The CyberWire Daily Podcast 8.17.20
Ep 1153 | 8.17.20

North Korea harasses defectors. Researchers exploited Emotet bug for six months. RedCurl APT conducts corporate espionage.

Transcript

Dave Bittner: Hey, everybody. Dave here. Before we start today's show, I want to make an introduction to all of you. Elliott Peltzman joined our team earlier this year. He heads up our audio editing. And when we hired Elliott, it was for two main things - first of all, to take some of the editing load off of me but also to improve the audio quality of all of our shows, something that he has done with great measure. Elliott, welcome to the show.

Elliott Peltzman: Oh, thanks, Dave. It's good to be on the side of the microphone. 

Dave Bittner: (Laughter) That's right. Now, some of you out there who are music lovers may recognize Elliott's name because he is a former member of The Stone Foxes, a well-known rock band. He is a composer, a keyboardist, a vocalist and has traveled the world with The Stone Foxes. So quite an exciting element of your career there, Elliott, right? 

Elliott Peltzman: Yeah, absolutely, and now just full-blown podcast nerd. 

Dave Bittner: (Laughter) Well, welcome to the club. 

Elliott Peltzman: Yeah, yeah. 

Dave Bittner: Now, one of the things that really excited us about having Elliott join our team is the possibility of having new music composed for some of our shows. And I am excited to say that that is what we are premiering today. We have a new theme song for the CyberWire Daily Podcast. Now, Elliott, can you take us through - what was your process for that? - creating something new, replacing something that a lot of people out there probably have a high level of comfort with. 

Elliott Peltzman: Yeah. I mean, first and foremost, I like it as well. You know, it's something that is very comforting, like you said, and is very recognizable, you know? We're going on, I think, almost four years of people listening to this theme. And there's a lot that I like about it, so I really wanted to preserve those elements. I guess those would be kind of a feeling of uplifting, you know? It's - the original is a big rock band, you know, really rocking out and having a good time. And I didn't want to take that away from it, you know? I didn't want to jump into something, you know, spooky and minor or anything like that. 

Dave Bittner: Right. Right. 

Elliott Peltzman: So I think - yeah. I think listeners will definitely still be able to enjoy that same feeling, being able to, you know, turn on the show that they have come to love and appreciate and still feel at home. 

Dave Bittner: Now, Elliott, as you and I well know, there is nothing in this world that people like more than change. And so I think we're all bracing ourselves to the reality that I'm sure many people are going to be onboard and love the new theme music, there's no question that a handful of people out there are going to take issue with it. And I guess that's just part of the gig, right? 

Elliott Peltzman: It is part of the gig, but I'm really happy with what we've got. You know, obviously, the whole team has heard it. My parents have heard it. They approve (laughter). So... 

Dave Bittner: (Laughter). Right, right. Yeah. It's been a really... 

Elliott Peltzman: Yeah, and this has gone past, you know, a lot of my colleagues. And it's - I don't know. I like it, and I really hope everybody else does, too. And yeah, I would say just remember to keep a little bit of an open mind but also that it was designed with the original show in mind. So it's not... 

Dave Bittner: Yeah. 

Elliott Peltzman: ...Going to be, you know, jump out of the gate with some heavy metal guitars or anything. It's - (laughter) I think it's right in our wheelhouse. 

Dave Bittner: Right, right. Well, let's get right into it. Without further delay - thanks to our in-house composer extraordinaire Elliott Peltzman - our new theme song. Here it is. 

Dave Bittner: North Korea harasses defectors. Researchers have been exploiting a bug in Emotet to inoculate systems against the malware for the past six months. CISA warns of Konni spearphishing. RedCurl APT conducts corporate espionage. The U.S. announces more restrictions on Huawei's access to U.S.-made chips. Chris Novak from Verizon on the evolving role of cyber insurance. Rick Howard on data loss prevention. And Australian schools are without email after an unpleasant experience with reply all. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 17, 2020. 

