The CyberWire Daily Podcast 7.1.22
Ep 1611 | 7.1.22

Notes on cyber conflict. Lazarus Group blamed for the Harmony cryptocurrency heist. MedusaLocker warning. Observation of the C2C market. The Crypto Queen cracks the FBI’s Ten Most Wanted.

Transcript

Dave Bittner: An update on the DDoS attacks against Norway. NATO's resolutions on cybersecurity. North Korea seems to be behind the Harmony cryptocurrency heist. MedusaLocker warnings. Microsoft sees improvements in a gang's technique. Google blocks underworld domains. The Israeli-Iranian conflict in cyberspace. Chris Novak from Verizon with his take on this year's DBIR. Our guest is Jason Clark of Netskope on the dynamic challenges of a remote workforce. And now among the FBI's Ten Most Wanted - one Crypto Queen.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 1, 2022. 

Update on the DDoS attack against Norway.

Dave Bittner: Killnet's Cyber Spetsnaz continues to look more like a state-directed operation than it does a spontaneously aroused group of patriotic hacktivists. Security Affairs has an account of the various units now claiming adherence to the Killnet Collective. These include, most recently, Sparta, which says its remit is sabotage. Beyond Sparta, Security Affairs' Killnet scorecard looks like this. Phoenix coordinated its activities with another division called Rayd, which previously attacked government resources in Poland, including the Ministry of Foreign Affairs, Senate, Border Control and Police. Other divisions involved in the DDoS attacks include Vera, FasonninGung, Mirai, Jacky, DDOS Gung and Sakurajima, which previously attacked multiple web resources in Germany. The aim of the operations seems to be influence, not really serious disruption or disablement. And the DDoS attacks in Norway have been a nuisance, as opposed to a serious, consequential attack.

NATO's resolutions on cyber security.

Dave Bittner: NATO's Madrid summit this week addressed the threat Russia poses to its neighbors, vividly on display in the special military operation. The White House has offered the U.S. reading of how the Atlantic Alliance intends to address the Russian cyberthreat specifically, through strengthened cyber resilience and defense. A White House statement says, building on last year's adoption of a new cyber defense policy for NATO, allied leaders will endorse a new action plan to strengthen cyber cooperation across the political, military and technical levels. As an operational domain for NATO, cyber will also be a key component of NATO's strengthened deterrence and defense posture. Building on lessons learned from the conflict in Ukraine, allies will decide at the summit to use NATO as a coordination platform for offering national assets to build and exercise a virtual rapid response cyber capability to respond to a serious cyberattack. The United States will offer robust national capabilities as part of this support network. So a rapid cyber response capability is expected to become at least as important as conventional kinetic capability. 

North Korea seems to have been behind the Harmony cryptocurrency heist.

Dave Bittner: The Wall Street Journal reports that efforts to launder some $100 million, taken in last week's looting of Harmony's Horizon blockchain bridge - a service that enables the transfer of funds from one blockchain to another - appear to be the work of North Korean state-sponsored threat actors. TechCrunch notes that strong circumstantial evidence points to the long-familiar Lazarus Group as the operators behind the theft. The U.S. government sees such theft as a principal North Korean means of funding its advanced nuclear and ballistic missile programs. Why the unseemly haste to launder the stolen altcoin? Things have changed, and they're not working out as well for Pyongyang as they once did. Reuters reported earlier this week that the current crash in cryptocurrency values has given the DPRK's weapons programs a bit of a haircut, which explains the urgency on display in the Lazarus Group's money laundering efforts. Times are tough all over.

MedusaLocker warning.

Dave Bittner: CISA and its partners - the FBI, the Department of the Treasury and the Financial Crimes Enforcement Network - warn that MedusaLocker ransomware operators are now relying for the most part on exploiting vulnerabilities in Remote Desktop Protocol to access their victims' networks. MedusaLocker is a ransomware-as-a-service operation in which the proprietors split the take with their affiliates.

Microsoft sees improvements in a gang's technique.

Dave Bittner: Microsoft warns that the 8220 gang, a criminal group that's been around for a few years, is improving its ability to attack Linux devices. 8220 is running cryptojacking attacks that install a CoinMiner in the victims' systems. Redmond says to protect networks against this threat, organizations should secure systems and servers, apply updates and use good credential hygiene. Always good advice, and as always, we note in full disclosure that Microsoft is a CyberWire partner. 

Google blocks underworld domains.

