The CyberWire Daily Podcast 12.4.19
Ep 982 | 12.4.19

Lazarus Group interested in thorium reactors? Disinformation by phishing. ZeroCleare wiper in the wild. NATO addresses cyber conflict. NotPetya litigation. Black market takedown.

Transcript

Dave Bittner: [00:00:03] North Korea's Lazarus Group may have been looking for Indian reactor design information. A possible case of Russian influence operations served up by phishing is under investigation in the U.K. The ZeroCleare wiper malware is out and active in the wild. NATO summit addresses cyber conflict. And a big NotPetya victim challenges insurers' contentions that the malware was an act of war. And an international police action takes down a spyware black market. 

Dave Bittner: [00:00:36]  And now a word from our sponsor KnowBe4. Endpoint security, firewalls, VPNs, authentication systems - we've all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? Are they giving you a false sense of security? The unfortunate reality is that each of these security layers can provide hackers with a backdoor right into your organization, and KnowBe4 will show you how. They've got an exclusive webinar with Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer. He'll show you the three most common causes of data breaches, he'll share demos of significant vulnerabilities in common technologies, and he'll share his top tips for security defenders. Go to knowbe4.com/vulnerabilities, and register for the webinar. That's knowbe4.com/vulnerabilities. And we thank KnowBe4 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.

Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 4, 2019. The incursions into networks belonging to India's space program and its nuclear power sector are generally thought to be the work of North Korean operators belonging to the Lazarus Group. In neither case are they believed to have affected control systems, but instead to have concentrated on administrative networks. There haven't been any particularly strong accounts of what Pyongyang was after. But now, according to the International Business Times, there's some reason to believe they were interested in obtaining design information for thorium reactors.

Dave Bittner: [00:02:38]  Another accusation of Russian government phishing has surfaced during the run-up to the British elections. In this case, the report originates with the Labour politician and candidate Ben Bradshaw, whom the Guardian describes as a frequent critic of Moscow's influence operations. Bradshaw says he received email from someone calling himself Andrei, who claimed to be a whistleblower inside Russian President Putin's administration. The email's attachments purported to describe Russian disinformation operations, including fake news operations, and much of the information in them appears to be accurate. They describe disinformation cells, but upon further review, they appeared possibly malicious. Labour and the Conservatives have been sniping over the handling of Russian influence operations. 

Dave Bittner: [00:03:23]  Andrei, representing himself more or less as a Westernized good-government type with strong internationalist sympathies - he deplored Brexit and was himself a "Never Trumper" - said he was disturbed by Moscow's policies and the consequences they've had on Western civil society, so he's a whistleblower who wants nothing but the best. That message seems crafted to resonate with the Labour candidate, but Mr. Bradshaw wasn't buying. Bradshaw had them inspected by a security company who confirmed that at least two of the documents contained malicious code. The NCSC - that is, GCHQ's National Cyber Security Centre - is investigating and presumably will comment in good time. 

Dave Bittner: [00:04:07]  IBM researchers describe a new destructive wiper, ZeroCleare, which is active in the wild against energy sector targets in the Middle East. IBM regards it as likely that ZeroCleare, which in some respects resembles Shamoon, is being deployed by Iranian state actors. As their report puts it, quote, "taking a page out of the Shamoon playbook, ZeroCleare aims to overwrite the master boot record and disk partitions on Windows-based machines. As Shamoon did before it, the tool of choice in the attacks is EldoS RawDisk, a legitimate toolkit for interacting with files, disks and partitions. Nation-state groups and cybercriminals frequently use legitimate tools in ways that a vendor did not intend to accomplish malicious or destructive activity," quote. 

Dave Bittner: [00:04:51]  IBM also sees wiper attacks - attacks that aim at the destruction of data - as a rising trend. Criminals have been seen using them for extortion or for punishment upon victims' failure to pay. But nation-states have been using them to achieve military objectives, often in the deniable way favored in hybrid war tactics. One note in their report serves as a healthy reminder that attackers, too, have their problems. ZeroCleare originally came in two versions, one for 32-bit Windows architecture, the other for 64-bit systems. The 32-bit flavor, it turns out, didn't work. It caused itself to crash when it tried to access the EldoS RawDisk driver before it began the wiping process. 

Dave Bittner: [00:05:35]  YL Ventures is a venture capital organization focused on Israeli startups. Roger Hale recently joined them as their CISO-in-residence, helping provide his insights as an experienced CISO to the VCs but also giving the startups looking for funding valuable information as well. 

Roger Hale: [00:05:52]  I really feel this is that next step. I've been - I'm a multi-CISO. I've been a CISO more than once for companies and high-tech companies in Silicon Valley. But this opportunity is to look at what YL Ventures does as a venture capitalist company because they do incubation and seed round. So this isn't like a series D or an E, where you're providing the moneys to allow a company to grow and expand. This is really incubating and building that company up. And in that process, when you're looking at building that new tech - and in YL's case, cyber tech - getting that direct feedback and understanding what's critical to the operation of cybersecurity to protect a company, I feel is a large step up. But as a CISO, coming in and listening to new startups and - as they're telling us about their great tech, you know, my challenge has always been to help them understand or tell them what's important to me as a CISO, as an operator, and be able to bring those features into their technology development - not just the next cool thing, but being able to provide technology that does what we need it to do. 

