The CyberWire Daily Podcast 2.18.21
Ep 1272 | 2.18.21

The WatchDog Monero cryptojacking operation. “A criminal syndicate with a flag.” US Senator asks FBI, EPA for a report on water system cybersecurity. Cybercrooks placed on notice.


Dave Bittner: Watch out for the WatchDog Monero cryptojacking operation. The U.S. Justice Department describes North Korea as a criminal syndicate with a flag. CISA outlines the DPRK malware that figures in the AppleJeus toolkit. The chair of the U.S. Senate Intelligence Committee asks the FBI and EPA for a report on the Oldsmar water system cyber sabotage incident. Egregor takes a hit from French and Ukrainian police. Dinah Davis has advice on getting buy-in from the board. Our guest is Bentsi Ben-Atar from Sepio Systems on hardware attacks. And the Netherlands police advise cybercriminals to just move on.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 18, 2021.

Dave Bittner: Researchers at Palo Alto Networks' Unit 42 yesterday outlined the activities of the large Monero mining operation they've called WatchDog. The criminal operation is notable for its longevity, having begun activity in January 2019. Unit 42 assesses WatchDog's cumulative take at a bit more than 209 Monero, worth roughly $32,000. It's a cryptojacking operation, using some 476 compromised, non-cooperating systems, mostly Windows or Nix cloud instances, to mine the coin. 

Dave Bittner: The researchers say, quote, "It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations. While there is currently no indication of additional cloud compromising activity at present - i.e., the capturing of cloud platform identity and access management credentials, access ID or keys - there could be potential for further cloud account compromise. It's highly likely these actors could find IAM-related information on the cloud systems they've already compromised due to the root and administrative access acquired during the implantation of their cryptojacking software." 

Dave Bittner: WatchDog is a nuisance, but its take amounts to petty larceny when compared to the haul Hidden Cobra, the Lazarus Group, has pulled in for North Korea. The US Justice Department yesterday unsealed the indictment of three North Korean operators belonging to that country's Reconnaissance General Bureau. They're charged with conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from banks and businesses around the world. The Justice Department also said a resident of Ontario, Canada, had been separately indicted for laundering money on behalf of the conspiracy. 

Dave Bittner: This amounts to more than a simple APT side hustle of the kind seen elsewhere, when state operators either enrich themselves a little bit with their left hand, or when governments employ cybercriminals for state purposes and tolerate some theft as a side benefit, or when a government operation pays its own freight by stealing online. In this case, as we saw yesterday, the theft is the point, as important as the espionage. And it's not just a side benefit lining some hacker's pocket, but it's a significant source of revenue for a national treasury that's been impoverished by international sanctions. 

Dave Bittner: US Assistant Attorney General John Demers, who leads the Justice Department's national security division, called Hidden Cobra a criminal syndicate with a flag as he explained the role indictments play in naming, shaming and, one hopes, restraining nation-state threat actors. 

Dave Bittner: CISA, the US Cybersecurity and Infrastructure Security Agency, has issued alerts amplifying its investigation of Hidden Cobra's AppleJeus malware family, outlining the JMT Trading, Celas Trade Pro, Ants2Whale, and Kupay Wallet tools.

Dave Bittner: Congress has taken notice of the Oldsmar cyber sabotage incident. Senator Warner, Democrat of Virginia and chair of the Senate Select Committee on Intelligence, has formally asked the FBI and the Environmental Protection Agency for information on Oldsmar. In a letter addressed to Matt Dorham, FBI assistant director, cyber division, and Radhika Fox, acting assistant administrator, Office of Water at the EPA, Senator Warner pointed out that water is one of the 16 sectors Presidential Policy Directive 21 designated as critical infrastructure and that while Oldsmar is a relatively small town with about 15,000 inhabitants and that while the intrusion into the utilities control system was detected before damage was done, the U.S. might not be so lucky the next time around. The senator asked the bureau and the EPA to coordinate their responses with his office. He gave no deadline for them to do so. 

