CyberWire Daily - US warns of DPRK threat to cryptocurrency holders, and indicts four on conspiracy charges. Centreon says Sandworm affected unsupported open-source tools. Big Hack skepticism. Patch notes.
Episode Date: February 17, 2021

High Bitcoin valuation draws the attention of cybercriminals, and a number of those criminals work for Mr. Kim, of Pyongyang. Alleged criminals, we should say. Centreon offers an update of its investigation of the Sandworm incident ANSSI uncovered. Reports of the Big Hack are received with caution. Patches applied, pulled, and replaced. Joe Carrigan describes a legal dustup between Proofpoint and Facebook over lookalike domains. Our guest is Sinan Eren from Barracuda Networks on their state of cloud networking report. And Florida's water system cybersabotage provides a good reminder to stay away from unsupported software. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/30 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
High Bitcoin valuation draws the attention of cyber criminals,
and a number of those criminals work for Mr. Kim of Pyongyang.
Alleged criminals, we should say.
Centreon offers an update of its investigation of the Sandworm incident ANSSI uncovered.
Reports of the big hack are received with caution.
Patches applied, pulled, and replaced.
Joe Carrigan describes a legal dust-up between Proofpoint and Facebook over look-alike domains.
Our guest is Sinan Eren from Barracuda Networks on their State of Cloud Networking Report.
And Florida's water system cyber-sabotage provides a good reminder to stay away from unsupported software.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 21st, 2021. Criminals respond to market pressures and chase market opportunities as much as do participants in legitimate trade.
Kaspersky published a study yesterday that sees a shift in the focus of much criminal activity over the latter part of 2020.
One of the incentives the underworld saw late in the year was a significant rise in the value of Bitcoin,
and so criminals repurposed much of their infrastructure
away from less lucrative efforts,
notably distributed denial-of-service attacks,
and turned to coin mining.
That's where the money has been.
Among the criminals who took note
were the state-sponsored hoods being run from Pyongyang,
that is, the North Korean threat crew the U.S. calls Hidden Cobra.
Cybercrime has long been attractive to the DPRK,
as the Kim regime seeks to redress its general economic failure
and sanctions-driven isolation from international markets.
In this case, however, Hidden Cobra is more interested in direct theft than it is cryptojacking,
that is, installing coin miners on non-cooperating systems.
This morning, the U.S. Cybersecurity and Infrastructure Security Agency
issued a joint alert with its partners in the FBI and the Department of Treasury,
the alert's goal being to
highlight the cyber threat to cryptocurrency posed by North Korea and provide mitigation
recommendations. The tools Hidden Cobra has used in this campaign are collectively referred to as
Apple Juice. The alert explains, quote, the North Korean government has used multiple versions of
Apple Juice since the malware was initially discovered in 2018.
Initially, hidden Cobra actors used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with Apple Juice.
However, these actors are now also using other initial infection vectors, such as phishing, social networking, and social engineering techniques,
to get users to download the malware. So, trade with caution and armor yourself
with appropriate skepticism in the face of social engineering.
The U.S. Justice Department has gone one better than simply participating in a joint alert.
The Washington Post today reported that Justice has unsealed
charges against three North Korean espionage officers. They're accused of conspiring to steal
and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses around
the world. The conspirators are alleged to have been active since 2014 at least and to have pursued a state policy of revenue enhancement
with a bit of revenge thrown in.
The indictment was filed on December 8, 2020,
in the U.S. District Court of Los Angeles.
The three defendants are identified as belonging
to the North Korean Reconnaissance General Bureau,
the RGB intelligence service.
It's noteworthy, perhaps, that the three were sometimes posted
outside of the DPRK itself, including tours in China and Russia. The range of what the Justice
Department press release calls schemes is indeed impressive. The list of criminal activity alleged
in the indictment includes some familiar and famous capers, including cyber attacks on the entertainment
industry. That includes the famous November 2014 Sony Pictures hack. Cyber-enabled heists from
banks from 2015 through 2019. These involved fraudulent SWIFT transfers from banks in Vietnam,
Bangladesh, Taiwan, Mexico, Malta, and various African countries, cyber-enabled ATM cash-out thefts, ransomware
and cyber-enabled extortion, including creation of WannaCry 2.0 in May 2017, creation and
deployment of malicious cryptocurrency applications, targeting of cryptocurrency companies and
theft of cryptocurrency, spear phishing campaigns, and finally, marine chain token and initial coin offering,
a 2017 and 2018 scheme that sought to evade sanctions by peddling fractional ownership in maritime fishing vessels.
This operation was, of course, supported by a blockchain.
A Canadian resident has also been charged with abetting the conspiracy with money laundering.
Centreon, a firm whose IT resource monitoring tool France's ANSSI identified as compromised in what appears to be a Russian operation, yesterday provided an update on its own investigation.
The software in question is an older version of the tool that's been unsupported for the last five years.
There have been eight updates
since that version reached its end of life. The company says that none of its current customers
were affected and that the 15 entities that were afflicted by Sandworm's backdoor were all using
open-source versions of the obsolete software. ZDNet reports that the backdoor found in the
open-source version of Centreon software was Exaramel, a malware that bears some similarity to Industroyer.
