Today, three North Korean state-sponsored malicious cyber groups were sanctioned by the U.S. government for their role in North Korea’s malicious cyber activity on critical infrastructure. Lazarus Group, Bluenoroff, and Andariel were identified as “agencies, instrumentalities, or controlled entities of the Government of North Korea” by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) in documents announcing the sanctions.

The announcement of sanctions includes specific campaigns, attacks, and actions that the U.S. government has attributed to the three groups. According to Dmitri Alperovitch, CrowdStrike CTO and co-founder, “This is yet another indication of how forward-leaning US government’s position has become in a relatively short period of time on doing attribution of malevolent cyber actors. A few years ago, this type of action would have been unprecedented.”

According the Department of the Treasury, the groups have targeted financial systems, financial institutions, and government agencies in their campaigns. The activities have largely been responsible for hard currency returns to North Korea’s government. John Hultquist, director, intelligence analysis for FireEye says, “The sheer scale [of the campaigns] suggests that they are a financial lifeline for a regime that has long depended on illicit activities to fund itself. It’s important to remember that this activity appears to be very lucrative, and the choice for the cash-strapped regime to give it up will be a hard one.”

For more, read here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Escaping Email: Unlocking Message Security for SMS, WhatsApp.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/us-sanctions-3-cyber-attack-groups-tied-to-dprk/d/d-id/1335805?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New malware bearing similarities to Ryuk ransomware has been discovered in a campaign attempting to steal files containing confidential military, financial, and law enforcement data.

This campaign, which was detected by the MalwareHunterTeam, does not encrypt the target’s data and demand a ransom as Ryuk normally does. Instead, it searches victims’ computers for sensitive files, steals them, and uploads the information to a site under the operators’ control.

It has not yet been determined how the Ryuk lookalike lands on target machines. When it does, it scans for specific Word and Excel files, checking for strings kept on a blacklist, BleepingComputer explains in a report. When a file or folder matches a string, the malware stops checking it. If a document passes the blacklist, it verifies whether the file is valid.

If so, the malware compares its name to a list of 77 strings seemingly picked to lead the operator to sensitive information: “military,” “classified,” “finance,” “SWIFT,” “report,” “secret,” “clandestine,” “checking,” “saving,” and “routing” are all examples of terms on the list. When a file matches a term in this string, it’s uploaded to a server controlled by the attackers.

Jeff Warren, general manager of products for STEALTHbits Technologies, emphasizes the simplicity of the techniques used to identify sensitive files. “With nothing more than comparing file names to a list of 77 strings, the malware is able to identify and exfiltrate sensitive information,” he says. The stealer uses basic scanning to identify and mount additional shared folders, so anywhere a user has access is vulnerable to these types of attacks, Warren adds.

Ryuk Relations
This particular infection shares a few curious qualities with Ryuk ransomware. For one, it contains specific string references to “.RYK” and “RyukReadMe.txt,” says cybersecurity researcher Vitali Kremez in a conversation with Dark Reading. Ryuk typically leaves victim notes as “RyukReadMe.txt,” and encrypted files have the “.RYK” extension. The stealer malware seems to intentionally skip files like these, which are linked to the Ryuk ransomware.

Also like Ryuk, this malware contains specific references to the Ahnlab antivirus company and it checks for a file called Ahnlab on target machines. It also has a link to “UNIQUE_ID_DO_NOT_REMOVE,” which is a string present in Ryuk ransomware, Kremez adds. The malware’s file searcher and extension with blacklist logic are similar to the Ryuk routines.

“Overall, it looks like someone with the Ryuk code added additional code to make it a stealer and compiled in a different environment,” he says. The code indicates this wasn’t an advanced attacker. “It feels like if someone less experienced took the Ryuk code and/or tried to mimic Ryuk routines, then they copy/pasted some own code logic/code and created a new malware.”

The code quality related to upper/lowercase extension check, external library dependency, and recursive routine is not good, Kremez notes. Still, the act of taking Ryuk and transforming it into a stealer is new, he points out. Ryuk’s ransomware operations are linked to the TrickBot malware group, and they have robust code development. While there is no way to know who is behind this, the actor may be linked to the core Ryuk group if code was taken from them.

“We know that Ryuk is a very targeted ransomware,” Kremez explains. “If this malware is part of the same group, we suspect it to be also very targeted.”

Ryuk ransomware has been seen targeting businesses around the world. In April, it struck the city of Stuart, Florida, and forced servers and computers offline; last year, it hit C.E. Niehoff Co., a small manufacturing firm. Earlier this summer, the UK’s National Cyber Security Centre (NCSC) issued a warning for a new global Ryuk ransomware campaign packing Emotet and TrickBot.

Related Content:

• 7 Steps to Web App Security
• Taking a Fresh Look at Security Ops: 10 Tips
• Security Leaders Share Tips for Boardroom Chats
• Proposed Browser Security Guidelines Would Mean More Work for IT Teams

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Escaping Email: Unlocking Message Security for SMS, WhatsApp.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/malware-linked-to-ryuk-targets-financial-and-military-data/d/d-id/1335808?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A few months back, someone asked me to help him take apart a bed frame. He had a problem stemming from a stripped screw that could not be removed. When I came over, I noticed another screw on the other arm of the bracket. The second screw was not stripped, and so I loosened it. This freed the bracket, which allowed me to easily take apart the bed frame.

