Cyber espionage vs. the RoK MoD. Fancy Bear’s old Lojax tricks. US rumored to be prepping another case against Huawei. Database exposure in Oklahoma. Yes Men prank Post.

Dave Bittner: [00:00:03] South Korea's Defense Ministry discloses a cyber-espionage incident. Fancy Bear sticks to its old tricks with Lojax. The U.S. Justice Department is rumored not to be done with Huawei. There's a big database exposure case in Oklahoma and an update on yesterday's bogus Washington Post edition.

Dave Bittner: [00:00:28] I'd like to take a moment to thank our sponsor Georgetown University. Georgetown offers a part-time master's in cybersecurity risk management that prepares you to navigate today's complex cyberthreats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, you're invited to attend an upcoming webinar on Tuesday, January 29 at noon Eastern time. Visit scs.georgetown.edu/cyberwire to RSVP. That's scs.georgetown.edu/cyberwire. And we thank Georgetown University for sponsoring our show.

Dave Bittner: [00:01:28] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 17, 2019. Unnamed attackers have breached a South Korean national defense ministry organization. The Defense Acquisition Program Administration, which oversees military procurement, was successfully attacked. The attackers compromised, ironically enough, a data protection app - the Data Storage Prevention Solution. They obtained administrative access to the application's server and used it to spirit away sensitive material pertaining to Republic of Korea military systems. The breach occurred in October. The National Intelligence Service, which was in charge of the investigation, disclosed the incident this week. Seoul hasn't blamed Pyongyang for the attack. But as ZDNet notes, it wouldn't surprise anyone if they did.

Dave Bittner: [00:02:23] Security firm NETSCOUT has published an updated report on Lojax, the espionage tool deployed by Fancy Bear, that is to say Russia's GRU military intelligence service. NETSCOUT notes that Fancy Bear has kept its Lojax command and control servers online even after its activities were exposed by ESET, NETSCOUT and others. They draw one lesson from this. Here's a case where indications of compromise are well worth paying attention to. If the old bear is using old tricks, it's good to be aware of them.

Dave Bittner: [00:02:55] How secure are industrial radio controllers? Apparently, less secure than a garage door opener, a Trend Micro study suggests. The RF controllers are also connected to far more consequential systems than a garage and interface with significant safety measures.

Dave Bittner: [00:03:13] Its creator may be behind bars, but ZDNet notes that the NanoCore remote access Trojan continues to circulate in the wild. Fortinet researchers say they're observing the RAT's propagation via malicious Word documents. The malware is proving unusually resistant to eradication from infected systems.

Dave Bittner: [00:03:34] Contractors and civil servants warn that the ongoing U.S. federal government shutdown exposes the country to growing cyber risk. That's not, of course, exactly an admission against interest, but the concerns being expressed aren't idle either.

Dave Bittner: [00:03:50] The U.S. Department of Justice is apparently not done with Huawei. Sources tell The Wall Street Journal that the DOJ is said to be preparing a case of IP theft against the Chinese device manufacturer. Specifically, suspicion centers on alleged theft of robotic phone-testing technology from T-Mobile. The investigation emerged from a civil judgment in which the U.S. District Court for the Western District of Washington at Seattle found that Huawei had, quote, "abused its relationship as a phone handset supplier for T-Mobile to obtain access to T-Mobile's robot and, in violation of several confidentiality and non-disclosure agreements, copied the robot's specifications and stole parts, software and other trade secrets," end quote. In 2017, a jury awarded T-Mobile $4.8 million in damages. Huawei contested the suit, although it acknowledged some improprieties on the part of two employees.

Dave Bittner: [00:04:49] As organizations in Europe settle in for the long haul with GDPR, later this year, another set of regulations will come into play. PSD2 updates the payment services directive, which mandates how European merchants handle electronic payments. Angie White is from authentication and fraud prevention firm Iovation.

Angie White: [00:05:10] Basically, what this does is it creates a single marketplace within the European Union, takes down some of the barriers for open banking. And with PSD2, there's a lot of added protections for consumers, making sure that their transactions are done in a secure manner. So it adds a lot of consumer protections.

Dave Bittner: [00:05:31] And so for the consumers and the merchants, what kind of changes could they expect to see with this coming online?

Angie White: [00:05:37] One of the biggest changes that you're going to hear about with PSD2 is the need for strong customer authentication or SCA. With this mandate, SCA will be required on all transactions above 30 euros. There's some carve-outs for that. But, you know, this is a pretty big bar and a pretty big change for merchants.

Dave Bittner: [00:05:59] And so from a practical point of view, what does that mean for the merchants? Is this just a higher standard they have to meet?

Angie White: [00:06:05] Absolutely. So, you know, as it currently stands, there are SCA requirements mostly in the form of 3-D Secure. And under the current PSD, Payment Services Directive, they're allowed to waive those SCA requirements and take on the liability themselves. So under PSD2, they're no longer allowed to waive those requirements.