Dave Bittner: [00:06:59]  Is there a particular pattern that you see with startup companies? Are there things that - you know, words of wisdom and tips that you find yourself sharing with those companies at that stage over and over again? 

Roger Hale: [00:07:12] So the interesting thing is, the first thing on that is the technology wins, seems to be the expectation, where the real winner here is, can the technology actually solve the business problem I'm trying to solve for? 'Cause the evolution of the CISO has gone from being an incredible technologist and being able to protect your perimeter, protect the data, to now looking at, how do we actually provide secure access to the data to assure the data's used the right way while still allowing the business to be able to use the data the way they need to use it to keep their competitive advantage?

Roger Hale: [00:07:48]  So the same thing from the startup side is, you have a great idea; you know how to protect this data; you know to assure the integrity of that data, but I have to be able to implement this and still allow people access to it. And so that conversation is, you may have the best tech in the world, but if I can't implement it, if it doesn't integrate into what I'm doing, I can't buy it. And so that's one of those first things. The second thing is, when you're having these discussions with people, you really need to understand what's most important. And in many cases, it's not just the tech, but it's how the tech can be implemented and how the tech can be sustained and maintained. 

Dave Bittner: [00:08:31]  I wonder, too - I mean, is there an element of the cobbler's kids having no shoes with the - with startups, I think, very often, they're running at such a high velocity. I can imagine that their own security could - can be something that it's easy to overlook or back burner while they're busy building that company. 

Roger Hale: [00:08:50]  Oh, great point, great point - because they are. They're focused on the tech. And this is what they're so good at, is focusing on that tech. And this is the difference between building technology and being able to implement technology into an enterprise company because there are those levels of assurance - you know, third-party, fourth-party assurance of, what are you doing with the data that you're collecting or that's flowing through your systems? Are you managing this in the appropriate manner? And are you allowing your customers to continue to maintain ownership of their data in that process? 

Roger Hale: [00:09:23]  And so this is the age-old problem of, technologists want to build technology, and then all of a sudden, we look at security at the end, and they try to bolt it onto the end. It costs three times, and three times as long to do that. It's the same thing in the startup world. If we start and look at doing things from a frame - from a security framework - from looking at what type of assurance based upon what your industry model that you're going after, who's your target audience, you know, who's your target customers? - and meeting their assurance needs, their data privacy and data protection needs, then you're building this into a secure SDLC process that provides that trust and allows companies to acquire your software, subscribe to your software, your service faster and earlier in the process. 

Dave Bittner: [00:10:10] That's Roger Hale. He's the CISO-in-residence at YL Ventures.

Dave Bittner: [00:10:16] The NATO meetings this week are addressing many issues, but two are of particular interest to the cybersecurity sector. First, Deutsche Welle reports that the Atlantic alliance is, for the first time, formally recognizing that Chinese military capabilities represent a significant challenge to NATO's members. The alliance's secretary-general, Jens Stoltenberg, put it this way yesterday - quote, "we have now, of course, recognized that the rise of China has security implications for its allies," end quote. Prominent among those implications are the security dimensions of Chinese interests in 5G technology and how that country's position in the IT hardware markets positions it to wield significant power as an equipment vendor.

Dave Bittner: [00:10:57]  Second, NATO continues to wrestle with an appropriate response to cyber operations. Not only are such operations readily deniable and usually difficult to attribute, but they represent a problem as NATO tries to deal with adversaries working below the threshold of armed conflict. And even when that threshold is reached, it remains unclear how or when the alliance should invoke Article 5, its central collective defense provision. Cyber war has implications for the private sector, as well. Many insurance policies have war clauses that exclude payment for damages sustained as a result of combat. These have particular importance for cyber insurance because of the difficulties surrounding attribution and because of the increased use of cyberweapons in hybrid war. One such case is now being litigated in a U.S. court. 

Dave Bittner: [00:11:46]  Big pharma giant Merck is wrangling with its insurers over the $1.3 billion in losses the company incurred as the result of the NotPetya infestation it suffered on July 27, 2017. The insurers have balked at paying because it appears that the NotPetya attack, generally and credibly attributed to the Russian government, may have amounted to an act of war. The malware was initially deployed as part of Russia's hybrid war against Ukraine but spread rapidly to targets elsewhere in the world. The matter is now being litigated, Claims Journal reports, in a Union County, N.J., court. 

