The CyberWire Daily Podcast 11.18.21
Ep 1462 | 11.18.21

Developments in cyber gangland, and the increasingly complicated entanglement of crooks and spies. Selling confiscated alt-coin to compensate fraud victims.


Dave Bittner: RedCurl is a Russophone gang with an unusual target list. North Korea's TA406 is having a busy year hacking for intelligence and for profit. Wicked Panda's getting good at code signing, and software supply chain attacks are in Beijing's long-term plans. A spear-phishing campaign abuses legitimate collaboration tools. Kevin Magee from Microsoft has an insider's look at Windows 11 security. Our guest is Kevin Bocek from Venafi to discuss security software build environments. And selling confiscated cryptocurrency to compensate victims of scams.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 18, 2021. 

Dave Bittner: Security firms today have issued reports on several criminal and state-directed actors. Group-IB has published an update on the activities of RedCurl, a Russian-speaking threat group that casts an unusually wide net, wide enough to include North American firms and Russian banks. The group, active since 2018, is principally engaged in industrial espionage, interested in trade secrets and employee personal data. The goal would appear to be financial, and it's unusual that a Russophone criminal gang would be bold enough to hit Russian targets. Those are normally off-limits to the Russian-speaking gangs. 

Dave Bittner: According to Proofpoint, 2021 has been a big year for Pyongyang's hackers. The group that security firm tracks as TA406 has been active against a wide range of targets. It's a North Korean state threat group associated with the activity against Western diplomatic and intelligence targets familiarly tracked as Kimsuky and Thallium and also associated with the Konni family of remote access Trojans. 

Dave Bittner: TA406 has engaged, according to the researchers, in espionage, cybercrime and sextortion during 2021. It's proceeded from criminal theft to attacks that involve distribution of malware. So like other DPRK threat groups, TA406 engages in a mix of spying and financially motivated cybercrime. 

Dave Bittner: That mixed motive is also visible in recent activities of another threat group, this one out of China. Security firm Venafi today published research on how Chinese threat actor APT41, also known as Barium, Winnti and Wicked Panda, has perfected code signing techniques, the better to hack software supply chains. 

Dave Bittner: The key points the security firm makes are these. First, they use bespoke tools. Quote, "APT41 is unique among China-based threat groups as they leverage specially crafted, non-public malware typically reserved for espionage activities for financial gain, likely outside the scope of state-sponsored missions," end quote. 

Dave Bittner: Second, Wicked Panda is very much interested in the value of code signing keys. Quote, "critical to the success of this attack method, APT41 has made code signing keys and certificates, which serve as machine identities that authenticate code, a primary target," end quote. This is important because such certificates are useful for cooperation among attack groups, and they make success all the likelier. As Venafi puts it, "compromised code signing certificates are used as a shared resource for large teams of attackers because they act as an attack force multiplier and dramatically increase the odds of success," end quote. 

Dave Bittner: Finally, APT41 is patient in its pursuit of strategic objectives. Quote, "this strategic, long-term focus is a primary factor in APT41's ability to successfully compromise a wide range of high-value targets across multiple industries, including health care, foreign governments, pharmaceuticals, airlines, telecommunications and software providers," end quote. This patience is visible even in training. APT41 has for more than a decade run what Venafi calls a bootcamp on the technique. 

Dave Bittner: The strategy pays off in at least two ways. As Venafi puts it, quote, "the cyber-espionage activity of APT41 is mostly focused on the theft of source code, software code signing certificates, intellectual property, customer data, internal technology documentation and valuable business information. These same set of activities also facilitate financially motivated schemes, including ransomware, cryptojacking and virtual currencies manipulation. The financially motivated activity has primarily focused on the video game and adware industry," end quote. This is close to a page from Pyongyang's playbook, although in this case the financial aspects may amount to an APT side hustle as opposed to privateering or direct enrichment of the National Treasury. 

Dave Bittner: Domain Tools has identified a quiet spearphishing campaign in progress since the end of July in which an email address belonging to an employee of a firm operating in the UAE was used in an apparent credential harvesting campaign directed against other companies in the region. The documents in the emails each contained distinctive domains hosted on Glitch, a legitimate web-based code collaboration tool whose ephemeral nature the attackers seem to have used to render their operations quieter and less susceptible to detection. 