Dave Bittner: Dutch police are posting notices to hacker forums, appealing to the conscience, caution and criminal self-interest of forum participants who may find themselves tempted to engage in cybercrime. In a message from the Netherlands police that BleepingComputer reports has appeared so far on both the Anglophone RaidForums and the Russophone XSS forum, the police blandly recount the recent takedown of Emotet and then say, quote, "Hosting criminal infrastructure in the Netherlands is a lost cause. Looking for a botnet? Think again. The Netherlands police will continue to focus on abuse of our infrastructure. We aim at botnets and related malware like Ryuk, TrickBot and many more. We feed on underground information sources and the cybersecurity industry. We will leave no stone unturned in finding those committed to cybercrime. You might lose your liberty and not just your bots and business. As you know, the Netherlands police is always the first to see next season's catalogs. International law enforcement continues to work against cybercrime, wherever it's committed. Everyone makes mistakes. We are waiting for yours." 

Dave Bittner: Well, that would scare us straight if we'd been tempted to hire a botnet or cryptojack someone's machine. Good hunting to the Netherlands police, we say. Their note isn't bad at all - clear, direct and calculated to undermine that strange, disinhibited sense of immunity that tends to infect people in cyberspace, from influencers to fans to, well, crooks, creeps and side-hustling spies. The mentions of underground information and next season's catalog are particularly nice touches. 

Dave Bittner: The Netherlands police also close with some news you can use. Quote, "Check where criminals host their infrastructure. Avoid those that use the Netherlands." It's law north of the Waal, hackers, which in cyberspace is even scarier than law west of the Pecos. You've been warned - seriously. 

Dave Bittner: There have been other international law enforcement operations, of course. This week, a joint Franco-Ukrainian action resulted in the arrest of several Ukrainian nationals on charges related to operating the Egregor ransomware-as-a-service operation. The disruption may be temporary, as Dark Reading writes, but for now, at least, Egregor has taken a hit. 

Dave Bittner: And finally, as we speak to our listeners in Texas from our own greater Baltimore ice storm, which isn't nearly as bad as yours, we send warm wishes for safety and comfort to everyone in the Lone Star State who's suffering from the effects of immoderate weather. Stay safe and stay warm. We'd add, look out for your neighbors, but you already knew that. 

Dave Bittner: It's been a month and a half or so since the riot at the U.S. Capitol building in Washington, D.C. Footage from that fateful day included shots of rioters ransacking and rummaging through the offices of representatives. And there were additional reports of computer hardware being stolen. It was a stark reminder that unauthorized physical access to hardware remains a serious risk. For more on this, we checked in with Bentsi Ben-Atar, CMO and co-founder of Sepio Systems. 

Bentsi Ben-Atar: So I think that a lot of the actions being taken by the existing security teams are mostly related to the capabilities of the tools that are being deployed. So I think the main issue is that they currently have very limited visibility to hardware with malicious intent. So obviously, they do have various visibility tools to get a kind of asset inventory to some of their tools - to some of their assets. But when you talk about the rogue aspects of hardware devices, then they lack the capabilities and visibility into those. 

Dave Bittner: Can you give us an idea of the spectrum of types of devices that folks may find hooked up to their network, you know, from the - you know, the noisy ones through the ones that are trying to stay hidden? 

Bentsi Ben-Atar: So the basic categories are - could be divided into two. One would be the network implants or network spoofing devices, and the other would be various, say, USB HID emulating devices. But they are not limited to that because every device can be an impersonating device, whether it's a display or a Sybil device. Or any hardware device of any interface could be that. When talking in specifics about the network options, then we see a lot of man-in-the-middle attack tools that actually operate while exfiltrating the information over a cellular connection because attackers understood quite smartly that some of the enterprises do monitor their Wi-Fi activity. So their exfiltration path would be using a cellular connection, which is much more difficult to intercept and to analyze, especially regulation wise. And those devices that operate on the layer one, on the physical layer, act as a seamless, passive cable so that none of the existing solutions in the upper layer, mainly layer two and above, whether these are NAC solution or IDS solution, cannot detect the existence of these devices because the switch itself, which is their main probing device and source for information, does not see those devices. So there could be - starting from a passive network implant, going through a full-blown man-in-the-middle attack tool that is based on a cellular router. On the USB side, it's a different game because some of the attacks that we've seen are attacks that exploit vulnerabilities within existing USB devices. So it could be a wireless combo keyboard, which is known to be vulnerable, or a certain mass storage device. Or it could be a Rubber Ducky device, which is a device that impersonates as a legitimate keyboard with the same facade of a legitimate keyboard, while in real life, it's actually an attack tool that runs a script that could significantly harm the enterprise's capability of doing business. 

Dave Bittner: That's Bentsi Ben-Atar from Sepio Systems. 