Dave Bittner: [00:06:29] So what do we expect that to mean to those merchants? Are we likely to see people dropping out from being able to do this or does it mean more fees that they'll have to pay?

Angie White: [00:06:38] It's kind of an interesting paradigm shift because one of the other things that PSD2 does is it puts a much bigger emphasis on fraud prevention. So they've actually - the EBA has allowed some carve-outs for risk-based transaction analysis. So basically, this kind of details into if payment service providers are able to hit certain fraud thresholds, then they'll be exempted from a higher level for SCA transactions. So if a PSP or payment service provider was able to hit an exemption fraud rate of .06 to 1.3, they're able to raise their threshold for SCA to a hundred euros. So that's in comparison to the default of 30 euros. So I think that you're likely to see that this is going to create kind of a tiered market where merchants and PSPs are really going to have to work together for - you know, to get those higher threshold reference fraud rates. The ones who aren't able to meet that are going to have to pay higher processing fees.

Dave Bittner: [00:07:47] Now, what's the response been from the merchants and the providers? Are they on board with this? Are they pushing back? How are they responding to this mandate?

Angie White: [00:07:57] Yeah. Well, I think the transaction risk analysis, that was actually in response to, you know, merchants and payment service providers pushing back because before, there wasn't any type of exemption for, you know, risk analysis. So as it was first stated, there would have been no type of exemptions. So the EBA came back with that as a concession for merchants and PSPs.

Dave Bittner: [00:08:22] Now, from a consumer's point of view, is there anything noticeable that's going to change for them?

Angie White: [00:08:27] Absolutely. So, you know, I think this is going to definitely have a really big impact on e-commerce. The consumer is definitely going to see a change because they're going to have to go through a lot more authentication than they're used to. You know, now we're used to having to remember a username and password, whereas with the strong customer authentication guidelines with PSD2, it now mandates you have to have two factors of knowledge - so something you know such as a password - inherence - something you are, so thumbprint, facial scan - and possession. So that could be, like, your device or a Bluetooth device, something along those lines. So now they're going to have to provide those two separate factors to satisfy SCA requirements.

Dave Bittner: [00:09:19] That's Angie White from iovation. Forbes reported yesterday that the exposed data hunting company UpGuard has disclosed that it found an exposed database belonging to the Oklahoma Securities Commission. The commission, which is that state's securities regulatory body, left some three terabytes of information open to the web. Much of it concerned regulatory and law enforcement matters, including information on federal investigations of financial crimes, irregularities and compliance. The data go back a long way, some of them to the '80s. They include emails running back two decades as well as enforcement action information extending to 2012. Passwords to state systems were also exposed.

Dave Bittner: [00:10:05] The Oklahoma Securities Commission says it's got the matter under investigation, is reviewing policies, determining who might need to be notified that their information is at risk, and that, quote, "the department intends to make no further comment until the investigation is concluded and pertinent facts are established," end quote. The commission did suggest that the exposure occurred inadvertently during the installation of a firewall. Citing Department of Justice policy, the FBI says that the bureau can neither confirm nor deny anything pertaining to ongoing investigations.

Dave Bittner: [00:10:39] UpGuard notes that the sheer quantity of data exposed makes it difficult to characterize in any detail. But it includes business information, personal data, system credentials and other sensitive material. They do say that the silver lining here, such as it is, would appear to be that the data were exposed for a relatively short period of time. They detected the exposed database a week after it showed up in Shodan's catalogue. Still, a lot can be taken in a week. That the exposure happened at a government agency during a period in which governments are devoting increased scrutiny to corporate data security has not escaped notice.

Dave Bittner: [00:11:17] We heard from Bromium about the matter. Sherban Naum, senior vice president for corporate strategy and technology at the company, said in an emailed statement that, quote, "this latest breach shows the disconnect between what government agencies should be doing with their security and what is actually happening. Government agencies hold the most sensitive data in the world from passwords for network machines containing the details of sensitive investigations to Social Security numbers. Despite this, there is a lack of cyber resilience at local, state and national level because they are operating with limited resources, making it hard to earmark funds for IT and cybersecurity to defend these high-value assets," end quote.

Dave Bittner: [00:11:57] He noted that some agencies are either bucketing along with old, unsupported systems or that they're simply not following soundly administered security policies. And some follow-up to yesterday's parody news story - the party responsible for printing and handing out a bogus issue of The Washington Post turns out to be neither Code Pink nor Move On but another progressive group, The Yes Men - a culture jamming activist group that engages in such parodies, posing as representatives of prominent institutions. They also encourage setting up bogus websites, crashing conferences, stuff like that - sort of a merry prankster's light with transgressive high jinks done from the cozy perch of tenured faculty positions, which is nice work if you can get it.

