Labour Party reports a cyberattack. What the Lazarus Group is up to. Platinum adds a quiet backdoor. Buran competes on price. PCI DSS compliance falling. Ahoy, Yantar.
Dave Bittner: [00:00:03] The U.K.'s Labour Party says it was hacked, but unsuccessfully. The Lazarus Group seems to be back out and about and apparently interested in India. The Platinum threat actor continues to prospect Southeast Asian targets with stealthy malware and a new backdoor. Buran tries to take black market share in the ransomware-as-a-service market. Paycard standard compliance is down. And is that a spy ship we see, or are you just looking at the seabed, all for science?
Dave Bittner: [00:00:37] And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 12, 2019. The United Kingdom will hold elections on December 12. And this morning, the Labour Party said it had sustained what it characterized as a sophisticated and large-scale cyberattack. That attack failed, Labour says, thwarted by the cyber defenses the party had put in place, and that it's referred the matter to the National Cyber Security Centre.
Dave Bittner: [00:02:26] North Korean cyber operations received renewed attention from both the U.S. and India since late last week. U.S. Cyber Command posted seven malware samples to VirusTotal. The malware is associated with HIDDEN COBRA, the Lazarus Group. And Cyber Command says they've been used for fund generation and malicious cyber activities, including remote access, beaconing and malware command. Financial crime, in particular, has been characteristic of Pyongyang's cyber operations. And so the motive here, fund generation, is a familiar one.
Dave Bittner: [00:03:01] The motives in the other suspected North Korean attacks are less clear. Reports continue to link North Korean cyber operators to recent incidents at India's Kudankulam nuclear power plant. What the Lazarus Group was after, assuming the attribution that's being widely circulated in the press holds up, remains unclear. As ZDNet pointed out two weeks ago, the operation could have been espionage, reconnaissance, staging or simply collateral damage from some other campaign. In any case, Indian authorities continue to reassure the public that only administrative systems and not control systems were affected by the Dtrack malware found at Kudankulam.
Dave Bittner: [00:03:43] More curiously, ISRO, the Indian Space Research Organization, was also warned of a Dtrack infestation believed to be of North Korean origin. The warning arrived during the space agency's Chandrayaan-2 lunar mission, which failed when controllers lost contact with the spacecraft during its September 6 landing attempt. Again, the motive for attack is unclear, as is the effect, if any, it might have had on the flight. ISRO has been relatively tight-lipped about the cause of the lander's failure. It is, we should note, the landing that failed. Chandrayaan's lunar orbiter is up and working, sending data back to ISRO's ground station.
Dave Bittner: [00:04:25] BleepingComputer reports that the threat actor Microsoft tracks as Platinum is using a new stealthy backdoor. Following its preferred metallurgical conventions, Microsoft calls the backdoor Titanium. Platinum is usually described as a shadowy group, probably criminal, that operates against targets in South and Southeast Asia. Its usual sectors of interest, according to Microsoft, are governmental organizations, defense institutes, intelligence agencies, diplomatic institutions and telecommunication providers, which is an unusual target set for a purely criminal organization. Titanium is installed in a multistage process that includes several forms of obfuscation, representing itself variously as security software, audio drivers or DVD-burning tools.
Dave Bittner: [00:05:16] McAfee researchers note that Buran, a Russian-speaking gang offering a variant of VegaLocker ransomware, is competing in the ransomware-as-a-service market by cultivating customer relationships and offering competitive discounts. So the black market sees marketing techniques familiar in legitimate markets. Buran, which means blizzard in Russian, is advertised as an attack tool that can't be used against the Confederation (ph) of Independent States - that is, against a group of nine countries that were formerly Soviet republics. The Confederation of Independent States was a Russian attempt to create an analogue of the British Commonwealth, but not all former Soviet republics are members.
