The CyberWire Daily Podcast 6.11.21
Ep 1352 | 6.11.21

Diplomatic Backdoor targets charities, embassies, and telcos in Europe, Africa, and Southwest Asia. Fancy Lazarus and DDoS extortion. Slilpp credential market takedown. A data gap? Cyber regulation.


Dave Bittner: Diplomatic Backdoor afflicts Africa, Europe and Southwest Asia. Electronic Arts' source code has been stolen. Fancy Lazarus is back. Despite the name, it's an extortion gang, not an espionage service. An international law enforcement action takes down a credential market. Making good data available for AI research. There's a growing appetite for cyber regulation in Washington. Thomas Etheridge from Crowdstrike looks at protecting cloud data. And Matt Chiodi of Palo Alto Networks' Unit 42 has highlights from their cloud threat report. And hold that side order of fries - a McBreach is disclosed.

Dave Bittner: From the CyberWire studios a DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 11, 2021. 

Dave Bittner: Researchers at ESET, the Bratislava-based security company, have issued a report on a cyberespionage operation targeting charitable groups, diplomatic organizations, telcos and others in Africa, Europe and the Middle East. The threat actor is being called Backdoor Diplomacy for its use of the Turian backdoor and its preference for diplomatic targets. Turian appears to be a derivative of the Quarian backdoor seen in earlier operations against targets in Asia. Backdoor Diplomacy is a cross-platform threat, afflicting both Windows and Linux systems. 

Dave Bittner: Electronic Arts, the popular game and esports company, disclosed yesterday that it had been breached. CNN reports that on June 6, cybercriminals claimed to have taken 780 gigabytes of data from EA and that their haul included Frostbite source code. Frostbite is the game engine behind the widely played FIFA, Madden and Battlefield franchises, as well as other less well-known titles. EA is confident that no player data was accessed and that the incident doesn't represent a threat to user privacy. 

Dave Bittner: The incident seems to be an IP hack and not an attempt to steal personal data. The criminals' motivation appears to be the sale of the code in various hacker markets. In posts on underground forums, the hackers hawked their stolen code with a big dose of marketing bravado. Quote, "You have full capability of exploiting on all EA services," Motherboard quotes them as writing. They posted screenshots to provide some evidence that they have what they claim to have. But they're releasing the source code only to paying customers. Don't bother contacting them unless you are actually interested in buying. Only serious and rep members, all other would be ignored, they wrote. So if you would be interested in buying - not, of course, that you would be, but if you were - remember to be serious and rep. But hey, that's good advice any time, right? 

Dave Bittner: Security firm Proofpoint yesterday released a study of a criminal group that styles itself a Fancy Lazarus and that specializes in extortion by distributed denial of service. One might think Fancy Lazarus was either a Russian or a North Korean operator, but it's not. Its chosen name is an apparent homage to Fancy Bear and the Lazarus Group. But Proofpoint discerns no connection whatsoever to either group. Instead, Fancy Lazarus seems to be an ordinary criminal operation. In the past, it's borrowed the popular names of well-known state-run actors, including Fancy Bear, Lazarus, Lazarus Group and Armada Collective. But that's all apparently either misdirection or, more probably, an attempt to look more menacing than, in fact, they are. 

Dave Bittner: Fancy Lazarus, Proofpoint says, is taking aim at an increasing number of industries, including the energy, financial, insurance, manufacturing, public utilities and retail sectors. They threaten a crippling DDoS attack, but as often as not, if they're ignored, they're simply not heard from again. Some victims report demonstration DDoS attacks, and a few of them say they've experienced some degree of disruption. But in general, Fancy Lazarus seems to be more talk than action. 

Dave Bittner: The U.S. Justice Department announced yesterday afternoon that an international law enforcement operation had taken down Slilpp - that's S-L-I-L-P-P - an underground marketplace where stolen login credentials were sold. The joint action by police in Germany, the Netherlands, Romania and the United States seized the servers that Slilpp used and the domains those servers hosted. 

Dave Bittner: Justice explained in the seizure warrant under which it acted, since 2012, the Slilpp marketplace has been selling stolen log-on credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts and other online accounts. Its customers used the credentials they stole to conduct unauthorized transactions, such as wire transfers, from the related accounts. The U.S. alone has arrested more than a dozen people connected to Slilpp. 

Dave Bittner: A good set of training data are to the AI race what LOX and kerosene were to the early space race. Artificial intelligence needs data to train on, and the sources of such data must be reliable and as reasonably free of bias as any human product can be. The Wall Street Journal reports that the U.S. government is considering ways of making suitably sanitized data available to AI researchers. 

Dave Bittner: The National Artificial Intelligence Research Task Force, a 12-member body operating under the White House Office of Science and Technology, is working toward a strategy for doing just that. Much of the motivation for the program is economic. The U.S. seems to be anticipating a Sputnik moment in AI, with China taking the role of Russia as principal strategic competitor. 