ESET offers some background and context describing how they found Exaramel at the heart of Industroyer during their 2018 investigation of Russia's 2016 cyber-sabotage of Ukraine's power grid. As Bleeping Computer reports,
it's unclear how the threat actor succeeded in compromising the software.
Fortune summarizes the current state of opinion about Bloomberg's renewal of its story
on alleged discovery of Chinese hardware backdoors into Supermicro chips.
Fortune notes that the current version relies on second-hand
and anonymous sources, which, according to Fortune, does not inspire confidence.
It's a curious story that Bloomberg first ran in October 2018. Supermicro has vigorously disputed
the report, most recently in a statement it issued this week, and industry sources cited in the initial article did not confirm their statements when queried by other media outlets.
U.S. government officials said in 2018 that they had seen no evidence of the compromise Bloomberg reported
and that they would welcome being shown evidence that it had occurred.
The present version of the big hack story is being received by most observers with a heavy dose of caution.
Some news on patches and updates.
Microsoft has pulled one of its Patch Tuesday fixes for Windows 10 version 1607 and has issued an update to replace it.
CISA yesterday issued four new advisories on control systems. The affected products include
the Hamilton T1 ventilator, the Open Design Alliance drawing software development kit,
Rockwell Automation's Allen-Bradley MicroLogix 1100 programmable logic controller, and WAGO M&M
Software fdtCONTAINER, Update B. Authorities in Florida continue their inquiry into the Oldsmar water utility cyber sabotage incident,
but beyond expressing the hope that they'll be able to discuss the attack more once the investigation is complete,
they've had little to say.
Water systems in other parts of the U.S. continue to look to their defenses and seem to be using recent federal advice as their guide for doing so.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Sinan Eren is VP of Zero Trust Access at Barracuda Networks.
He joins us with takeaways from their recently published report on
the state of cloud networking.
I mean, it's always helpful for us to have a cohesive product strategy, looking into the future, what our customers want, whether their infrastructure has been, as we predicted, shifting away from on-prem and data centers to cloud infrastructure, public cloud infrastructure.
So it's always helpful to probe a diverse set of customers and organizations on all verticals, coming from different compliance and regulatory frameworks, to find out what the future looks like for them, what digital transformation looks like for them, and how they're going about it.
So what were some of the key findings here?
What were some of the things that stood out to you?
Yeah, I mean, one of them actually stood out impressive
in a sense that I wasn't expecting to hear that.
But more than three quarters of the participants,
the organizations mentioned that they use multiple cloud providers.
To be completely fair, I mean, and transparent here, I always assume that you kind of take a bet, right?
Microsoft Azure, Amazon Web Services, to hear that three quarters of organizations have multi-cloud,
meaning that they kind of pick the best for whatever the functionality and the service that they're looking for, whether it's storage, whether it's compute or networking.
They pick and choose.
They pick and choose whichever is more optimized, whichever offers the best SLAs and best quality of service.
They tend to go with that, which was refreshing and it's brilliant, but at the same time, it was surprising.
Yeah, fair enough.
What were some of the other things that stood out to you?
I would say that also this was a positive surprise. And it was nice to hear that about 90%, 89% to 90% of the respondents say that they understand the shared responsibility model
when it comes to cloud security. When they're using Amazon, Microsoft, or Google,
they know that the vendors are responsible for the security of the cloud infrastructure itself, right? But then they are responsible for the security and the posture
management of everything that they put on the cloud, right? So that's, unfortunately, a lot of
the breaches came through, you know, misconfigurations on the cloud and, you know, all kind of
customer-driven, perhaps, I would say, perhaps not quite understanding their responsibility model.
We've been hearing data breach after data breach over the years,
but it seems like it's finally that folks are aware
that the responsibility is shared between
infrastructure security is on the vendor
and how you configure and how you protect the data
and the configurations that you upload to the cloud
is the customer's responsibility.
So that's refreshing to hear.
You mentioned the fact that there was so much
multi-cloud use was a bit surprising.
Was there anything else that was unexpected when you
read through things that you weren't expecting?
One other thing, I mean,
I would say that we all have a healthy bit of
skepticism about SaaS applications scaling super fast.
Take your mail and productivity suites or your favorite CRM.
So we heard from our 800 participants that they endure latency and they were not very happy with the performance, right?
So there could be many reasons.
This was taken back in October, 2020, the survey.
And, you know, of course, shelter in place
and lockdown was in full force.
So there might be an outcome based on that,
that our basic utilities were not meant to take on this a lot, take on this super increased load of everybody working from home and hitting Salesforce or Office 365.
But we did hear 70% of the participants mentioning that their SaaS workloads seem to enter a lot of latency.
That's Sinan Eren from Barracuda Networks.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
Interesting story from the folks over at ZDNet.
This is written by Catalin Cimpanu,
and it's titled,
Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests.
What's going on here, Joe?
So what has happened is Proofpoint has a phishing test product that they offer to companies, right?
