Cybercrime pays, criminal tools are commodities, and some cyber gangs get sophisticated. The skid market for booters. Pyongyang unleashes the BeagleBoyz.
Dave Bittner: Attention to detail and good graphic design make commodity attacks pay. Several Magecart campaigns turn out to be the work of one gang; the unfortunate persistence of DDoS-for-hire services; ransomware's growing sophistication as a class of criminal enterprise; Andrea Little Limbago from Interos on supply chain attacks and risks. Our guest is Mark Testoni from SAP's NS2 on how COVID-19 has shaped classified work. And hey, kids, the BeagleBoyz are on a crime spree.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 27, 2020.
Dave Bittner: Group-IB says it's been able to link three Magecart JavaScript-sniffer campaigns to a single group, which they call UltraRank. UltraRank compromised over 700 sites over five years, selling its take in the ValidCC card shop, a well-known criminal market.
Dave Bittner: Group-IB threat intelligence analyst Victor Okorokov said, quote, "The cybercriminal market is offering better quality of service, fine-tuning and simplifying the instruments for solving specific tasks. In the coming years, we will definitely see the growth in the use of this malicious instrument since many online shops and service providers still neglect their cybersecurity, using outdated CMSs that have vulnerabilities," end quote.
Dave Bittner: We've heard, over the past week, about cyber mercenaries, hackers-for-hire. These groups or individuals have apparently been hired to collect commercial information on businesses, with law firms and financial services outfits commonly targeted. There are other kinds of illicit services on offer, too, like booters or distributed denial-of-service attacks delivered to paying customers. Security company Radware this morning published a look at the last two years of action in the booter criminal market, and their conclusions aren't particularly happy ones. Over that period, law enforcement agencies and companies have worked to take down DDoS-for-hire operations, and they've succeeded in doing so and in making a number of arrests.
Dave Bittner: But unfortunately, these make only a momentary dent in the DDoS-for-hire market, and the trend has been consistently upward. Radware points out that people offering booters used to advertise their services by stunt hacking, taking down a site or service to do some arch chest-thumping and Bob's your uncle. Well, that's no longer the case. And it's not so much that booter services have grown more professional but rather that they've sunk to their own level. For one thing, they now infest the gaming subculture the way half-witted trades in skins and loot boxes do. For another, DDoS code and the IoT botnets are now thoroughly commodified - cheap, available and with their use adapted to the meanest understanding.
Dave Bittner: There's more. Search engines commonly turn up results for booter services. And they also occupy what many perceive - or actually misperceive - as a legal grey area. After all, who's to say that you wouldn't want to use a stressor to test your own resilience? Could happen, right? This, of course, is playground lawyering on the level of the widespread opinion that if you took your boat beyond the 12-mile limit, anything would be legal. And anyway, if it popped up in your Google results, how illegal could it be? Right?
Dave Bittner: Britain's NCSC has tried to educate people to the fact that using a booter, even, say, against your rivals in Fortnite or Grand Theft Auto is against the law. But while Radware applauds the NCSC's intentions, there's little sign that denizens of parental basements are really paying attention.
Dave Bittner: It's worth mentioning that it's not just the gaming world that's afflicted by DDoS. Computing reports that New Zealand's NZX stock exchange continues to deal with disruption inflicted from overseas booters. Attacks yesterday made the third day in a row that the exchange had to shut down services.
Dave Bittner: So the booters-for-hires are the criminal equivalents of delinquents hanging out on street corners, sniping butts and throwing rocks at cars. But ransomware operators, they're more like the mob. WIRED takes a look at the DarkSide ransomware and its operators, whom it sees as corporate and cruel, a distillation of underworld trends toward careful target selection, careful calibration of demands to offer painful but tempting options to pay and with ruthless reprisal against victims who refuse them.
Dave Bittner: And hey, kids - I mean, kids of a certain age, I guess ex-kids, if you will - remember the Beagle Boys? They were a crew of hoodlums, gonifs and no-goodniks who served as villains in the Mickey Mouse comic books, those old Gold Key editions. And you remember those. Anywho, the Beagle Boys are back - at least in homophonic form.
Dave Bittner: CISA, NSA and the FBI have issued a joint warning against a North Korean hacking group they're calling the BeagleBoyz - that's boyz with a Z - which we're morally certain is an homage to the old Disney villains. The BeagleBoyz, the agencies assess, are a subgroup of Pyongyang's Hidden Cobra threat group, which itself overlaps to a large extent the bad actors industry tends to call the Lazarus Group. The BeagleBoyz, like their Disney originals, are bank robbers. But they're not a freelancing criminal gang. No, they steal on behalf of the Great Successor, the Dear Respected Marshal Kim Jong Un his very own self. Unlike their Disney originals, however, they don't drill, blast or safecrack their way into vaults, but they loot the banks through hacking.