Dave Bittner: [00:12:46] The Yes Men's idea was to provide a kind of roadmap to impeachment, since they'd like to send President Trump down that road. And anyway, they like yesterday's scam and say it's all good because it was transparent - transparent because it was dated May 1, and yesterday was January 16. And get this - May 1 is also May Day, an homage to International Workers' Day as established by the Sixth Conference in the Second International. Get it? And the motto on the phony post's front page wasn't "Democracy Dies in Darkness" but, instead, "Democracy Awakens in Action."

Dave Bittner: [00:13:22] And if that don't fetch them, then we don't know Arkansas. The action hasn't been universally praised. WIRED, for example, is dubious, if not entirely condemnatory. While acknowledging a place for satire, WIRED seems not entirely convinced that the Yes Men whereas entirely transparent as all that, especially given prevailing sensitivities about information operations. The Yes Men are content, however, telling WIRED that they're not out there to make friends but, rather, to make change.

Dave Bittner: [00:13:57] And now a word from our sponsor Virtru. Virtru is a data privacy company that protects your organization's data wherever it goes. Using a data-centric security approach, Virtru brings persistent protection and control to the platforms where your data is stored and shared, including Microsoft Office 365 and Google G Suite. Now, I know what you're thinking. What makes this different from any other data protection tool? Well, have you ever tried to protect data from inside your perimeter? It's hard, but Virtru makes it easy by not only encrypting at the data object level but also by giving you the ability to track where your data is shared. Revoke access, maintain audit visibility and host your own keys. So you don't have to trust third-party services to keep your data safe. Virtru helps protect thousands of companies' data, including HBO, WeWork and The Associated Press. And for a limited time, they're providing our listeners a free copy of Forrester's 14-page report on the future of data security and privacy. Get your copy at virtru.com/cyberwire today. That's virtru.com/cyberwire. And we thank Virtru for sponsoring our show.

Dave Bittner: [00:15:22] And joining me once again is Mike Benjamin. He's the senior director of threat research at CenturyLink. Mike, great to have you back again. Today, I wanted to talk about a particular flavor of botnet, if you will, that you all have been taking a close look at. And that's Mylobot. What do you have to share with us today?

Mike Benjamin: [00:15:40] Yeah, thanks for having me, Dave. So Mylobot is a malware family we've been tracking. This is particularly interesting because, like many other families that we're seeing today, it's dropping secondary payloads. And it's doing that so that it can remain flexible to allow for future infections if the actors' desires of their end-state infection changes. So today, we're seeing Mylobot as a infection dropping the Khaleesi malware family. And so that malware family doesn't get a lot of public press. And so I know a lot of folks maybe haven't heard of it. But it's an information stealer. And so we're seeing information stealers being very popular. And they're out to steal credentials, of course, usernames, passwords, both from enterprises as well as consumers. They're both valuable in their own ways to a criminal. But, of course, they're after money, as well. So bank account information. Of course, cryptowallets are particularly popular with any information stealer family. So Khaleesi is what it's dropping as its secondary payload.

Mike Benjamin: [00:16:43] And we published some research recently that outlines one interesting thing from a defender perspective, which is that the Mylobot infection actually uses a DGA - that in and of itself is not particularly unique. So the domain generation algorithm that it uses actually has hardcoded domains in it. And so upon spin-up, what you actually see this malware family do is over 60,000 DNS queries. And from a defender perspective, looking at DNS logs would be a particularly interesting way to see that. That should be really loud. It should be an anomaly in the dataset. And the reason we call that out is that the binary itself is auto-generated constantly by the actor. And so the hash is a really poor way to detect the malware. But the DGA is a really good way. And so we see, globally - best guess - 30,000 40,000 infections on a given day from this malware family, targeting a lot of the Middle East, Latin America, Eastern Europe and Asia.

Dave Bittner: [00:17:43] Yeah, that was my next question, which you led into there, which is, who are they targeting? And do you have any sense for how targeted they are and if there's any specific information they're trying to get?

Mike Benjamin: [00:17:55] So one of the things about how we are tracking botnets is we're doing it from a network perspective - makes a lot of sense coming CenturyLink. And so that initial infection, something that we're not often looking at - it changes. New exploits come out every day - tell us that's a losing battle. And looking at the malware from a network perspective is where we target. Now, I will guess, based on the regions that's attacking, and saying it's probably poorly patched software. You see those parts of the world tend to have out-of-date things, things maybe without up-to-date licenses and other things. And they're a really popular target for a variety of malware families. So those regions aren't unique just to Mylobot. And I would guess that it's not particularly targeted.

Dave Bittner: [00:18:36] So - but the degree of targeting here itself, I guess, is one of the things I'm curious about. Do you have any sense for - is this a shotgun approach where they're trying to get to anything they can get their hands on, or does it seem as though they may be after specific people?

Mike Benjamin: [00:18:51] No, no, they're very much looking at a broad infection in terms of the size, scale numbers and variety of locations we're seeing. They're not looking after - looking at an individual person.

Dave Bittner: [00:19:00] I see. I see. All right. Well, Mike Benjamin, thanks for bringing us up to date. Thanks for joining us.

Dave Bittner: [00:19:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.