UN Security Council looks at North Korean cybercrime. Notes on PsiXBot and BITTER APT. The state of spearphishing. Election security. A final look back at Black Hat and Def Con.
Dave Bittner: [00:00:03] More on the U.N. Security Council's report on North Korean state-sponsored cybercrime. PsiXBot evolves. BITTER APT probes Chinese government networks in an apparent espionage campaign. A study looks at the state of spearphishing. It's not just the three-letter agencies out securing U.S. voting systems; it's the four-letter agencies who are taking point. And a last look at Black Hat and DEF CON.
Dave Bittner: [00:00:33] And now, a message from our sponsors ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible, in part, by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:36] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, August 13, 2019. The U.N. Security Council panel studying North Korean hacking concluded, according to the AP, that Pyongyang has made at least 35 financially motivated cyberattacks against 17 countries as it works to fund its weapons of mass destruction programs. This is the report which the Associated Press saw a fragment of last week. They've now seen the whole thing.
Dave Bittner: [00:02:07] In terms of targeting, South Korea received the most attention, sustaining 10 North Korean cyberattacks. India came in second with three, and Bangladesh and Chile received two attacks each. A single attack was determined to have cut a wide international swath, with victims in Costa Rica, Gambia, Guatemala, Kuwait, Liberia, Malaysia, Malta, Nigeria, Poland, Slovenia, South Africa, Tunisia and Vietnam.
Dave Bittner: [00:02:34] The most common operations have been attacks against the SWIFT international banking funds transfer system, then attacks against cryptocurrency exchanges - most of these in South Korea - and finally, cryptojacking to mine alt-coin directly. Monero was Pyongyang's preferred alt-coin. Anything they succeeded in mining went to servers at Kim Il Sung University in the nation's capital.
Dave Bittner: [00:02:58] These three families of attack share the common feature of being well-adapted to quick, difficult-to-trace or interdict money transfers and money laundering. The report also emphasized that the attacks were low-risk and high-yield efforts. Money laundering would be essential to North Korea, hemmed in as it is by international sanctions, designed mostly to choke off the nuclear weapons and ballistic missile programs the Kim regime is pursuing.
Dave Bittner: [00:03:24] Given the seriousness of the hacking campaign's goals - nuclear weapons after all not generally being a good thing - the sanctions recommended by the U.N. panel are surprisingly light. They basically come down to measures against half a dozen North Korean merchant ships caught smuggling red-handed. This is probably more an indication of how little there is that remains to be sanctioned than it is a sign of indulgence toward Mr. Kim and his regime.
Dave Bittner: [00:03:51] Anomali said last week at Black Hat that it had observed the BITTER APT operating against Chinese government targets. It's engaged in email phishing designed to extract email credentials from users within China's government. The apparent motivation is espionage, and the effort probably represents the first stages of a larger, more extensive campaign. BITTER APT has been seen in action in the past against targets in Pakistan, Saudi Arabia and China. Anomali stopped short of any attribution firmer than "believed to operate from South Asia." But the BITTER APT has, for some time, been regarded as being, in all likelihood, an Indian operation.
Dave Bittner: [00:04:32] Proofpoint has released a study of PsiXBot, a modular information-stealer described earlier this year by Fox-IT. A new version of the malware is out in the wild, turning up in both phishing campaigns and exploit kits. The malware has added additional modules and a new way of connecting to DNS servers. Proofpoint regards the upgrades as evidence of the threat actors' determination to compete in the competitive criminal-to-criminal market. They don't identify the gang responsible, but they observe without comment that PsiXBot checks a potential victim to see if that target is likely to be Russian. If it is, PsiXBot exits. So we figure you don't exactly have to be Sherlock Holmes to figure that one out.
Dave Bittner: [00:05:16] Here in the U.S., there's bipartisan agreement that cybersecurity deserves to be a national priority. How exactly to accomplish that remains a point of contention. And that played out recently when Representative Eliot Engel, a Democrat from New York, placed a hold on the State Department's plans to establish a Bureau of Cyberspace Security and Emerging Technologies. Michael Overly is a partner at Foley & Lardner LLP and a member of the firm's information technology and outsourcing team.
Michael Overly: [00:05:45] This has been sort of in the making for almost two years. That is, there was the proposal to create such a department, organization, what have you about two years ago, and it kind of languished. And it looks like in light of the events in June that it's going to continue to languish for some time until there's agreement on exactly what it's going to do.
Michael Overly: [00:06:08] You know, it's one of those things where there's a good idea. Let's foster economic development online and cyberspace. Let's improve online privacy. Let's certainly address cyber security. These are all things that I think no one will disagree with. But nonetheless, we're two years-plus out right now, and we still don't have a formed organization, department, et cetera to do this.