Dave Bittner: [00:06:00] In any case, Buran's marketing seems, on this point, to be disingenuous. Buran does indeed check to see if a machine is in Russia, Belarus or Ukraine, and if the malware finds that this is so, it simply exits. But that leaves out seven confederation members. And Ukraine, while a founder of the CIS, has never been a member. And the discounting - most ransomware-as-a-service-controllers take 30 to 40% of their affiliate's earnings. Buran is content with a modest 25%.
Dave Bittner: [00:06:34] SmarterASP sustained a ransomware attack late Sunday, posting status updates to its site and Facebook pages. The hosting service tweeted over the weekend that its first priority is restoring its data servers. As of yesterday, SmarterASP said that it had recovered some 95% of its servers. The company has been reassuring its customers that their data will be decrypted and it's asked them for their patience.
Dave Bittner: [00:07:02] Verizon has issued its 2019 "Payment Security Report." It's not particularly encouraging. Taking compliance with the Payment Card Industry Data Security Standard as a rough index of payment security health, Verizon finds that compliance peaked in 2016 and has been falling off since. And that's just compliance. As good as the PCIDSS is and as important as it is to comply with it, compliance isn't sufficient for security. Verizon points out that many organizations seem to think that they can follow a step-by-step recipe to protect data, but unfortunately, quote, "in the real world, solutions are not simple, requiring complex paths with nonlinear progression," quote. And to judge by falling compliance rates, they are not even following the recipe particularly well.
Dave Bittner: [00:07:55] And finally, a Russian navy vessel, the Yantar, has appeared in the Caribbean a few months after dropping off open-source ship-tracking systems. The Russian navy carries Yantar on its books as an oceanographic research vessel operated by the Main Directorate Of Deep-water Research. Like the way the old U.S. Glomar Explorer was engaged in deep-water mining of manganese nodules, any, say, Soviet missile submarines it might or might not have picked up were just so much gravy. Forbes and others calls that oceanographic research stuff a euphemism and says that Yantar's stock in trade actually consists in deploying and servicing undersea sensors and, of more interest probably to you, placing taps on undersea cables. Whatever she was up to, suspicious eyes see some sort of search pattern, but we hope the crews enjoy the trip. Trinidad and Tobago are lovely this time of year, or so we hear.
Dave Bittner: [00:09:00] And now a word from our sponsor ObserveIT - the greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:09:57] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:10:06] Hi, Dave.
Dave Bittner: [00:10:06] I got a couple of browser issues to talk about today.
Joe Carrigan: [00:10:11] Yeah, last week was a big week for browser bugs.
Dave Bittner: [00:10:13] Yeah. Well, get us started here. Where do we want to begin?
Joe Carrigan: [00:10:15] Well, let's start with Firefox.
Dave Bittner: [00:10:16] All right.
Joe Carrigan: [00:10:17] ...Because that's the one that is still a problem.
Dave Bittner: [00:10:19] OK.
Joe Carrigan: [00:10:20] ...As of this recording. So there is a bug that is being exploited in the wild in Firefox that allows a developer - or, you know, a malicious developer to lock up the browser and make it so it doesn't work.
Dave Bittner: [00:10:33] Hmm.
Joe Carrigan: [00:10:34] So it's being exploited right now in the field by scammers. These are tech support scammers. They will display a webpage that says - I love the wording on this webpage.
Dave Bittner: [00:10:44] (Laughter).
Joe Carrigan: [00:10:44] It says, please stop, and do not close the PC; the registry key of your computer is locked. But, you know, that's not how registry keys work, right? (Laughter).
Dave Bittner: [00:10:53] Right (laughter). That's not how any of this works.
Joe Carrigan: [00:10:55] Right.
Joe Carrigan: [00:10:57] It's a big pile of techno mumbo-jumbo designed to scare and confuse people.
Dave Bittner: [00:11:01] Right. And then they ask you to call into a support phone number.
Joe Carrigan: [00:11:05] Exactly. They ask you to call in. You cannot close the browser through any of the standard interfaces. You actually have to go and force quit the browser through your operating system.
Dave Bittner: [00:11:15] Right.
Joe Carrigan: [00:11:15] And then when you load the browser again, if you have restore tabs on, which - I actually do have restore tabs on on my browser. But if...