Dave Bittner: The Wall Street Journal reports that North Korea is engaging in a campaign of online harassment against former DPRK subjects who've defected to South Korea. The channels used to menace defectors include emails, texts, social media and voice calls. One defector told The Journal that he's been receiving spear-phishing emails since May, and another continued to receive intimidating phone calls even after switching phone numbers. 

Dave Bittner: ZDNet reports that researchers at Binary Defense discovered a bug in Emotet back in February that enabled them to develop what they describe as a combination of a kill switch and a vaccine for the Trojan. The flaw was introduced by Emotet's developers on February 6, and it involved the way the malware uses a Windows registry key for persistence, as well as for various code checks during its execution. This key was predictable since it was based on each device's volume serial number. Binary Defense researchers wrote a PowerShell script dubbed EmoCrash that generated a malformed version of this registry key and triggered a buffer overflow vulnerability during Emotet’s installation, which would crash the malware before it finished installing. The crash also generated two easily detectable event logs, enabling defenders to identify systems where Emotet was incapacitated. 

Dave Bittner: Binary Defense worked with security research nonprofit Team Cymru to distribute the tool to national computer emergency response teams around the world. Everyone with knowledge of EmoCrash kept its existence secret to prevent the Emotet crew from finding out about it. Emotet's developers patched the flaw on August 6, which is why Binary Defense is revealing the operation now. It's not clear if the developers found the flaw or fixed it by accident, but they were most likely aware that there was a bug somewhere in the code. The researchers don't know how many organizations deployed their tools since they intentionally didn't collect telemetry, but they believe EmoCrash made a significant dent in Emotet's operations over the past six months. 

Dave Bittner: The U.S. Cybersecurity and Infrastructure Security Agency warns of widespread use of malicious Microsoft Word documents carrying the KONNI remote access Trojan as a payload. The documents contain VBA macros that can change the font color from light grey to black in order to trick users into enabling content, while using the command line to download KONNI in the background. KONNI has all the expected functionalities of a capable RAT. The malware has, in the past, been linked to North Korean cyber operators, although CISA doesn't attribute this campaign to any specific actor. 

Dave Bittner: Group-IB describes a previously undisclosed Russophone APT dubbed RedCurl, which has been conducting corporate espionage since at least 2018. The security firm has observed 26 attacks against 14 victim organizations distributed across Russia, Ukraine, Canada, Germany, the United Kingdom and Norway. The group sends well-crafted spearphishing emails, often posing as real HR employees and targeting specific departments within the companies. The emails contain links to download the group's custom Trojan, which is hosted on legitimate cloud infrastructure. The malware also uses legitimate cloud services to convey communication to the attackers' command-and-control server. Group-IB thinks RedCurl is a hired gun, possibly working to collect business intelligence on behalf of victims' competitors. The researchers say, quote, "in all campaigns, RedCurl's main goal was to steal confidential corporate documents, such as contracts, financial documents, employee personal records, and records of legal actions and facility construction," end quote. 

Dave Bittner: Threatpost warns that a proof-of-concept exploit for two known bugs in Apache Struts 2 was published to GitHub on Friday. One of the vulnerabilities can lead to remote code execution, and users of Struts 2 are urged to update to the latest version. 

Dave Bittner: A U.S. executive order issued Friday takes note of ByteDance's acquisition of Musical.ly, and the integration of that acquisition into TikTok. The order served notice that ByteDance had 90 days to divest itself of TikTok and to delete any data it had collected from U.S.-based users of TikTok and Musical.ly. 

Dave Bittner: The U.S. Commerce Department, this morning, announced more restrictions on Huawei's access to U.S.-made semiconductors. A new amendment to the foreign-produced direct product rule applies the restrictions to any transactions, quote, "where U.S. software or technology is the basis for a foreign-produced item that will be incorporated into or will be used in the production or development of any part, component or equipment produced, purchased or ordered by any Huawei entity on the Entity List, or, two, when any Huawei entity on the Entity List is a party to such a transaction, such as purchaser, intermediate consignee, ultimate consignee or end user," end quote. 