Dave Bittner: [00:06:36] And what do you suppose is holding things up here? As you read between the lines, what do you think is going on?
Michael Overly: [00:06:43] Well, I think that, you know, there is a fundamental problem of - as is common in the government, we have competing interests. We have sort of a bipartisan effort, which is underway. That's - Eliot Engel is working on with the Cyber Diplomacy Act. Engel is arguing that the proposed group focuses far too much on cybersecurity issues to the detriment of fostering online commerce, to avoiding disputes online and to better promoting sort of a digital economy.
Dave Bittner: [00:07:16] And is there an unspoken subtext here? Have political interests seeped into what's really going on or not - is that not a factor?
Michael Overly: [00:07:27] Well, it's interesting. You know, if you think about the Trump administration, one of their hallmarks is - one of his hallmarks is let's avoid excessive regulation. Let's avoid big government. So nonetheless, though, we have a new group being created, which, mind you, I think is a good thing. I think both sides of the aisle would agree that getting sort of a uniform approach to these many issues that comprise cybersecurity, the digital economy, et cetera, are all good. The problem is how to make that happen. The proposed new organization would have, as I understand it, 80 employees with only about a $28 million budget. That's not a lot of money to fundamentally impact online activity.
Dave Bittner: [00:08:17] Yeah, it doesn't really seem to reflect what I suspect most people would recognize is the importance of the issue.
Michael Overly: [00:08:25] It's true, and I think everyone agrees - very important issue. The question is - and, you know, as so often happens, there are lots of lines being drawn as to who is going to do what. And the problem is that we're not getting those lines drawn in a rapid fashion. And so some people look at this and say, you know, the world is potentially passing us by with regard to things like digital economy, with regard to, you know, activities on privacy. In fact, many people would say that Europe's well ahead of us on privacy. And so I think we need to do a little bit of catch-up. And I don't think it's a situation where one side or the other is saying, it's got to be my way or the highway. I think the problem is that everyone needs to agree on what the form is and then get that constituted as quickly as possible.
Michael Overly: [00:09:13] So unlike many things that are pending in Congress right now, I don't think there's a fundamental disagreement as to - that's between the two parties. If there is one area that moves quickly and potentially can change overnight fundamentally what it's doing, it is online activity. What we understand today may not be our understanding in three months, yet we've had a situation here where we've got a two-year gap thus far without activity in this area. That is a travesty, and I don't think anyone's assigning blame to anyone at this point. The problem is something needs to be done sooner rather than later or we are going to miss the boat substantially. I think that this is a very important, if not fundamental, area that we need to have an established presence in because if we don't lead, the world will. And that may not be what we want.
Dave Bittner: [00:10:07] That's Michael Overly. He's a partner at the law firm of Foley & Lardner LLP.
Dave Bittner: [00:10:13] Glasswall Solutions issued a report this morning in conjunction with Forcepoint on spearphishing trends. They find that it's growing more evasive. An analysis of 25 million email attachments concluded that IP theft and compromise of client confidential data represent the highest risks. Some of the report's conclusions will surprise no one. The finding that users are more likely to click or open documents that appear familiar from a known source, for example, confirms conventional wisdom about social engineering. Others show trends that, while unsurprising, are nonetheless interesting. The study found that technology was the most targeted sector and that it was followed by legal services and industrial control system providers.
Dave Bittner: [00:10:59] Influence operations targeting next year's U.S. elections are arguably already underway, Nextgov notes. They're inexpensive and low-risk, as Russian operators have demonstrated since the 2016 election season. Iran has shown a willingness to crib from the Russian playbook, using what Facebook calls coordinated inauthenticity to amplify messages online. Iran's operators have shown a preference for pushing particular lines of thought. There are things they'd like people to believe and positions they'd like to persuade them into. That's less the case with the Russian operators, who aim at disruption in an opportunistic way. The trolls of St. Petersburg tend to be chaos artists, like Batman's antagonist, the Joker. Several observers note that Chinese intelligence and security services have been more comfortable with traditional espionage and propaganda, but there's no reason to think that Beijing would necessarily pass up a chance at the new school of influence operations.
Dave Bittner: [00:11:57] DEF CON's Voting Village saw some attempts at voting machine hacks. But these were troubled by some logistical fumbles, and not everyone had time enough to take a good crack at the targets. The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, CISA, did put in a noteworthy appearance at the Voting Village to describe how NCATS - CISA's National Cybersecurity Assessment and Technical Services - is supporting election security. NCATS offers its services free to eligible federal, state and local authorities. CISA is still a relatively young agency, and it's interesting to see the portfolio of services it's evolving. If you're running an election stateside, it would be worth your while to get to know NCATS.