Dave Bittner: [00:11:22] Yeah, yeah.
Joe Carrigan: [00:11:23] ...In Firefox by default, that's disabled. You're back in the same boat because the webpage loads again. Now, Ars Technica says that you have to close it quickly - right?
Dave Bittner: [00:11:31] (Laughter).
Joe Carrigan: [00:11:31] ...Before it has a chance to load. But you can also just disconnect from the internet, disconnect from your network, you know, turn your Wi-Fi off or pull the network out, and then go ahead and load the browser, and wait for it. It won't find any pages, and then you can just close the page before it loads.
Dave Bittner: [00:11:46] Yeah.
Joe Carrigan: [00:11:46] ...And then reconnect to the - to your network, and you're good to go. So there is a workaround. Firefox is - the Mozilla project is aware of the problem, and they're working on a patch for it right now to fix it.
Dave Bittner: [00:11:56] This is cross platform?
Joe Carrigan: [00:11:58] It is cross platform. This one works on Windows and Mac versions of this browser.
Dave Bittner: [00:12:04] Yeah.
Joe Carrigan: [00:12:04] Yup.
Dave Bittner: [00:12:05] All right. Well, there's another one - some news about Chrome.
Joe Carrigan: [00:12:08] This is a big one about Chrome. And you should update your Chrome right away. Kaspersky Labs came - found this was being exploited in the wild. This was a zero day that nobody knew about. This is the perfect example of why zero days are so bad.
Dave Bittner: [00:12:19] Mmm hmm.
Joe Carrigan: [00:12:20] When someone visited a site, if the site has this malicious script on it - it would be a third-party script - it would load to see if the machine was worth attacking, according to this article on Tom's Guide. Once it was determined, the malware would download to the machine and check again to see if you were running Chrome version 76 or 77.
Dave Bittner: [00:12:37] Mmm hmm.
Joe Carrigan: [00:12:37] ...And on a Windows box. And then if it was, it would try to exploit the machine. Now, the - I don't know if the bug is specific to the Windows version of Chrome. It doesn't - it's not really clear. But they have patched for all the operating systems. And you can see the little upgrade arrow in the Chrome window where the menu normally is. I've recently upgraded my Chrome because that was a little red arrow that came up that said, hey, this upgrade is kind of important. So Chrome does a good job, Google does a good job of keeping their browser up to date.
Dave Bittner: [00:13:10] Do you generally keep auto-update on with something like Chrome?
Joe Carrigan: [00:13:13] I do. I generally do. Yep.
Dave Bittner: [00:13:15] Yeah.
Joe Carrigan: [00:13:15] And Firefox as well - I use Firefox. The problem is, a lot of times, you have to restart the browser in order to get those updates to go, and I keep my browsers open frequently.
Dave Bittner: [00:13:25] Yeah.
Joe Carrigan: [00:13:25] ...For long periods of time.
Dave Bittner: [00:13:26] Yeah.
Joe Carrigan: [00:13:26] So when it's Chrome, you do actually have to go through and update it. You have to shut it - you have to click the little arrow. It'll shut down and open back up.
Dave Bittner: [00:13:35] All right. So there is a patch for this Chrome issue.
Joe Carrigan: [00:13:38] There is a patch of the Chrome issue.
Dave Bittner: [00:13:39] Still waiting on Firefox.
Joe Carrigan: [00:13:40] And it will be quick, I'm sure.
Dave Bittner: [00:13:41] Yeah, yeah.
Joe Carrigan: [00:13:42] Yup.
Dave Bittner: [00:13:42] All right - good information. Go out there, and make sure you're running the latest versions. And if you're using Firefox, be cautious until that patch comes out.
Joe Carrigan: [00:13:50] Right.
Dave Bittner: [00:13:51] All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:13:52] My pleasure, Dave.
Dave Bittner: [00:13:58] And that's the CyberWire.
Dave Bittner: [00:13:59] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leaving insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:14:11] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:14:39] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.