Dave Bittner: Apps are accessible on Glitch for a matter of a few minutes. Domain Tools writes, quote, "this ephemeral nature makes Glitch shared spaces perfect for serving up malicious content, especially because Glitch's domains are trusted and often allow listed on many networks already. Domain Tools research reached out to Glitch about this but have yet to hear back as of the publishing time of this document," end quote. Again, we note that Glitch is not a criminal enterprise but a legitimate service. 

Dave Bittner: Domain Tools offers no further attribution of the activity, nor do they give the unknown operator a catchy name. They do call the operation Seeing Red because of the frequency with which the links ran to a named page, red.htm. And they note that the techniques on display show some of the cunning ways in which criminals have evolved to evade traditional security measures. 

Dave Bittner: As the report says in its conclusion, quote, "spaces where code can run and be hosted for free are a goldmine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest. This delegation of trust allows for attackers to utilize a seemingly innocuous .PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust. By coupling that with exfiltrating captured credentials to compromised WordPress sites, attackers have built an attack chain that can sneak past defensive tooling," end quote. 

Dave Bittner: And finally, what happens to cryptocurrency seized by authorities during investigation of crime and fraud? In the case of the BitConnect Ponzi scheme, the Justice Department is selling $56 million in altcoin. CNBC reports that the funds will be used to compensate victims. 

Dave Bittner: The folks at security firm Venafi recently surveyed more than a thousand IT development pros and executives to get a sense for where things stand when it comes to securing the software development pipeline. Kevin Bocek is vice president of security strategy and threat intelligence at Venafi, and he joins us with insights from their survey. 

Kevin Bocek: I think we're in this period of uncertainty where security teams and engineering teams are not certain who's responsible for securing software development pipelines. And also, why have businesses not really made a dramatic change following the SolarWinds breaches? And I have to say it all starts with boards, CEO, managing director. It has to be the clear prerogative and demand. And also, they have to have accountability and responsibility that we are in a new age where everyone is under attack. And it's not business as usual. 

Kevin Bocek: And that starts at the board. It starts at the CEO about being accountable and then that accountability, of course, cascading down. So we're not going to see that change, that tidal wave, I believe, until that is. That may require boards. That may require regulation, whether, you know, you're in the U.S., U.K. or elsewhere around the world. Your regulators may also drive that change. So in other words, best be prepared. 

Kevin Bocek: And then that, you know, cascades down where - hey, security team; should we be responsible for - ultimately responsible for what engineers build? Or are engineers saying, hey; we're the ones building that; we're going to be responsible? Or, hey; it's you guys, security. You know what? We'll just go continue building features and making releases. It's this uncertainty. And I think that, again, that has to change from the top. But in the meantime, though, I see a path of change. One - hey; when it comes to software that we're consuming, whether that be SaaS or - that your business is licensing - you know, I see a world today where, you know, we ask security questions as part of that procurement process. Procurement teams have certain, you know, prerequisites that they want to see. 

Kevin Bocek: But what we have to change is actually the buyers. At the same time that they're learning about the features or what value a software or software as a service is going to provide, your business should be saying, how are you going to secure the data that we use? How are you going to protect that we don't become the victim of a software supply chain attack? 

Kevin Bocek: At the same time, you're asking about questions, again, that are going to, you know, drive revenue or create some efficiency. That's a change that we have to make today because, again, we're in this world where we're all under attack no matter who we are. And that's a first change. We have to move, again, software supply questions from procurement all the way to the beginning. And that's something that security teams can make a change. I really believe they can start doing that today. 

Kevin Bocek: Second of all, when it comes to, hey; who's responsible for securing software development pipelines in the software that we build - again, your business is a software development company - that's actually - I might sound a bit controversial. That's actually where engineering teams need to have more and more accountability and responsibility. You know what? They're architecting the build pipelines. They are engineers. Engineers are building the software. Engineering teams have to have accountability, responsibility. So I actually believe they're the ones that should be accountable, responsible for securing the software development pipelines. 

Kevin Bocek: Security teams can help, but technology is changing so quickly. I mean, just ask a security architect about the latest in build pipeline technology, whether that's Azure DevOps, what GitLab has released, or - I'm sure there's even more. That's not their specialty. And so engineers, then, need to be accountable and responsible. And I think that's a great opportunity, then, for the VP of engineering, the CTOs to step up, too. 

Kevin Bocek: So my two takeaways out of what we're seeing in this uncertainty are, A, security teams can immediately make change moving those security questions - how are you going to stop us being the next victim of a supply chain attack? - from procurement questions all the way to when the business is asking feature and value questions. And then second, engineering, executive CTOs - they need to become accountable, responsible for securing their software development processes. 