Dave Bittner: They're responsible for the FASTCash ATM looting campaign and other assaults on bank payment systems. Their principal motive is financial gain for a regime that's been unable to deliver economically and that labors under the international sanctions and odium appropriate to a rogue state.
Dave Bittner: But CISA, NSA and the Bureau point out that the BeagleBoyz pose risks that go beyond obvious financial loss. There's also reputational damage, the opportunity costs of increased security and, above all, erosion of the confidence on which the international financial system depends. So far, the BeagleBoyz have been fairly successful, but we hope they turn out to be as dim-witted and prone to failure as their Disney originals. But so far, at least, FASTCash doesn't look like a Mickey Mouse operation.
Dave Bittner: Those of us who are a certain age grew up laughing at the bumbling antics of a certain Agent 86, Maxwell Smart on the TV show "Get Smart."
(SOUNDBITE OF IRVING SZATHMARY'S "GET SMART THEME")
Dave Bittner: Pretty sure by the time I was watching it, it was in reruns. Maxwell Smart was a secret agent for the fictional intelligence agency Control, and a running gag on the show came up whenever classified information was under discussion.
(SOUNDBITE OF TV SHOW, "GET SMART")
Edward Platt: (As Chief) Now, here is my plan. And I'm glad we're not in my office, or you would insist on our using the cone of silence.
Don Adams: (As Maxwell Smart) Oh, I've already taken measures for that, Chief. I've brought along the portable cone of silence. It was in my car.
Edward Platt: (As Chief) Max, we don't need that. Besides, it doesn't work.
Don Adams: (As Maxwell Smart) Look, Chief - according to the handbook, you've got to take some security measures if you're going to talk about a plan away from Control headquarters.
Edward Platt: (As Chief) All right, Max.
Dave Bittner: Funny stuff for sure - but of course in the real world, secure communications are no laughing matter, a fact that's been brought into focus as the global pandemic has made it more difficult for people who need to discuss classified information to get together face-to-face in secure facilities.
Dave Bittner: Mark Testoni is CEO of SAP's NS2 national security arm, and he shares how COVID-19 has reshaped classified work.
Mark Testoni: Obviously, like everyone else, people that are employed in the intelligence community and parts of Defense have been deployed to home. And because of the nature of the current classification of some of the work, it's presented challenges for them to work and not only them but even the supporting contractors. We've had - we have a number of people who operate either in government facilities or in SCIFs that we own. And it's because of - because of the pandemic, it's changed the whole dynamic. So much like an office in many office buildings across business where people are - very small numbers are going to work, the same thing has happened in some of these other areas. So it's required some adjustments. And we're still working through some of that.
Dave Bittner: In the work that you are doing with folks inside the intelligence community, are you finding that they're open to these sorts of evolutions? Are these conversations that you see happening?
Mark Testoni: We are starting to have them. And we've had a couple of cases where we've actually been able to work, you know, in a very small practical (ph) way to move some work into the unclass environment, some pieces of it. So you know, I'm actually comforted by the fact that we're seeing that. And hopefully, when we get through this pandemic - although given what we're witnessing right now, I'm not sure it may be as fast as some people have thought - that we don't just kind of fall back into our own operational (unintelligible) - because beyond the pandemic and kind of the productivity issues, there are really longer-term issues, as I said earlier, with recruiting, with leveraging commercial technology - and that's the business that we're in - that could very much more be enabled if we had a much more collaborative, open environment to do a lot of this versus everything being - or many things being done behind walls.
Dave Bittner: Yeah.
Mark Testoni: So I mean, there's also second- and third-order factors. You and I have heard for years about the backlog of clearances and reinvestigations. And there's some work going on there. But we have over 4 million clearances in this country, which is a shocking number to me. And if that's more than 1% of the U.S. population, that's a rather large number. Do we really need all that? Do all these, you know - do all these organizations need these? And how do we drive change? To me, that's really what's going to be critical.
Mark Testoni: Things like security clearances and SCIFs are what I would consider to be basically symptoms of the larger challenge, which is, what do we really need to hide behind walls today and secure? What is really important? If we go back to sources and methods and HUMINT and those things that are really - or some of the technical things that are really, really important, let's get those and secure the living dickens out of those. Let's look at some of these other business operations and even the approaches that we use to solve some of the mission (ph) operations. And can we do some of the work - 70, 80% of the work outside? If we can do that, we're going to provide better capabilities to the intelligence community. They're going to get them faster. And we won't - when we have work disruptions like this, we won't be suffering.