Dave Bittner: Google's Threat Analysis Group has published an account of its observations of hack-for-hire groups, a subsector of the criminal-to-criminal market that specializes in account compromise and data exfiltration. Recent hack-for-hire campaigns have been run by operators in India, Russia and the United Arab Emirates. Hack-for-hire operators are essentially an illicit counterpart of firms that provide lawful intercept capabilities to governments. They differ from the lawful intercept companies, however, in at least one important way - the vendors themselves are engaged in the operation. Google, which has blocked a number of the hack-for-hire domains it's located, explains. They say, in contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to operate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically take advantage of known security flaws when undertaking their campaigns. Both, however, enable attacks by those who would otherwise lack the capabilities to do so.

Israeli-Iranian conflict in cyberspace.

Dave Bittner: State-versus-state cyber conflict news has been dominated since January by Russian campaigns against Ukraine. But it's worth remembering that cyber and hybrid conflicts are in progress elsewhere as well. The long-running tension between Iran and Israel is an evergreen example. Reports earlier this week attributed disruption of steel production at a major Iranian mill to an Israeli cyberattack. The action, which Iran says it quickly mitigated, was attributed to a nominally hacktivist group, Predatory Sparrow. But speculation in the Israeli press suggests that Predatory Sparrow might be a front group used by a nation-state to achieve deniability. Iran has no shortage of nation-states who don't necessarily wish Tehran success, and those include, in the Jerusalem Post's accounting, the U.S., the Saudis, the UAE and others with significant cyber capabilities. Prominent among those others is, of course, Israel, as the Post itself points out. Israel's defense ministry is treating the reporting as prima facie evidence of an illicit leak. And the Times of Israel reports that Defense Minister Gantz has ordered an investigation into the leak, not the cyberattack. 

Dave Bittner: Iranian media have taken an interesting tack in the ongoing information conflict with Israel, asserting that specific Israeli companies are engaged in illicit cyber operations. Mentioned in dispatches are specifically Proofpoint, which PressTV says is connected with Israel's Unit 8200 and engaged in a covert campaign to intercept the email traffic of U.S. media companies, and mobile forensic company Cellebrite, which the Mehr News Agency says is now being targeted - and rightly so, in Mehr's view - by Iraqi hacktivists, presumably in retaliation for the company's provision of forensic technology to Israeli authorities. Presumably, the hope is that other Israeli companies will draw the same hostile scrutiny that's been directed at the NSO Group, the proprietors of the Pegasus intercept tool. In these cases, that hope seems a long shot. 

Wanted: Crypto Queen.

Dave Bittner: And finally, the FBI has added a new member to its Most Wanted list. Ms. Ruja Ignatova - formerly styled as the Crypto Queen and the founder of OneCoin, which the U.S. Department of Justice maintains was a Ponzi scheme - cracked the top 10, and it was well-earned. She is alleged to have defrauded investors of around $4 billion - that's billion with a B - before she quietly went into hiding back in 2017. She's been tough to track down, her holiday being well-funded by the cool $500 million she allegedly got away with and is no doubt using to live it up in parts unknown. Anywho, Ms. Ignatova is out there in the wind, and the feds want her for one count each of conspiracy to commit wire fraud, wire fraud, conspiracy to commit money laundering, conspiracy to commit securities fraud and securities fraud. So be on the lookout, citizens. The bureau says there's a $100,000 reward for information leading to determination of her whereabouts. If you know where she is, or if you'd like to cop to being one of the marks she - allegedly, we say - allegedly swindled, dial 1-800-CALL-FBI. Operators are standing by, so act now. 

Dave Bittner: Over the past couple of years, through COVID and the ascension of threats like ransomware, security pros have found it necessary to be more flexible than ever to adapt to the needs of the people they are charged with protecting, to meet them where they live. Jason Clark is chief security and strategy officer at security firm Netskope, and I asked him for his perspective on the new normal. 

Jason Clark: What I'm seeing is definitely this hybrid work is becoming a very - you know, a very important term where we were - you know, we were all on-prem, and then we were 100% off-prem, which obviously accelerated the movement of cloud modernization and the adoption of SaaS. We saw people go from, you know, 100 SaaS apps to 2,000 SaaS apps in one company, as an example, right? So just a massive shift in that, now people are kind of going to, well, it's really two days in the office, three days in the office for certain industries, right? Not retail or manufacturing, but most other industries are in some type of a, I work from home sometimes. I work from the office sometimes. Or I work from, you know, Starbucks other times, right? And so I think that's one big thing that's probably - I'd say is a change and making people rethink, you know. It's not one or the other. Now it's something in between. And as they do an operating model - right? - they look at their security stack and make sure that, you know, they're kind of integrated in the execution of that. These aren't two separate systems, right? They kind of have one brain overlooking the way that their employees are, you know, driving or they're enabling the business in - you know, from a technology standpoint.