Dave Bittner: The Voice of America says that Chris Inglis and Jen Easterly, nominated respectively for the posts of U.S. national cyber director and director of the U.S. Cybersecurity and Infrastructure Security Agency, both said yesterday during confirmation hearings before the U.S. Senate Homeland Security and Government Affairs Committee that they favored a more active role for government in private sector cybersecurity. Neither markets nor voluntary standards nor enlightened self-interest strike the nominees as sufficient, and they both favor more regulation. 

Dave Bittner: They're likely to find sympathetic ears on Capitol Hill, where, Reuters reports, the U.S. Senate is considering whether legislation is necessary to address the risk of cyberattacks and particularly the ransomware threat. 

Dave Bittner: One sign of that sympathy is a letter the chair and ranking member of the Senate Homeland Security and Governmental Affairs Committee sent yesterday to the acting director of the Office of Management and Budget and the assistant to the president for National Security Affairs. 

Dave Bittner: The letter opens, quote, "we write you today with serious concern about the state of our nation's cybersecurity and the threat of ransomware attacks directed at our critical infrastructure," end quote, and goes on to say they want information that can inform anti-ransomware legislation they're in the process of drafting. 

Dave Bittner: They have three specific information requirements that suggest the lines along which they're thinking - first, "information on strategies that relevant federal agencies are developing and implementing to combat ransomware attacks"; second, "any new authorities or revisions to existing authorities that would further empower relevant federal agencies to combat ransomware attacks and respond when they do occur"; and third, "suggestions for Congress to consider as we develop legislation and oversight plans to combat ransomware attacks," end quote. 

Dave Bittner: And finally, The Wall Street Journal reports that McDonald's operations in South Korea and Taiwan have sustained a data breach. The hackers stole customer emails, phone numbers and addresses for delivery customers in South Korea and Taiwan, the Journal says. McDonald's says that some employee data in the U.S. was also accessed, but none of it was either sensitive or personal. The incident wasn't a ransomware attack. The burger giant has engaged the services of cybersecurity firms and notified the appropriate authorities. 

Dave Bittner: Palo Alto Networks' Unit 42 recently released the latest edition of their Cloud Threat Report. And as you might expect, COVID-19 played a big part in cloud security over the past few months. I checked in with Matt Chiodi from Unit 42 for details on the report. 

Matt Chiodi: Well, we do cloud threat reports about every six months. And whenever we do them, we typically choose a different topic. But this time around, we're obviously still in the throes of the COVID-19 pandemic. And what we wanted to do this time was something a little bit different. We wanted to see how has COVID-19 impacted security in the cloud? And so what we did was we looked at data pre-COVID-19 discovery and then post-COVID-19 discovery and really to see what's changed. 

Matt Chiodi: And how did - you know, for example, Pew Research found that, you know, employees working remotely pre-pandemic was about 20%. And then after - within a matter of months, that number jumped to 71%. That's Pew Research data. So whenever you have a massive shift in a workforce like that, there is bound to be security impacts. And that's really what we wanted to see. What's changed? How did things like that impact cloud security? And that's exactly what we focused on throughout this report. 

Dave Bittner: Well, let's go through it together. What were some of the highlights here? What are some of the things that really drew your attention? 

Matt Chiodi: Sure. The first one, and this is really what I would say probably shocked me, was that we actually saw cloud security incidents increase once the COVID-19 pandemic began. So what we found was that cloud security incidents - they nearly tripled in the second quarter of 2020, so April to June. They increased by almost 188%. Now, to be clear, we define a security incident as events that caused violations in security policies that put sensitive data at risk. So, again, cloud security incidents, they nearly doubled at 188% increase in that second quarter of 2020. So just massive change in terms of security incidents. That's kind of a - probably one of the big, high-level items that came out of the report. 

Dave Bittner: Well, what sort of insights do you have on the why? As, you know, what's - what are the actual changes in people's behavior or opportunities or desires that triggered the shift? 

Matt Chiodi: So, you know, when organizations - when the COVID really first started to unfold, this really caused many organizations - yes, because of work-from-home types of things, they needed that rapid spin up of basically compute that only cloud can offer. And as organizations rapidly scaled their cloud usage, we found that overall that there was a massive increase in that. So, for example, when we look at certain industries, they - that was very different in terms of, you know, how they scaled their cloud usage. But overall, we saw that most industries across the board rapidly scaled their actual cloud usage. 

Matt Chiodi: And one of the things that we dive into in the report is we don't just look at it globally. We actually dove into, how did it impact cloud security by region? How did it impact it by industry? And what we saw was that as they scaled their workloads, unfortunately, their cloud security incidents disproportionately increased as well. And, really, the why behind that is that without automation, sudden increases in cloud workloads lead to a dramatic growth in security incidents. And unfortunately, that often leads to overwhelmed security teams. 

Dave Bittner: Overall is - are we at a state where the message is hopeful that we feel like folks are getting on top of this? Or do you feel like we're slipping behind, or are we treading water? 