Dave Bittner: And joining me once again is Dinah Davis. She's the VP of R&D for Arctic Wolf. Dinah, it's always great to have you back. I wanted to touch base with you today about interacting with a company's board of directors and kind of making that case to get funding for security. What can you share with us today? 

Dinah Davis: Yeah, it's really important - right? - that the board buys in and actually funds the security program in your company, right? So the first thing you really need to get around is how to get them engaged, right? You can't just, you know, walk into the board one day and say, hey, I need some money. Can you give me some money? 

Dave Bittner: (Laughter) Right. 

Dinah Davis: (Laughter) Because they're going to be like, no. What are you going to do with it (laughter)? 

Dave Bittner: Right. Who are you, and what are you doing here? 

Dinah Davis: Yes, exactly. So a great place to start is with the fact that cyber risk is actually organizational risk, right? What are the risks that your board cares about? So you can highlight that it's not only the company's reputation, but there are massive commercial implications to a breach. In fact, I was reading yesterday that about 40% of the losses, like, the financial loss that companies go through during a breach is because of customer loss because they're not trusted anymore. So that's the first thing. You know, make them understand the importance of the reputational and commercial implications. And also remind them that directors and officers of the company are liable for misrepresenting their security measures, right? So if they fail to disclose things, if they're not doing what they need to do, there could be heavy fines for them. 

Dave Bittner: They've got skin in the game. 

Dinah Davis: They do. They do. And then you got to hit them where it hurts most. 

Dave Bittner: (Laughter). Go on. 

Dinah Davis: Money. Money. 


Dinah Davis: So, you know, what would it cost their organization if ransomware shut them down? So walk them through that. The costs include, like, the cleanup, the loss of customers, like I said, compliance fines, all kinds of things, right? And if you're in health care, it's even worse, right? You've got HIPAA to deal with and all these other things like that. And so you can show them that adding security after will cost you - after development and after something like that will cost you about 100 times more, right? And then, you can show them, you know, some statistics on the likelihood that they will get breached, so - and the average cost. So the average cost of a data breach in 2020 was $3.8 million. So that's kind of crazy. And then on average, it takes about 280 days to spot and contain a breach. So the more stuff you have in place at the beginning, the faster you're going to find that, the more you're going to detect it, the less money you're going to lose. And then, as I mentioned before, the largest factor is the loss of business, which is about 40%, right? 

Dave Bittner: Yeah. 

Dinah Davis: So now that you've, you know, scared the crap out of them... 

Dave Bittner: (Laughter). 

Dinah Davis: ...And showed them all the bad things, now you want to show them what you've done for good. So you want to go in there and say, hey, look, this is what we've put in place already. It's decent. It's not going to cover everything, you know, that we are worried about, but it's covering good. Here's what we need more so that we can do this, this, this and this. And it's going to cost this much. That's what we need your funding for. So you can also remember to keep it simple, practice your pitch and if needed, go get marketing to help you with your slides. Make them look amazing. That's what marketing is for (laughter). 

Dave Bittner: Right. It's interesting to me, like, you know, as you mentioned at the outset, the importance of speaking to them in their own language, of taking the time ahead of time to do your homework so when you walk in there, you're talking to them as - you know, in terms of risk, which is what they... 

Dinah Davis: Yes. 

Dave Bittner: ...That's what resonates with them. 

Dinah Davis: Yes, absolutely, right? And it's money risk. It's reputation risk. It's fines. It's all kinds of different risk for them, right? 

Dave Bittner: And ultimately, I mean, it's up to them to decide how they're going to dial things in, how they're going to - I mean, it can't be total risk elimination, but it's risk management. 

Dinah Davis: Right. Exactly, right? You have to - it's that medium ground, right? Because if you did everything to the nth degree, you might bankrupt (laughter) the company spending all of the money doing that. 

Dave Bittner: Right. 

Dinah Davis: Right? Or making it so hard that your customers can't use your product, right? That's that classic security problem of usability versus security, right? And it's the same when you're looking at a business on how much to put in place to protect yourself and how much you have to just go, OK, let's accept that risk and make sure we have good, you know, response plans if it happens. 

Dave Bittner: Yeah. No, I think it's really important stuff. All right. Good information. Dinah Davis, thanks for joining us. 

Dinah Davis: No problem. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. A palatable confection and a most nourishing food. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.