Dave Bittner: And what sort of recommendations are you making for folks to make that as seamless and friction-free for the employees, to be able to make that switch and have it be effortless? 

Jason Clark: So I kind of talk to it, like, that, you know, you have - look at how much spend and technology for security you have for the on-prem - right? - and come back with a percentage and the numbers for that. And then look how much you're spending for, let's call it, you know, the hybrid aspects, when they're off the network. And then how much are you spending for just cloud in general, cloud security? And what you'll find is the majority of the spend in any global 2,000 is still pretty heavy on-prem, right? But yet you're kind of in this - you know, 90% of your users are mobile. And generally in most every organization, more than 50% of their apps are in the cloud now, when you start adding SaaS.

Jason Clark: And so I tell them it's kind of like a rubber band. You're stretching your security, you know, far out, which also creates friction on your team, creates friction on the business 'cause you're trying to secure from one location, or you have three disparate solutions for each of those three scenarios. And that - you really need to do what, you know - I think Gartner did a brilliant job of coming out with Security Service Edge as an example, SSE, to really recenter and get leverage in your security model and kind of center yourself with a cloud solution that can fulfill the on-prem scenarios of everything outbound or egress - right? - and also solve the hybrid worker scenario while at the same time solving the cloud security issue. 

Dave Bittner: Let me ask you this. I mean, does the organization who is starting up now, who's taking a fresh approach, you know, a blank sheet of paper and looking at all of the options available for securing their organization - are they at a bit of an advantage now, you know, being on the other side of things where we've had this huge shift to the cloud, that they're not sort of dragging along some of that legacy stuff? Is that a fair way to look at it? 

Jason Clark: Hundred percent, yes. I mean, I think anytime you can be greenfield and you're in a company that was started in the last 10 years, but you've just had tremendous growth and success - right? - that is - you know, you're in a much better spot. You don't have, you know, all of that technical debt. You don't have a clunky architecture, quite frankly - right? - that you're trying to piece together because of stuff that was built 20 and 30 years ago. So anybody in a greenfield scenario is going to be - and honestly, most likely, they're going to be, you know, almost all in the cloud. And that allows you to get a lot more visibility, a lot more data, a lot more kind of trajectory to see what's going on, right? And so that security program has - is simpler, right? And the, you know, complexity is the enemy of security. And so when you have any of the legacy stuff, you have a lot of complexity - right? - trying to get to one identity solution as an example, right? Most companies, even - if you ask people how many data protection systems you have, they'll tell you 10 to 12, right? But they're all trying to do the same thing - protect data. You really want one brain to do that. And when you're a greenfield and you're all cloud, you can have one brain. When you've got a lot of legacy systems, you have to find ways to bring it all back to one brain that can make those decisions. 

Dave Bittner: That's Jason Clark from Netskope. 

Dave Bittner: There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for "Interview Selects," where you'll get access to this and many more extended interviews. 

Dave Bittner: And joining me once again is Chris Novak. He is managing director of security professional services for Verizon Business. Chris, always great to welcome you back to the show. It is that time of year - I think, for a lot of security professionals, one of their favorite times of the year. And, of course, I'm referring to the release of the Verizon DBIR... 

(LAUGHTER) 

Dave Bittner: ...A report that I think lots of people look forward to. Can we start off with just a little background here for folks who may not be familiar with it? What's the significance of this report? 

Chris Novak: Sure, Dave - always a pleasure to be here. Thanks for having me back. Yeah, so when we look at the DBIR, this is - I've actually had the pleasure and fortune to be part of the DBIR's creation since the very first iteration or publication of it - now going back 15 years - so... 

Dave Bittner: Wow. 

Chris Novak: ...kind of hard to believe. But when we first put the report together, the genesis for anybody who's not familiar or was reading it for the first time was - nobody was talking about breaches. Everybody knew they were happening, and they kind of snuck up in the news, and people were freaked out and worried, and everybody wanted to know what happened to victim A, B or C. How do I prevent it from happening to me? You know, I'm in a similar industry or I probably have similar data. I might be attacked by similar threat actors. You know, everybody thankfully wanted to know what they could do to improve, but the challenge was they felt that there wasn't really a great outlet for them to find that data - and really factual data, right? There was plenty of information out there in terms of marketing material for silver-bullet technologies that'll solve all your security problems, but people wanted real evidence-based data. 

