Presidents Day may be history, but our Presidents Day sale is still a current event, with an opportunity to accelerate your cybersecurity awareness and education. For this week only, our Daily Briefing and Week That Was subscribers can enjoy 40% off on their first year of an annual CyberWire Pro subscription. That includes exclusive content, live event participation, and access to our extraordinary archives, all within one clean platform. This offer expires on February 19th and is for new customers only. Visit the CyberWire Pro page, select Annual Subscription, and enter code YDHVORO22L during checkout.
Do you know if your organization should be worried about advanced persistent threat actors, cyber criminals, or hacktivists? Do you know the different capabilities or attacks each group might use? LookingGlass can help you build customized, evolving threat models to assess cybersecurity threats that your organization could actually face and inform which cyber investments would improve your defenses. Find out how you can build tailored threat models in our white paper.
WatchDog's Monero cryptojacking. Updates on the US indictment of DPRK RGB operators. AppleJeus tools described.
Congress has taken notice of the Oldsmar cybersabotage incident. Senator Warner (Democrat of Virginia, and Chair of the Senate Select Committee on Intelligence) has formally asked the FBI and the Environmental Protection Agency for information on Oldsmar. In a letter addressed to Matt Gorham, FBI Assistant Director, Cyber Division, and Radhika Fox, Acting Assistant Administrator, Office of Water at the EPA, Senator Warner pointed out that water is one of the sixteen sectors Presidential Policy Directive 21 (PPD-21) designated as critical infrastructure, and that, while Oldsmar is a relatively small town and the intrusion into its control systems was detected before damage was done, the US might not be so lucky the next time around. The Senator asked that the Bureau and the EPA coordinate their responses with his office; he gave no deadline for them to do so.
Researchers at Palo Alto Networks' Unit 42 yesterday outlined the activities of the large Monero mining operation they've called "WatchDog." The criminal operation is notable for its longevity, having begun activity in January 2019. Unit 42 assesses WatchDog's cumulative take at a bit more than 209 Monero (XMR), worth roughly $32,056. It's a cryptojacking operation, using some 476 compromised systems (mostly Windows or *NIX cloud instances) whose owners have no idea they're mining coin for someone else.
WatchDog is a nuisance, but its take amounts to petty larceny when compared to the haul Hidden Cobra (the Lazarus Group) has pulled in for North Korea. The US Justice Department yesterday unsealed the indictment of three North Korean operators belonging to that country's Reconnaissance General Bureau. They're charged with “conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses around the world.” The Justice Department also said a resident of Mississauga, Ontario, had been separately indicted for laundering money on behalf of the conspiracy.
This amounts to more than a simple APT side hustle: the theft (done to enrich an impoverished national treasury) was as important as the espionage. US Assistant Attorney General Demers of the Justice Department's National Security Division called Hidden Cobra "a criminal syndicate with a flag" as he explained the role indictments play in naming, shaming, and (one hopes) restraining nation-state threat actors.
Today's issue includes events affecting Australia, Bangladesh, Canada, China, France, Indonesia, Jamaica, Malta, Mexico, the Netherlands, Pakistan, Russia, Slovenia, Taiwan, Ukraine, the United States, and Vietnam.
Join Rick at the CSO Perspectives Hash Table as he and our table of experts discuss Identity Management, its role as a first principle idea, and what they worry about as authentication becomes an increasingly complex issue. To learn more about Pro and listen to all CSO Perspectives episodes, visit our CyberWire Pro page and click on the Contact Us button.