updating its key, let's just say for the sake of argument, every hour. And the key will be updated in such a way that anybody who doesn't have one of the keys won't be able to trace this evolution of the key over time. So imagine that you have your phone and your laptop, and your phone and laptop are going to always be updating their keys. And if the phone is stolen, it's going to be broadcasting something that's correlated with its key at every moment in time. Somebody from the outside listening in won't even be able to tell that it's the same key from the same device.
Starting point is 00:19:55 But the owner, the original person with the laptop that they paired with that phone, will be able to tell not only that that's their key, but also they'll be able to use that information to then decrypt and find the location of the phone. So it's pretty impressive, actually, and I'd be curious myself to really see the details of the underlying protocol. So it really seems like a best-of-both-worlds kind of thing here, where you get privacy where even Apple doesn't know where the devices are. Yeah, that's right. And like I said, it's pretty impressive. There isn't a published protocol yet, but I'm hoping that they'll publish it and open it up for peer review. I think
Starting point is 00:20:30 the devil is always in the details with these kinds of protocols. There are all kinds of things that could go wrong, and it would be great if they really allowed experts the opportunity to look at what they're doing and then to evaluate it. All right. Well, Jonathan Katz, thanks for joining us. Thanks again. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:21:10 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. For today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:22:04 Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