Dave Bittner: The amendment also adds 38 additional Huawei affiliates from 21 countries to the Entity List. The U.S. State Department said in a press release that the amendment will prevent Huawei from circumventing U.S. law through alternative chip production and provision of off-the-shelf chips produced with tools acquired from the United States. This measure follows the more limited expansion of the foreign direct product rule in May, which Huawei has continuously tried to evade. 

Dave Bittner: And finally, the Register reports that 94 public schools in Australia's Capital Territory will be operating without email for the rest of the week after some naughty students abused a global distribution list to send smut and other unwanted content to all of their peers. Many recipients of the emails used reply all to complain about the issue, which further clogged up the system. The local Education Directorate has blocked access to Gmail, Google Drive and Google Classroom while they clean up the mess. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief analyst, also our chief security officer, and he is the host of the "CSO Perspectives" podcast. Rick, it's always great to have you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So this week on "CSO Perspectives," you're covering data loss protection. Let's dig in here. First of all, definitions. What does that mean? 

Rick Howard: Well, that's a good question, right? It is not a universal answer. I don't think there's one clear answer of what everybody thinks, OK? And also, it's not clear what we should be doing, OK? I say that because it always comes down to this idea of a risk equation. And what I mean by that is we have tools and processes, you know, that can help us reduce the impact to our organization if a hacker steals or corrupts our data somehow, you know? These things have been around forever, like creating backups in multiple locations, destroying unused data, labeling data that might be material so at least we know what it is and then encrypting it at rest and in transit and wherever the backups reside, right? But we still have to be aware of the business requirements. 

Rick Howard: You know, the risk of some of the data that flows through our networks getting out or getting destroyed has to be weighed against what the business leaders need to run the business, you know? They might even understand the risk but decide anyway that the more important task is to keep the business running at high velocity without any friction that I might inject because I need my DLP program to function, you know? 

Rick Howard: So I was talking to Tom Quinn about this yesterday. He is the CISO at T. Rowe Price. He's been there just over four years. And he's also one of our subject matter experts that comes to the Hash Table to discuss these kinds of issues. Here's what he said. 

Tom Quinn: You really need to understand what the business expects from its data, right? It may be more important to have the data be high velocity and moving where it needs to without a lot of restriction even though it is sensitive. You know, data wants to be free. And the faster the velocity of data, the better - you know, often, it's the better outcome because you want to get the right data at the right time to the right people. So velocity really does matter. But eventually - right? - data needs to be opened, right? Data needs to be available to people that do the work that they can. 

Dave Bittner: Interesting stuff, Rick. What do you make of that? 

Rick Howard: Well, I think the bottom line here is that, first, not all data is important or at least as important as all the CISOs think it is, right? And even protecting the data that is may not overrule the business requirements to deliver it at high velocity. 

Dave Bittner: You know, it makes me think back, you know, to my days in creative fields where there'd be this chart that's very popular. People would say, you know, good, fast, cheap. Pick any two... 

Rick Howard: (Laughter). 

Dave Bittner: ...Right? 

Rick Howard: It's exactly right, yeah. 

Dave Bittner: And I wonder, is there a version of that for what we're talking about here, you know? Could it be, you know, safe, fast, cheap - pick any two? I don't know if that works or not, but it's something to think about, maybe. 

Rick Howard: It's going to be my new model going forward, right? 

Dave Bittner: (Laughter). 

Rick Howard: I do think that, you know, as a CSO, I have to make the case to the business leader that this is something we need to do something about, this particular situation. And either I make the case to the business leader and we all decide that something has to be done, or I don't, and that's OK because he's the one running the business, and he has to make that call. And I'm OK with that. 

Dave Bittner: Yeah, that's interesting. I mean, how much of - I don't know - you know, covering your tail happens with these sorts of things, too, where as a - the practical reality of the person who's the CSO being able to say, I told you guys? You didn't listen, right? I told you. (Laughter). 

Rick Howard: (Laughter). I'm not going to admit here in public that I've used that in my own mind or anything. I told you about the risk, OK? 

Dave Bittner: Right. 

Rick Howard: And you guys decided not to do it, right? So... 