Matt Chiodi: Well, certainly in response to the pandemic, we were barely treading water. And again - and this was probably some of the other interesting findings - was that COVID-19 critical industries, they actually suffered a spike in security incidents. Right? So we looked at from October of 2019 through February of 2021 - of '21 - right? - so it's that kind of a long period of time. And we actually found that cloud security incidents for the retail, manufacturing and government industries rose by 402% for retail, 230% for manufacturing and 205% for the government. These are those same industries that were among those facing the greatest pressures to adapt and scale in the face of the pandemic - retailers for basic necessities and manufacturing and government for COVID-19 supplies and aid. 

Matt Chiodi: So, you know, the question I would be asking is, you know, if I was an attacker, which industry poses the best risk/reward? And the answer is, unfortunately, retail, manufacturing and government. They had huge spikes in cloud growth, but they also saw their incidents spike. And this takes us back to kind of where we started. If you don't automate security, security teams will be overwhelmed and they will be barely treading water. 

Dave Bittner: That's Matt Chiodi from Palo Alto Networks' Unit 42. You can find the latest version of their cloud threat report on their website. There's a lot more to this conversation. If you want to hear the full interview, head on over to CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Thomas Etheridge. He is senior vice president of services at CrowdStrike. Thomas, it's great to have you back. I want to touch today on data protection in the cloud and how folks can best go about making sure that they're covered there. What can you share with us? 

Thomas Etheridge: Thanks, Dave. It's great to be back. Well, everybody's talking about transformational projects and the push to the cloud. We've seen a tremendous amount of organizations move applications and infrastructure from traditional on-premise model to cloud infrastructure. And a lot of that's due to, you know, things like COVID, moving workforces to work from home or work-from-anywhere models, telemedicine, online purchasing. All those things are driving bigger infrastructure and the need for scale. And that's pushing a lot of organizations to the cloud. 

Thomas Etheridge: One of the things we are talking to our customers about, and I preach in many of the talks that I give, are the three M's around the security challenges, those three M's being misconfiguration of cloud infrastructure, mismanagement of cloud infrastructure and mistakes. And those things are typically at the root or heart of most cloud breaches that CrowdStrike responds to. 

Dave Bittner: Well, how do folks go at making sure that they're covered with those three M's? 

Thomas Etheridge: There are a number of things that organizations can do. Technologies such as cloud posture management technology provides for capabilities to help automate the identification of issues and understand how to remediate those risks across many different types of cloud infrastructures, including infrastructure as a service, software as a service and platform as a service infrastructures. Cloud security posture management provides for being able to visualize risk and do assessments, provide improved incident-response capability and monitoring for compliance purposes, as well as provide capabilities around DevOps integration and, if implemented properly and monitored properly, can help reduce false positive and uncover hidden threats. 

Dave Bittner: How much do you find that, when handling this transition to the cloud, that, you know, folks sometimes don't have a good handle for everything they've got in their network? You know, I'm thinking about everything we've seen recently with the Microsoft Exchange server incident where there were folks out there who had exchange servers running and, in the course of their cloud transition, may have lost track of that. 

Thomas Etheridge: Absolutely. So we recognize that skills are a big challenge, especially for organizations that are moving very rapidly to the cloud. In addition to cloud posture management, which I talked about, there's additional capabilities that can provide some increased visibility and fidelity around what might be happening in your cloud environment. Increasing and having index-free cloud log management capabilities implemented are key to being able to capture the necessary data to respond instantly or more effectively to an incident when it does occur. It allows for the ability to pinpoint areas of concern and to potentially recover from incidents when they happen. 

Thomas Etheridge: Another big focus for us in talking to our clients is around identity management and zero trust. Zero-trust architectures can help organizations verify the users in their environment, provide for segmentation and enforcement of the privileged - least privileged principles. It also can help, you know, analyze the IT stack, including what users you have in your environment. What are those users doing? What workloads are they working from? And what endpoints exist in that infrastructure as well? 

Dave Bittner: Are you seeing more and more organizations having - as new organizations are spun up, are they doing business almost exclusively in the cloud? - I mean, it - seeing less of these sort of hybrid solutions, kind of, you know, legacy things that are holding on from the past. 

Thomas Etheridge: I think it's a mix, Dave. A lot of organizations aren't able to forklift everything they do today with their on-premise infrastructure and move it into the cloud. We talked about some of the resource constraints in terms of skills and expertise and the speed at which the business is moving. So we still see a hybrid approach where there's, certainly, on-premise infrastructure that still requires management and expertise at that level. 

Thomas Etheridge: But as more organizations shift to cloud workloads, the skills, in some cases, don't translate. And the same policies, procedures and controls are different and require thoughtful - a thoughtful approach to monitoring those, to assessing the risk of those configurations and settings. And as I said, the three M's continue to be a problem for most organizations that we're called in to support from a breach perspective - misconfigurations, mismanagement and mistakes. 

Dave Bittner: All right. Well, Thomas Etheridge, thanks for joining us. 

Thomas Etheridge: Thanks, Dave. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Be sure to check out this weekend's edition of "Research Saturday" and my conversation with Adam Taggart from the National Security Agency. We're going to be discussing NSA's most recent Science Of Security report. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.