Chris Novak: And so when we created that first DBIR back in 2008, that was the idea. It was let's take data from real breaches, real investigations. At the time, it was just based on the work that my team did. So if we did an investigation for customer A, B or C, we would anonymize and aggregate that data together and then pull out what the salient points were, that we could say, look, I don't have to - you know, I draw a lot of analogies between cyber and health care. I don't need to necessarily tell you who patient A, B or C is. But if I told you, look, I looked at a collection of patients that are of similar demographics and background as you, and this is what led to health problems, and this is what led to a long, healthy life, you know, you could use that information to hopefully, you know, bootstrap your own health. And so that was the concept of the DBIR way back then and still today. And now one of the biggest differences going over that 15-year span is, in 2008, it was just the data from our own casework. Now, we have 80-plus contributing organizations that are also providing their evidence and their data, so it builds out a much more well-rounded big picture of what that threat landscape looks like. 

Dave Bittner: Well, let's dig into this year's version of the report. What are some of the things that stand out to you? 

Chris Novak: Sure. So, I mean, there's more data in it than ever before. You know, contributing organizations are up. Some key standouts - ransomware continues to be big. I think anybody who is not tracking on ransomware - you're probably hiding under a rock. 

Dave Bittner: Yeah. 

Chris Novak: But to put real numbers on it, it increased 13% over the previous year. And this was a bigger jump than the last five years combined. And I know some folks may be looking at that and going, 13% increase doesn't sound like all that much. But when you consider that we're looking at, you know, over 5,000 breaches and almost 24,000 incidents, you know, that's a pretty sizable jump. 

Dave Bittner: Anything in this year's report that is surprising to you - anything bubble up that wasn't expected? 

Chris Novak: You know, I would say that it's hard because, when I look at it so closely, I feel like I expect a lot of what I see. But I think if you're not knee-deep in the data and in the incidents, there's a few things that I would say are really takeaways. You know, one thing that jumped out, I thought, interestingly, was around supply chain. You know, we've seen a handful of big supply chain events over the course of the last year to two years, and I think that's an area where we're just going to continue to see activity happen as organizations bolster their own security. And then also, we see a lot of changes in the way organizations are working as it relates to COVID. People are moving more things, more workloads to third parties. They're relying on more as-a-service type of things.

Chris Novak: And not necessarily that any of those things are inherently bad or present security problems in and of themselves, but the more you rely on someone else, it also means the more you're relying on their security, and we see that threat actors are getting smarter and realizing, maybe I don't go, you know, head-first right at the front door of my target. Maybe I kind of take the side door or the back door through some supplier or third party that either has access to them, their data or some other connectivity. So the supply chain piece, I think, is something that is important for everybody to be watching very closely, and we've got some good kind of anecdotes and data points in the report around that. 

Dave Bittner: You know, you mention how many more organizations are contributing to the report this year. And, to me, that's one of the great success stories of this report. As you say, it's been, you know, 15 years or so that you've been a part of it and that Verizon has been heading up the charge on this. I'm curious - you know, behind the scenes, have there ever been - have you ever had to stand up and, I don't know, you know, beat back the marketing department... 

Chris Novak: (Laughter). 

Dave Bittner: ...And say, no, we're keeping this report pure, and here's why. 

Chris Novak: That is a topic that comes up often. 

(LAUGHTER) 

Chris Novak: I will say that that is something that - you know, I have to give the team a lot of credit. You know, the team has worked very hard over the last 15 years to make sure that the report stays open and freely accessible. It's not behind a paywall or anything like that. And part of that also is, you know, promises and commitments we make to our data - you know, contributing partners that - you know, look, if they're going to contribute data, we agree that we're going to make this openly accessible and freely available to the masses because the key here is it's not - you know, it's not intended to be a marketing tool for selling an object or a service or a product. It's really intended to be educational awareness. And in order for that to be effective, you know, we really need to kind of have a hands-off approach as it relates to some of the, you know, maybe some of the marketing or sales angles. 

Chris Novak: We really want people to read it for the data that's in it and how it can be useful. And I think, honestly, that's why we've seen an uptick in usage of it in, you know, college curriculums and various university programs. They look at the data, and there's really something there that they can sink their teeth into and make good use of. And hopefully, also, we see the same thing, you know, from our, you know, our CISO consumers of it as well. When they're looking at it, they feel like they can actually take what they read and apply that to, you know, how they mature their security programs. 

Dave Bittner: Well, congratulations on the publication of another year's DBIR, and continued success in the future, Chris. 

Chris Novak: Thank you, Dave. Pleasure. 

Dave Bittner: Chris Novak, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. 

Dave Bittner: Don't miss this weekend's "Research Saturday" and my conversation with Larry Cashdollar from Akamai. We're discussing a DDoS campaign claiming to be REvil. That's "Research Saturday." Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.