38. Malware is from MARs Implants are from Venus
Coming up this week on Breaking Badness. Today we discuss: Get Your HOTCROISSANT at the BUFFETLINE: US Government releases Information on North Korean Malware, Phishing Attack Tanks Puerto Rico’s Economy, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
- The Cybersecurity and Infrastructure Security Agency (CISA) represents a partnership between the DHS and FBI for threat intel sharing and collaboration.
- The US Government made it fairly clear that their intention was to help reduce exposure to HIDDEN COBRA. They related the malware in the MARs to HIDDEN COBRA through similar code, as well as similarities in techniques and IOCs, such as email addresses embedded in the Trojan files.
- One of the biggest takeaways from this is an actual deep technical insight into North Korean malware development capabilities. Their malware development techniques and methods are a lot more advanced than what we previously knew. One specific feature found in several pieces of HIDDEN COBRA's malware is proxying traffic through generated fake TLS handshake sessions that use valid public SSL certificates, disguising network C2 operations. It's pretty slick.
- As for mitigation, behavior-based AV is your best shot at detecting these types of malware. In addition, don't let your users run with privileged accounts.
- According to the Cyber National Mission Force, all of their payloads are catered towards North Korean operations such as stealing secrets, which is common for nation states. However, North Korea is also associated with using any means necessary to acquire assets. In this case, there are HIDDEN COBRA samples that also show communication protocols for inspecting and hijacking ATM accounts.
- These types of campaigns are typical; they target C-level executives. In this case, it was a regular phishing email saying that there was a change in the bank account details for remittance payments.
- Puerto Rico receives about $21 Billion in financial aid from the US every year, according to the US census. Considering that they struggled to get their aid post-hurricane though, that their economy is about $71 Billion in debt and that their government budget is around $26 Billion this year, I think they can use every penny they can get. That said, I feel like this isn't a massive amount of money considering that US companies lost over a billion dollars to these same scams last year. I think this story got a little pumped when it didn't need to be. Maybe I'm paranoid, but with the new governor and all the work going on there, it seems like one of those stories that gets pumped to undermine trust in a new government, especially one that's targeting corruption.
- There have been similar attacks in the US. In fact, just last year a Texas school district in Austin lost $2.3 Million this way, and the city of Ocala, FL lost almost a million this way. It's just commonplace now.
- Chad’s three strategies to mitigate phishing:
  - I'd say for these specific BEC-type scams that if you are transferring large sums of money in your office, you need to have systems in place for validation and verification. Either two people have to approve or just entirely cut the email chain out of it. No large transfers decided over email seems like a good strategy.
  - I'd also say that you should run regular phishing training and testing in your office. There are some tools out there to run this yourself, such as GoPhish, which is open source and free. Craft emails, make it fun, trick people in the office so that they're on their guard. Education isn't going to fix the problem, but it will at least put people more on guard with what comes in.
  - Lastly, there are tools for analyzing all of your incoming email for phishing scams. Google services of course are pretty good if you use that, but if not, you'll want to look for some commercial product that's hopefully ingesting the discovery of new phishing domains from our PhishEye tool, since it picks up all the new phishing-likely domains the moment they come online. Got to watch out for those domains with the phrase sharepoint in them.
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one of us will come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
Get Your HOTCROISSANT at the BUFFETLINE: US Government releases Information on North Korean Malware
[Chad]: 7/10 Hoodies
[Tarik]: 8/10 Hoodies
Phishing Attack Tanks Puerto Rico’s Economy
[Chad]: 4/10 Hoodies
[Tarik]: 6/10 Hoodies
That's about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!