Dave Bittner: That's Mark Testoni from SAP's NS2 national security arm.
Dave Bittner: And joining me once again is Andrea Little Limbago. She is the vice president of research and analysis at Interos. Andrea, it's always great to have you back. I want to touch today on supply chain risks, some of the things that you've been tracking when it comes to that. What sort of things are on your radar these days?
Andrea Little Limbago: Yeah. So there are a couple of different areas when it comes to supply chains, and, you know, again, supply chains is one of those areas that, you know, for so long, no one really cared that much about. And now it's, you know, front-page headlines and - whether it's from the food supply chain to more of the manufacturing side. You know, the digital supply chain is something that also is starting to garner a lot of attention. And so that's really the area I'm looking at is sort of - is that intersection of both the physical supply chain and the digital supply chain since, you know, they're just so interwoven right now. And when we think about the supply chains, you know, we think more so about the lack of toilet paper or flour in our food markets. But we don't...
Dave Bittner: Right.
Andrea Little Limbago: ...Necessarily - and rightly so, by the way, right now. I mean, that's obviously what hits us, you know, on a daily basis.
Andrea Little Limbago: But you know, the broader issues that have manifested in light of COVID and even well before that, as well - or just that notion of third-party risk and extending that risk modeling into the supply chains as well. If you think about, like, financial institutions, their supply chains are more so on the digital supply chain aspect of it. And so we're seeing that, you know, the digital supply chain intersection with physical supply chains and really looking at, you know, what the range of vulnerabilities are and how to think about risk in that regard.
Andrea Little Limbago: And, you know, I think, you know, in our industry, for a while, we've talked about the perimeter being gone. And we've understood what that meant and, you know, a lot of it, especially now with the distributed workforce and cloud-based systems - you know, that's where most of that discussion goes. But when you think about expanding the perimeter - and it's also really important to think about, you know, who your partners are and who you're collaborating with and not just your, you know, immediate suppliers and those companies but - who are their suppliers and who are their suppliers' suppliers? And that's where I think a lot of - you know, that's where I'm keeping an eye on and doing - you know, a lot of my research is really looking at that extended supply chain and how to mitigate those risks that may come along with it.
Andrea Little Limbago: The example that I think is unfortunately always given, you know, I think unfairly to Target, but, you know, it's Target and the HVAC system - right? - as far as that kind of attack. Now, they're by no means alone or an anomaly. They're just the ones that, you know, happen to be a well-known brand, and so that's the example that always gets used. But supply chain attacks continue to be on the rise. And so - and the reason for that is because you have these companies that do have the resources - you know, spend the resources. They've created very robust security systems. So that makes it, you know - if you're an attacker, you're not going to be going there. You're going to be going to the easier route, which might be either, you know, small company that's not even their initial supplier but the small company that's supplying a supplier but then, you know, feeds into the larger company. And that might be the easiest pathway to go - and especially during these times now, where - with a distributed workforce and not all companies, you know - companies lessening up on some of the security standards. You know, those might be the ways to get in. And so that's why we're continuing to see a rise of supply chain attacks.
Andrea Little Limbago: And so you know, that's one big area of it. And the other one, it gets into sort of the software and hardware that's used by the companies. And where those come from would be another area - and thinking about, you know, ensuring trusted applications and technologies are within your system.
Dave Bittner: Yeah. You know, and, as you and I have talked about, the touchy situation that some companies find themselves in particularly with China. And I can't help thinking about Apple, who, unlike some other companies who are mostly running in the software world, it strikes me that Apple has this situation where so much of their business is dependent on hardware that is manufactured in China. And surely, obviously, that affects their relationship, the types of ways that they feel as though they can push back.
Andrea Little Limbago: You know, we hear a lot about, on the physical side, the reshoring or onshoring. Again, this is especially over the last few months, given the supply chain disruptions that we've seen. And so I think that's one of those things that we're - that's going to continue to be a boardroom discussion that, you know, sort of in the past it was, no, it doesn't make sense financially. But as geopolitical tensions continue to rise and as, you know, other countries start to step up and provide some of those same environments for reshoring and as governments begin to incentivize that movement - you know, I think Japan is a really good example.
Andrea Little Limbago: Japan has invested billions of dollars to reshore companies from China back to Japan or to another - with a, you know, trusted country. So governments are stepping in to help switch that incentive and risk calculus before the companies themselves. And even, you know - and Apple has been moving away some aspects from China. They've been moving largely to Vietnam. But in many cases, they're still working with Chinese companies just in Vietnam, so it's not necessarily avoiding the exact same problem.
Dave Bittner: Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
Andrea Little Limbago: Great. Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it's kid-tested and mother-approved. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.