Kevin Bocek: This is a new world that we're in, and that's why for CEOs and boards, managing directors - as they report to shareholders, they have to be talking about the cybersecurity threats just as much of a business risk as your competition. So that's the opportunity as well for the leaders on the technology and security side. It's as - you know, cybersecurity and protecting our software, it's just as important. How are we going to outwit the competition? 

Dave Bittner: That's Kevin Bocek from Venafi. 

Dave Bittner: And joining me once again is Kevin Magee. He is the chief security officer at Microsoft Canada. And, of course, we note for disclosure Microsoft is a CyberWire sponsor. 

Dave Bittner: Kevin, always great to have you back. You know, with great fanfare, you all at Microsoft have released the latest version of Windows. I hear this one goes to 11 (laughter). And so there's a lot of excitement around that. But I wanted to really dig in with you about some of the security elements that are in Windows 11 and get a little behind-the-scenes insight onto what you all are thinking when it comes to security here and how this sort of sets the table for us for the future. 

Kevin Magee: So thanks for having me back, Dave. And you're absolutely right. Most operating systems - you know, they only go to 10. And where are you going to go from there when you need more security, right? Nowhere. 

Dave Bittner: (Laughter) Right, right. Nowhere - right. 

Kevin Magee: Windows now goes to 11. So I think Windows 11's an interesting case study to look at what's happening in our industry right now. And as vendors and customers are looking and thinking about security differently, you know, first we want a fully integrated security approach. We can't look at siloed, best-of-breed hardware, software, operating solutions. We have to allow the consumer or the organization to figure out how to work together to protect themselves. They need to become much more integrated. And that's one of the things we're looking at with Windows 11 - how better to do that - chip to cloud, we call it. The second is - integrity of supply chain has become a very important part of every security discussion recently. And that can't be done in a silo, either. You can't have an operating system, supply chain discussion, a hardware to supply chain discussion, an app security discussion. So how do we start thinking about integrating those and protecting the supply chain, again, from chip to cloud? And then finally, what I'm really pleased with Windows 11 is this approach that we call digital empathy or user empathy, where we're designing products to take the requirement away from the user to figure out security and just making it easy for them. And that's how - ultimately reducing the risk for the user by increasing the experience or making the experience much better with the product. 

Dave Bittner: Can you give me an example of that? I mean, how would a Windows 11 user notice a difference when it comes to their interactions and security? 

Kevin Magee: I think a couple of quick things would be just how we build in security from a - I call it stairs and guardrail. When you think about any other security or aspect - walking down a broken set of stairs without a handrail - and the user were to fall. It's not the fault of the user in our society. You know, there is a requirement that the building owner or whoever's maintaining it, you know, make sure the stairs are built properly, that there's, you know, a proper handrail and whatnot as well. Same - we put guardrails on highways. We really expect that the user's going to be using the product and really shouldn't ultimately be responsible for the entire security. Now, they still have to drive within the lines. They still have to make sure they're walking safely. But we've taken that approach to designing Windows 11. 

Kevin Magee: And we're seeing a lot of other vendors look at this as well, too. So that could be running applications in isolation, including Microsoft Defender antivirus, that will run from the time of boot. So it's looking at the hardware boot process, as well as once it's running as well - allowing applications to sort of prove that they're trustworthy, running user account control in least-privilege mode by default, and also just building in some applications so users can have a holistic view. An application is included with Windows 11 so a user can look at their security posture, look at a privacy report as well, and familiarize themselves with what's really running on their system in one place, instead of having to go hunting across the operating system or multiple applications to find this information. 

Dave Bittner: For the pros in the audience who still want to dig in there and, you know, hit that command line and mess things up on their own, under their own terms, (laughter) they still have the capability to do that, right? 

Kevin Magee: Absolutely. And I think that's a matter of choice. And that's how - all of our products are really designed with user choice. If you want to have a granular-level access to your security and you want to tune it specifically as a user or as an organization, you can do that. But what about - you know, what about the family who really doesn't have an IT department or a security - fire department? There's no CSO of most households. They're struggling with these challenges as well, too. So we're not just making products for business users, but also for the modern home, which probably has more devices hooked up to the internet now than most businesses did 10 years ago. And they're struggling with these challenges as well, too. So again, how do we take the need to design security and manage security out of the hands of the user, make the experience great and then build in security by default as well? 

Dave Bittner: All right. Well, Kevin Magee, thanks for joining us. 

Kevin Magee: Thanks, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.