Jan 17, 2019

Axios Codebook

Welcome to Codebook, the cybersecurity newsletter that never said it didn't collude with Russia.

1 big thing: Hackers target African banks using North Korean tactics

A bank vault. Photo: Matjaz Slanic/Getty Images

A cluster of attempted digital robberies at West African financial institutions appears to have been imitating the North Korea-linked Lazarus Group's run of heists, according to Symantec.

Why it matters: Lazarus, internationally notorious for the Sony hack and the WannaCry malware, is currently very active stealing funds to support the Kim Jong-un regime. The Symantec finding is fascinating as an example of how attacks trickle down from nations to more common criminals.

The big picture: "It seems like after the high public profile of the North Korea thefts, these hackers took those tactics," said Jon DiMaggio, a senior threat intelligence analyst at Symantec.

  • The Lazarus group has utilized the SWIFT system, which banks use to request money from one another, in several high-profile thefts, but the attacks Symantec documented did not.
  • What they did use was a similar set of tools to those Lazarus used to set up its attacks, as outlined in a 2017 alert.
  • Symantec did not want to publicly specify the exact tools that were used.

Background: This isn't the first time DiMaggio said he had seen hackers influenced by a high-profile Lazarus attack. After the group's most famous heist, the theft of $81 million from the central bank of Bangladesh, a separate criminal group added SWIFT fraud to their toolkit.

Symantec's report outlined four different clusters of attacks currently being used in Africa that may represent more than one criminal group.

  • The first, the one flagged as similar to the SWIFT heists, targeted firms in Ivory Coast and Equatorial Guinea.
  • All four clusters used a mix of easily purchasable malware and "living off the land" techniques — avoiding detection by relying, as much as possible, on software already present on victims' computers during the break-in.
  • The other groups of attacks spanned Ivory Coast, Ghana, the Democratic Republic of the Congo and Cameroon.

Historically, West African financial groups have not been common targets for hackers, according to the Symantec report. DiMaggio believes that a softer regulatory structure may have made African banks a tempting target.

The bottom line: DiMaggio stressed that IT staff globally have to become more accustomed to looking for living-off-the-land attacks that don't appear to create suspicious network traffic. "You have to look at legitimate traffic," he said. "You can't just wait for a warning screen to flash red."

2. Massive list of 1.1 billion passwords circulating on hacker forum

Troy Hunt, the researcher who runs the breach archive Have I Been Pwned?, announced he has come across a list on a popular hacker forum containing more than 1.1 billion pairs of email addresses and passwords.

Why it matters: The list, titled "Collection #1," is an amalgam of multiple breaches and would likely be used by automated systems to find which of those email address owners reused their passwords on different sites.

By the numbers: 773 million different email addresses appear in the list.

  • Hunt estimates there are 140 million email addresses on the Collection #1 list that have never shown up in the Have I Been Pwned? database.
  • Hunt doesn't store email addresses with their corresponding passwords. By keeping them as separate lists, he minimizes the risk that comes with storing the data. But Collection #1 contained 21 million passwords Have I Been Pwned? had never seen before.

Our thought bubble: We're not looking forward to Collection #2.

3. Facebook deletes fake accounts linked to Russian news site Sputnik

The main newsroom of Sputnik news, Moscow, April 2018. Photo: Mladen Antonov/AFP/Getty Images

Via Axios’ Sara Fischer: Facebook said Thursday that it has removed hundreds of pages and accounts that pretended to be real news sites from places in Eastern Europe, but were actually operated by employees from Russian state-owned news company Sputnik.

Why it matters: The effort potentially shows a new tactic being used by Russia to weaponize misinformation — using its state-run media arm to create fake posts that look like they come from real newsrooms in vulnerable countries.

Details: In total, Facebook says it removed 364 pages and accounts from a network that originated in Russia and operated in parts of the former Soviet Union, such as the Baltics, Central Asia, the Caucasus, and other countries in central and eastern Europe.

  • Facebook says the owners and operators of the accounts represented themselves as independent pages on topics like news, weather, sports and economics — or politicians from various countries.
  • Some of the pages frequently posted about anti-NATO and anti-corruption topics.

