Welcome to Codebook, the cybersecurity newsletter that never said it didn't collude with Russia.
A bank vault. Photo: Matjaz Slanic/Getty Images
A cluster of attempted digital robberies at West African financial institutions appears to have been imitating the North Korea-linked Lazarus Group's run of heists, according to Symantec.
Why it matters: Lazarus, internationally notorious for the Sony hack and the WannaCry malware, is currently very active stealing funds to support the Kim Jong-un regime. The Symantec finding is fascinating as an example of how attacks trickle down from nations to more common criminals.
The big picture: "It seems like after the high public profile of the North Korea thefts, these hackers took those tactics," said Jon DiMaggio, a senior threat intelligence analyst at Symantec.
Background: This isn't the first time DiMaggio has seen hackers influenced by a high-profile Lazarus attack, he said. After the group's most famous heist, the theft of $81 million from the central bank of Bangladesh, a separate criminal group added SWIFT fraud to its toolkit.
Symantec's report outlined four different techniques of attacks currently being used in Africa that may represent more than one criminal group.
Historically, West African financial groups have not been common targets for hackers, according to the Symantec report. DiMaggio believes that a softer regulatory structure may have made African banks a tempting target.
The bottom line: DiMaggio stressed that IT staff globally have to become more accustomed to looking for living-off-the-land attacks that don't appear to create suspicious network traffic. "You have to look at legitimate traffic," he said. "You can't just wait for a warning screen to flash red."
Troy Hunt, the researcher who runs the breach archive Have I Been Pwned?, announced he has come across a list on a popular hacker forum containing more than 1.1 billion pairs of email addresses and passwords.
Why it matters: The list, titled "Collection #1," is an amalgam of multiple breaches and would likely be used by automated systems to find which of those email address owners reused their passwords on different sites.
By the numbers: 773 million different email addresses appear in the list.
Our thought bubble: We're not looking forward to Collection #2.
The main newsroom of Sputnik news, Moscow, April 2018. Photo: Mladen Antonov/AFP/Getty Images
Via Axios’ Sara Fischer: Facebook said Thursday that it has removed hundreds of pages and accounts that pretended to be real news sites from places in Eastern Europe, but were actually operated by employees from Russian state-owned news company Sputnik.
Why it matters: The effort potentially shows a new tactic being used by Russia to weaponize misinformation — using its state-run media arm to create fake posts that look like they come from real newsrooms in vulnerable countries.
Details: In total, Facebook says it removed 364 pages and accounts from a network that originated in Russia and operated in parts of the former Soviet Union, such as the Baltics, Central Asia, the Caucasus, and other countries in central and eastern Europe.
Between the lines: Facebook says the groups also spent $135,000 on ads, the first big ad spend announcement the tech giant has made since it first revealed bad actors bought ads on the platform in the fall of 2017.
Facebook also says, with a tip from law enforcement, that it removed accounts and pages from a separate campaign originating from Russia and Ukraine that used "coordinated misinformation tactics" on Facebook and Instagram. It says the two operations don't appear to be linked, despite using similar tactics.
Researchers at Forcepoint posted a deep dive into malware that used a service from the Telegram secure messaging app in its infrastructure. What they found revealed as much about the service as the malware.
Why it matters: Telegram offers developers a "Bot API," an interface for building Telegram-based communications into their own programs. But the level of encryption in the Bot API is not as high as the one Telegram Messenger uses, which allowed Forcepoint to tap into the full history of communications of malware that used the Bot API to obscure its function.
The GoodSender malware profiled by Forcepoint has been active since Feb. 4, meaning the report is technically an early birthday gift to the malware infecting around 120 victims.
Forcepoint notes that the same techniques it used on GoodSender could easily be used on actual good senders — well-intending developers that thought the Telegram framework would secure their programs.
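Because the Bot API traffic the malware relied on can be observed, as the Forcepoint analysis shows, the fixed URL shape https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt; is also a usable detection signal on an egress proxy. The block below is an added example, not Forcepoint's tooling or code from the page: it scans constructed proxy log lines for Bot API calls, redacts the token before recording anything, and flags hosts that use the API without being on an allowlist; the log format, IP addresses and tokens are all constructed for the example.

```python
import re
from collections import Counter

# Constructed proxy log lines for this example (not real traffic), one request per line:
# "<timestamp> <client_ip> <http_method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2019-01-17T09:12:03Z 10.0.4.21 GET https://api.telegram.org/bot123456789:AAFakeTokenForExample_0000000000000/getUpdates?offset=412 200
2019-01-17T09:12:05Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAFakeTokenForExample_0000000000000/sendMessage 200
2019-01-17T09:12:09Z 10.0.4.21 POST https://api.telegram.org/bot123456789:AAFakeTokenForExample_0000000000000/sendDocument 200
2019-01-17T09:13:00Z 10.0.7.8 GET https://www.example.com/index.html 200
2019-01-17T09:14:11Z 10.0.9.3 GET https://api.telegram.org/bot987654321:BBAnotherFakeToken_1111111111111111/getMe 200
"""

# Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The secret after the colon is the whole credential, so it must never be logged in full.
BOT_API_RE = re.compile(
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)

def parse_bot_api_calls(log_text):
    """Return one record per proxy line that targets the Telegram Bot API, with the token redacted."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than guess
        ts, client_ip, _http_method, url, _status = parts[:5]
        m = BOT_API_RE.search(url)
        if m is None:
            continue
        records.append({"ts": ts, "client_ip": client_ip, "bot_id": m.group("bot_id"),
                        "secret_redacted": m.group("secret")[:4] + "...",  # short prefix only
                        "method": m.group("method")})
    return records

def methods_by_host(records):
    """Map client_ip -> Counter of Bot API methods seen from that host."""
    per_host = {}
    for r in records:
        per_host.setdefault(r["client_ip"], Counter())[r["method"]] += 1
    return per_host

def flag_hosts(per_host, allowlist=frozenset()):
    """Hosts off the allowlist using the Bot API; 'high' if they both poll getUpdates and upload files."""
    flagged = {}
    for ip, methods in per_host.items():
        if ip not in allowlist:
            both = "getUpdates" in methods and "sendDocument" in methods
            flagged[ip] = "high" if both else "review"
    return flagged
```

The allowlist is where a legitimately deployed bot's host goes; everything else talking to api.telegram.org is worth a look, and the redacted records are safe to forward to a SIEM.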
Palo Alto Networks believes the Rocke group, criminals the firm first reported on last summer, may have designed the first malware that uninstalls cloud security products.
Why it matters: Rocke group's intentions might be bland; the malware was designed to mine the Monero cryptocurrency. But the malware, which targets five cloud security products designed by Tencent Cloud and Alibaba Cloud, would be a new evolution in the field.
The Rocke group's wares don't exploit vulnerabilities in the security software. Rather, the malware logs in as an administrator and uninstalls the products.
The Wall Street Journal reports that Huawei may face criminal charges in the United States for theft of intellectual property.
Why it matters: This is the latest in a flood of bad news for Huawei, including international bans on telecommunications products believed to be sabotaged by the Chinese government for espionage, unrelated arrests of employees for espionage and violation of sanctions against Iran, and the broader U.S. trade war.
Investigators began to pursue the case, per the Journal, following civil lawsuits against Huawei, including one for the theft of testing equipment designed by T-Mobile.
Our thought bubble, from Axios' Ina Fried: At issue here is a dispute over "Tappy," a tool that tests smartphone endurance — and it's a really old case to be basing new charges on.
Codebook will be back on Tuesday, following a weekend at ShmooCon.