Dave Bittner: [00:12:23]  And finally, congratulations again to the law enforcement agencies involved in the takedown of the Imminent Methods spyware black market. The Australian Federal Police led the international effort to shut down the sale of the market's principal product, the Imminent Monitor remote access Trojan, also known as IM RAT. This spyware could be had for as little as $25, and more than 14,000 buyers are said to have sampled Imminent Methods' wares. In all, police executed 85 warrants, seized more than 400 items in the gang's possession and arrested 14 people. And in taking down the site, they also disabled the spyware, so those who bought it won't be able to use it. And that's a good day's work in anyone's book. 

Dave Bittner: [00:13:11]  And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:14:09]  And joining me once again is Michael Sechrist. He's chief technologist at Booz Allen Hamilton, and he also leads their Managed Threat Services intelligence team. Michael, it's always great to have you back. I wanted to touch today on some of these utilities like Slack that corporations use for internal communications and some of the potential malware attacks that can happen within those types of services. What do you have to share with us today? 

Michael Sechrist: [00:14:34]  Yeah. Great. Thanks for having me back. We were attuned, here at Booz Allen, to a couple of instances where a new backdoor malware was used as a kind of command and communication C2 channel. And the malware, which was identified by Trend Micro, back in the - I believe it was the summer or early part of 2019 was named SLUB, which basically was a variant of the Slack backdoor. And this is a malicious backdoor that's used to, again, go outbound. It's very targeted internally. It's how it kind of identifies users, pulls them into a private channel, pins messages to get the infected computers to execute commands and then potentially pass outbound communications through to a server or a node that's listening outside your network. 

Dave Bittner: [00:15:28]  Yeah, it's interesting. I think for many of us who use these sorts of tools, they almost fade into the background. They become so much a part of your workday that it's easy to not think of them as even having a connection to the outside world. 

Michael Sechrist: [00:15:43]  Yeah. So I think, also, attackers understand that. So they understand how prevalent these type of new communication technologies are. They understand that when there is sort of a newness in the industry, that it presents a potential opportunity for attackers to leverage. And, you know, as soon as something like these type of communication platforms exist, attackers are going to be, you know, standing at the gates, trying to figure out ways that they could leverage them into providing sort of outbound or some sort of infection that they can leverage internally and kind of pivot around your digital environment with. And that's very interesting. So it's kind of always a race whenever these get in - you know, these type of technologies get deployed to make sure that those logs and the data that you're using them for internally also get captured and filtered back to a security team in an easy-to-evaluate way to look for suspicious and malicious events. 

Dave Bittner: [00:16:42]  Yeah, it also strikes me that, you know, tools like this, they tend to function at a high velocity. You know, people are responding to things in real time versus something like email, where you might be - take a little more time to reflect on something, not reply so quickly and, in fact, be trained to not reply so quickly to things. With tools like Slack, I mean, you're pretty much chatting real time. 

Michael Sechrist: [00:17:05] Yeah, that's correct. I mean, it just generates so much data than we had prior. And there have always been sort of instant messaging, you know, communications going back decades, but sort of the prevalence of them, the ease of use, the ability to edit and delete messages that have been there for a long time, prevents - it's obviously fantastic as a user, but it does provide avenues of attack that we hadn't seen prior.

Dave Bittner: [00:17:33]  So what are your recommendations in terms of best practices for teams that are using these kinds of tools? 

Michael Sechrist: [00:17:38]  So one is to - when you do have new platforms put in place, to quickly make sure that your security teams are aware of those and working with the security teams at these companies to find ways to gather the requisite information you need in the event that there is an incident from one of these platforms. That's kind of a level set. That's very difficult to do. I mean, there's so many new technologies that come in place. But when these ones come in place that are being used by all sorts of - you know, critical members of your staff and your enterprise are using them, you need to make sure that you also have ways to gather what you need in the terms that they're used in an event. 

Michael Sechrist: [00:18:20] Now, it's also important to make sure that you're profiling the risk of them, and that means having sort of a threat intelligence program that can capture if there's new malware being used. In the case of Slack, there is this one called SLUB, like I mentioned. But there's others that affect all sorts of different platforms. And to make sure that, OK, now I know that these communication platforms are being targeted. How am I going to make sure that I'm looking for the indicators of compromise that are associated with the kind of attacks we're seeing? How am I looking and using analytics to look for ways that they're using these attacks? What are the new tactics, techniques, procedures that are being used and how they're going to be leveraged against us?

Michael Sechrist: [00:18:59]  And then you could also use threat hunting to look for things that haven't been used but potentially could be against this profile. There's whole sorts of red teaming options that you could do and how they could kind of provide avenues of those attack internally. And then just also working with the parties themselves to make sure that you're capturing, you know, what their best intelligence looks like that they're seeing and so that you can look for that in your log data. 

Dave Bittner: [00:19:25]  All right. Well, Michael Sechrist, thanks for joining us. 

Michael Sechrist: [00:19:28]  Thanks so much. 

Dave Bittner: [00:19:33]  And that's the CyberWire. 

Dave Bittner: [00:19:34]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:46]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.