This is a product to increase security awareness for the employees,
and they'll send links out to people that when they click on them,
the people will see a message that says, okay, you just clicked on a phishing link.
Right.
But these domains look very much like Facebook domains. In fact, they are, uh, one of them is factbook.a-login.com. Um, which is just Facebook login without the, uh, without the E. Another one is really good. Uh, this one actually made me look twice in the text of the article.
It's Instagram.ai.
Now, from looking at it here with my old eyes, old man eyes, this looks to all the world like Instagram.
I mean, the R and the N at the end make that M.
And when I look at it, I see Instagram.
It's a good name.
Right, right.
They also have Instagram.org and Instagram.net. Now, Facebook is using a process called UDRP,
and that stands for Uniform Domain Name Dispute Resolution Policy. And that is where they make a request
to get control of the name, the domain name from the registrar under the auspices that
this is somebody acting in bad faith and somebody trying to impersonate Facebook, right? Or Facebook
intellectual property. Now, here's the thing, Dave, I don't know where I come down on this one,
right? Because Proofpoint has a good point that they didn't register these in bad faith. They're
not harming anybody by using them.
They're actually using it for education.
Right, right.
It may be better for Proofpoint to have them than have them be available to a bad guy.
Exactly.
But Facebook has a good point here, but these are still out there and available, and Facebook doesn't control them, right?
So what happens if Proofpoint, let's say, I don't wish this on Proofpoint. I
don't have any, I don't think this is going to happen, but let's say Proofpoint gets acquired,
right? And that business gets shuffled off and they stop renewing those domains. Those domains
become available for anybody, right? I wonder if there's a resolution here where Proofpoint could
say, you know what, Facebook, we will reach an agreement.
We'll reach a settlement here where we'll give you these domains.
These will become your domains as long as we can continue to use them in our phishing exercises in an agreement for as long as we're a company and we never use them maliciously.
Yeah.
Yeah. Yeah, it's, you know, this can be a prickly thing where, you know, we've seen examples of folks, companies spinning up some of these fake phishing examples where they've used things like where they've said, click here for your Christmas bonus.
Right.
And it's a phishing test.
And on the one hand, it's compelling, right? Everybody wants a Christmas
bonus. But on the other hand, in the midst of a pandemic, when there's lots of bad things going on,
getting someone's excited about a Christmas bonus that does not exist, it's not very sporting.
Yeah, that is not very sporting. I think that's bad form in these phishing tests. But I think
these phishing tests actually target social media, right? Like there was a phishing test I got one time that it was
just somebody going, Hey, is this you on Instagram? And, um, and it was just, you know, a link,
you know, there's the, you was highlighted and I moused over the link and I was like,
that's not Instagram. But if, if somebody said, is this you on Instagram and use one of these Instagram things?
And I said, while reading the article, I couldn't tell the difference. I couldn't tell it. It looked
to me like Instagram. The only thing that would have tipped me off is a top level domain being
.net, .org, or .ai instead of .com, which I know Instagram is Instagram.com. This is an excellent tool for people. It could further
increase the granularity. And it's not that malicious or, I don't know, I wouldn't say
malicious, but ill-planned idea of saying, hey, look at your Christmas bonus. And then now the
employee is really mad that first off, they got caught by a phishing test. And second, and more
importantly, there is no Christmas bonus. You're just enrolled in the jelly of the month club now.
So I wonder how far this goes.
To what extent can Facebook request these takedowns and to what extent are they granted?
You know, how far afield can a name look?
And could folks who have legitimate businesses that just happen to resemble an organization like Facebook's, could they accidentally fall into this net?
Uh, that is a good question. Uh, and I actually thought about
that question and I thought about, um, you know, if I had a, if I had a company that was maybe
something, I don't know, let me think of something really stupid, just a picture book of faces that
I have. Right. Right. Right. And, uh, and, uh, I called it Facebook
book. Right. And that, and that was what I did is I sold a book of faces. Um, is that a legitimate
business? Uh, yeah, I think that is, I think that Facebook shouldn't be allowed to, uh, infringe
upon that. But that being said, if I'm just publishing a book and I'm just some guy in my
house publishing a book, I don't have the resources to fight the millions of dollars or billions of dollars that Facebook
spends on lawyers every year. I'm not going to win that court battle. No, no, no. It's, you know,
I guess it's just a matter of who ultimately has authority in a takedown request like this. And
will Proofpoint be successful in pushing back on it? I think it's
interesting. It's worth watching. Yeah, it is worth watching. Well, this is part of the uniform
domain name dispute resolution process. So there is a process that's defined. So we'll have to see
how this goes. We'll have to follow this one. Yeah. All right. Again, the article's over on
ZDNet. It's titled Proofpoint Sues Facebook to Get Permission to Use Lookalike Domains for Phishing Tests.
Joe Kerrigan, thanks for joining us.
It's my pleasure, Dave.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Everything you want, nothing you don't.
Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup
studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and
technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Kelsey Bond, Tim
Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell. Thanks for listening.
We'll see you back here tomorrow.