Dave Bittner: Yeah, yeah. All right, well, it's "CSO Perspectives." It's part of CyberWire Pro. Do check it out. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And I'm pleased to be joined once again by Chris Novak. He is the director of the Verizon Threat Research Advisory Center. Chris, it's great to have you back. I wanted to touch today on cyber insurance and particularly how people are coming to rely on it in responding to data breaches and some of the things that you and your team are tracking when it comes to that area. 

Chris Novak: Absolutely. Yeah, pleasure to be with you. Yeah, cyber insurance is kind of a funny topic that started to really peak. In fact, we're seeing more and more organizations leaning heavily on their cyber insurance when they have an incident. And I think one of the key things that really stands out - in fact, we get this question a lot - is, well, do I need incident response if I have cyber insurance? And the way I really approach it is, in fact, that a lot of times when I talk about cybersecurity, I draw analogies to health care. And I say it's much like health care. You may have a medical insurance company, but you do not go to the insurance company to have a surgery done. They may tell you who's approved under that health care plan. They may tell you what your coverage limits are. And you would then typically go to your doctor or your surgeon to actually have whatever the procedure is taken care of. 

Chris Novak: And you know, sometimes there's some confusion in the industry around that - that, well, I've got insurance. I don't need to plan or prepare, or I don't need playbooks or policies. I'll just rely on my insurance to make everything right. And obviously, that can sometimes trip people up when they actually have an incident and find out, oh, my insurance company isn't actually the one doing the investigation or the incident response. I now need to, quote, "find that doctor." 

Dave Bittner: And how much back and forth is there between, say, the incident response team and the insurance company, you know, of - OK, here's what we think. Here's what we think this is going to cost. You know, is that a collaborative process when these things kick into gear? 

Chris Novak: Yeah, it typically is. In fact, generally speaking, when an incident response would kick off, you know, it's not uncommon for our incident responders to actually outright ask the customer, hey, do you have cyber insurance? If you do, you should probably give them a call. Just make them aware of the fact that you have an issue that you might be making a claim on because, generally speaking, they want to be involved, just like your health insurance typically wants to understand what you're doing from a health care perspective so they can understand how to, you know, handle the claims and all that kind of stuff. 

Chris Novak: And typically, you know, most of the incident responders out there - you know, for example, we work with dozens of cyber insurance companies around the world. We're pre-vetted, so we know what the process typically looks like and help kind of guide customers through it. But at the same time, their insurance company may have input that they want to impart as things go along in terms of understanding the size, the scope. And ultimately, obviously, like anything, they'd like to understand, you know, the root cause as well to determine whether or not certain things may or may not be covered. 

Dave Bittner: You know, to that point, do you have any tips for folks who are out there shopping around for cyber insurance, any questions they should be sure to ask their insurance agents to make sure that what they think they're getting is what they're actually getting? 

Chris Novak: Yeah, that's a great point. And one of the things that I always recommend organizations do is, you know, just like, you know, with health care insurance, you want to make sure that your health care insurance gives you the coverage that you want and feel that you need. So obviously, you want to kick the tires on the coverage limits, understand any potential exclusions. And then, also, if you're an organization that may have a global footprint, you want to understand whether or not it's going to cover you in all the places that you may actually have, you know, people, data and facilities. And then, also, you want to make sure - just like in health care, if you have a doctor or a facility that you want to be able to use, you want to make sure that they're, quote, "in network," if you will. You want to make sure that you don't run into a situation where you have a health scare or you have a cyber incident that pops up, only to find out that the incident responder you were planning to use isn't one that's working with your insurance company. 

Chris Novak: So you always want to kind of bring those together. In fact, a lot of times, what we'll even do is work collaboratively with a client and their insurance and say, hey, maybe we'll do a tabletop exercise or something like that together so that all the parties can kind of get a feel for what it looks like in the event of an actual live incident how we would all actually work together and make that process as smooth as possible. 

Dave Bittner: Yeah, 'cause the last thing anybody wants is surprises when you're in the midst of an incident. 

Chris Novak: Exactly. 

Dave Bittner: Yeah. All right. Well, Chris Novak, thanks for joining us. 

Chris Novak: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.