Between the lines: Facebook says the groups also spent $135,000 on ads, the first big ad spend announcement the tech giant has made since it first revealed bad actors bought ads on the platform in the fall of 2017.

  • Facebook says the organizations paid for the ads, which started running in October 2013, in euros, rubles and U.S. dollars.
  • They also set up 190 real-world events scheduled between August 2015 and January 2019. Up to 1,200 people expressed interest in at least one of these events, though Facebook can't confirm if any events actually occurred.

Facebook also says, with a tip from law enforcement, that it removed accounts and pages from a separate campaign originating from Russia and Ukraine that used "coordinated misinformation tactics" on Facebook and Instagram. It says the two operations don't appear to be linked, despite using similar tactics.

  • This campaign was smaller than the first. Facebook removed 26 pages, 77 accounts and 4 groups on Facebook, as well as 41 accounts on Instagram. These actors also bought around $25,000 in ads on Facebook and Instagram that were paid for in rubles. The ads ran throughout 2018.

4. Telegram malware left unsecured by Telegram's shortcomings

Researchers at Forcepoint posted a deep dive into malware that used a service from the Telegram secure messaging app in its infrastructure. What they found revealed as much about the service as the malware.

Why it matters: Telegram offers other developers a "Bot API," a Telegram interface for secure communications within their own programs. But the level of encryption in the Bot API is not as high as the one Telegram Messenger uses, allowing Forcepoint to tap into the full communication history of malware that used the Bot API to obscure what it was doing.

The GoodSender malware profiled by Forcepoint has been active since Feb. 4, meaning the report is technically an early birthday gift to the malware infecting around 120 victims.

  • The malware is propagated using EternalBlue, the now-patched, allegedly NSA-discovered vulnerability made famous by the WannaCry attacks.

Forcepoint notes that the same techniques it used on GoodSender could easily be used on actual good senders — well-intentioned developers who thought the Telegram framework would secure their programs.

5. Coin miner may be the first to uninstall cloud security products

Palo Alto Networks believes the Rocke group, criminals the firm first reported on last summer, may have designed the first malware that uninstalls cloud security products.

Why it matters: Rocke group's intentions might be bland; the malware was designed to mine the Monero cryptocurrency. But the malware, which targets five cloud security products designed by Tencent Cloud and Alibaba Cloud, would be a new evolution in the field.

The Rocke group's wares don't exploit vulnerabilities in the security software. Rather, the malware logs in as an administrator and uninstalls the products.

6. Report: Huawei may face criminal charges for IP theft

The Wall Street Journal reports that Huawei may face criminal charges in the United States for theft of intellectual property.

Why it matters: This is the latest in a flood of bad news for Huawei, including international bans on telecommunications products believed to be sabotaged by the Chinese government for espionage, unrelated arrests of employees for espionage and violation of sanctions against Iran, and the broader U.S. trade war.

Investigators began to pursue the case, per the Journal, following civil lawsuits against Huawei, including one for the theft of testing equipment designed by T-Mobile.

Our thought bubble, from Axios' Ina Fried: At issue here is a dispute over "Tappy," a tool that tests smartphone endurance — and it's a really old case to be basing new charges on.

7. Odds and ends

  • The SEC charged hackers with using non-public information in illicit trading. (SEC)
  • More than 3 TB of data exposed by the Oklahoma Securities Commission contains everything from life insurance policies to brokers' Social Security numbers. The data exposure was short, and it does not immediately appear to have been noticed by any malicious actors. (UpGuard)
  • A breach investigator believes a Trisis attack against a Saudi plant could have been prevented. (CyberScoop)
  • Hackers breached systems at the South Korean Defense Acquisition Program Administration. (Dong-a Ilbo)
  • The FCC asks for a delay in a net neutrality suit, citing the shutdown. (Ars Technica)
  • Deepfakes need a deep fix. (Foreign Affairs)
  • Hackers are exploiting a patched ThinkPHP vulnerability in the wild. (Akamai)
  • Lazarus attempted robberies in Chile. (Flashpoint)

Codebook will be back on Tuesday, following a weekend at ShmooCon.