Dave Bittner: [00:12:42] Before we leave Black Hat and DEF CON until next year, we'd like to offer our congratulations to the Plaid Parliament of Pwning. Yes, Carnegie Mellon University's competitive hacking team took top honors for the fifth time in seven years at DEF CON. DEF CON's capture the flag is generally seen as the World Cup of hacking - its Super Bowl, its World Series, almost its pay-per-view pro wrestling cage match. Congratulations to the Triple P, and may Pittsburgh give you a parade.
Dave Bittner: [00:13:11] Finally, we close with some notes from Las Vegas on swag and booth diversions. Socks continue to be a popular giveaway. If you left Black Hat barefoot, you did so by choice and not out of necessity. T-shirts remain another standby. CrowdStrike had a big line at their booth for shirts emblazoned with the company's cartoon representations of threat actors - too long, in fact, for our reporter to get himself a shirt. And if you're listening, CrowdStrike, he wears a men's size large and is partial to Fancy Bear. And if you aren't able to get to Las Vegas, ask those colleagues who made the trip if they spent any time in Demisto's ball pit. Trust us. Admit it or not, they probably did. Farewell to Las Vegas until next year.
Dave Bittner: [00:13:59] Now a moment to tell you about our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security, Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:15:16] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's always great to have you back. We had a story come by from Wired written by Andy Greenberg, and this was about some clever cryptography that's going on with some features that Apple's including in some of their devices. Can you shed some light on what's going on here?
Jonathan Katz: [00:15:39] Yeah. This is basically a mechanism that Apple has integrated into their hardware which will allow people to be able to find their hardware in case it gets lost or in case it gets stolen. And the problem with the previous schemes that they had was that they would only work when they were powered on. And so, of course, if you had somebody who stole your laptop, for example, or your phone and then just didn't turn it on or didn't turn it on when it was near a Wi-Fi connection, then you'd have no way to locate that device. And so what they've done is they've changed things a little bit, and they've come up with what seems to be a new cryptographic protocol that has the device actually transmit certain information even when it's in sleep mode.
Dave Bittner: [00:16:19] So what's going on with the protocol itself? Can you share some details about that?
Jonathan Katz: [00:16:24] It's quite fascinating also. I mean, I haven't seen the technical details of the protocol. I've just seen the public reports about what the protocol does. And one of the concerns, of course, with anything like this is that if you have a device that's constantly transmitting information about where it is, then that opens up huge privacy concerns because it means that somebody could potentially follow you around or follow your device or listen for the device and thereby track your location over time. So they've developed this protocol that will allow them to be able to broadcast information about a device's location in such a way that it remains hidden to everybody, both eavesdroppers as well as even Apple itself, but will allow the owner of the device to still locate it. So it's pretty impressive, actually, that they've been able to do that.
Dave Bittner: [00:17:10] Any sense for what dark magic is taking place under the hood to make that happen?
Jonathan Katz: [00:17:14] (Laughter) Well, so like I said, I haven't seen the technical details. But the basic...
Dave Bittner: [00:17:17] Yeah.
Jonathan Katz: [00:17:17] ...idea is that you set up, say, two devices that have, let's say, matching cryptographic keys. And what those devices will do is they'll remain in sync over time. So think about, say, each device updating its key - let's just say for the sake of argument every hour. And the key will be updated in such a way that anybody who doesn't have one of the keys won't be able to trace this evolution of the key over time. So imagine that you have your phone and your laptop, and your phone and laptop are going to always be updating their keys. And if the phone is stolen, it's going to be broadcasting something that's correlated with its key at every moment in time. Somebody from the outside listening in won't even be able to tell that it's the same key from the same device, but the owner, the original person with the laptop that they paired with that phone, will be able to tell not only that that's their key, but also, they'll be able to use that information to then decrypt and find the location of the phone. So it's pretty impressive, actually, and I'd be curious myself to really see the details of the underlying protocol.
Dave Bittner: [00:18:21] So, really, it seems like a best of both worlds kind of thing here where you get privacy where even Apple doesn't know where the devices are.
Jonathan Katz: [00:18:30] Yeah, that's right. And like I said, it's pretty impressive. There isn't a published protocol yet, but I'm hoping that they'll publish it and open it up for peer review. I think the devil is always in the details with these kinds of protocols. There are all kinds of things that could go wrong, and it would be great if they really allowed experts the opportunity to look at what they're doing and then to evaluate it.
Dave Bittner: [00:18:50] All right. Well, Jonathan Katz, thanks for joining us.
Jonathan Katz: [00:18:52] Thanks again.
Dave Bittner: [00:18:57] And that's the CyberWire.
Dave Bittner: [00:18:59] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:10] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: [00:19:25] And check out the Recorded Future podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:39] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.