I’m relaying this incident not to brag about my talent as a brilliant problem solver or because I am exceptionally handy. In fact, the person who asked me for help is a particularly brilliant problem solver — a far better one than I. The reason I was able to solve the bed frame problem is because I looked at it with fresh eyes, a state of mind that is also useful in the realm of cybersecurity, as these 10 examples demonstrate:

1. Executive support: Struggling to get the attention of executives and the board? Not able to make security a priority for the business and advance items important to security? Try looking at the problem through new eyes — namely theirs. How do executives view the business? What risks and threats to the business are they concerned with? If you can view issues from the perspective of the C-suite, you might have better luck communicating why security is important in a language they’ll understand far better.
2. Security strategy: Sure, you may have a formal security strategy that was written a few years back. But have you looked at it with your present-day eyes? The environment in which the security team operates changes constantly. It might be time to take a fresh look at the overall direction of the program.
3. Risk: Do you understand the risks that the business faces? Are you sure? Risks evolve continuously and understanding what they are and how they affect the business today is paramount to successfully securing the business.
4. Threats: Are you familiar with the information security threat landscape that you face? Are you certain that your knowledge is up to date? It might be time to take a new look at the threat landscape as it pertains to your enterprise.
5. Goals: When was the last time you set goals for the security team? Was it at a time when you may have looked at the information security world differently? If the last time you examined goals was not so recently, you will likely see the topic differently now. Give goals a glance through your present-day eyes.
6. Priorities: The security team’s priorities are likely shifting constantly. New challenges arise continuously, as do old challenges. So why is it that you set priorities only once per year, or even less frequently than that? Of course, priorities cannot be reset daily, but there is a balance here. Try looking at priorities more frequently than annually.
7. People: You’re likely quite fond of and proud of the security team you’ve built. You’ve probably assembled a group of skilled and talented contributors. But there is more to the equation than just the quality of the team you’ve put together. There is also consideration of the alignment of the team and their skill sets to your strategic objectives. Has it been a while since you took a look at your team from that perspective? It might be worth a new look.
8. Process: I’ve seen my share of bad processes over the course of my career. Even the good processes I’ve come across were written for a given purpose under a specific set of circumstances. What if the purpose and/or the circumstances change? Over a period of time, this is almost always the case. Given that, doesn’t it make sense to reevaluate whether or not different processes make sense in the current environment? Casting a fresh look upon processes often produces more effective and efficient ones.
9. Technology: Maybe you love your security tooling. Maybe you hate it. Maybe you painstakingly architected your security stack with an eye for detail. Maybe you inherited some or all of it. Whatever the situation, it’s likely that things have changed quite a bit since the tooling in place was procured and deployed. Isn’t it time to ensure that the technology in place still fits the bill? My guess is that you’ll find several pieces that are no longer appropriate.
10. External organizations: You probably have a membership in a few different external organizations. Perhaps you are a part of mailing lists, attend conference calls, or participate in meetings with these organizations on a fairly regular basis. When was the last time you stopped to think about what you’re actually getting out of these organizations versus what you’re putting into them? What once made sense may no longer be the case. Definitely worth a glance with fresh eyes.

Related Content:

• Security the Infinite Capacity to Rationalize
• 20 Questions to Ask During a Real (or Manufactured) Security Crisis
• Sensory Overload: Filtering Out Cybersecurity’s Noise

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for … View Full Bio

Article source: https://www.darkreading.com/risk/taking-a-fresh-look-at-security-ops-10-tips-/a/d-id/1335744?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Although companies realize that skilled security professionals are difficult to hire, they continue to focus on increasing head count rather than training their current employees, according to a survey conducted by the 451 Group.

Yet, offering an opportunity for employees to learn new skills and the potential to advance and develop their careers could actually help firms acquire more dedicated and loyal security teams, according to a report based on the survey results and published this week by managed-security solutions provider eSentire. Eighty-seven percent of respondents maintain that the staffing levels at their organizations are adequate, while 78% of security professionals believe that companies have a gap in needed skills, not in the number of people performing security-related work. 

So, what if your company wants to develop its security team? Train and focus on career path, says Chris Braden, vice president of global channels and alliances at eSentire.

“When you have that sort of shortage, simply getting someone on board in the first place can be a challenge, but companies also need to focus on their strategy to be able to retain them,” he says.

The survey underscores one of the paradoxes of the tight labor market in cybersecurity. While training is necessary to develop the skills to allow the security team to do its job, many companies fear that training and certification will allow their security experts to find better-paying jobs at other companies.

And there is some evidence of that. In 2018, the number of cybersecurity-related job posting in the United States increased by 7.2%, but the number of clicks on US cybersecurity jobs decreased by 1.3%, according to job aggregation platform Indeed.com. Currently, the cybersecurity sector does not have enough incoming skilled workers to fill all the necessary positions. Instead, companies are cannibalizing the teams at other firms.

“If you are a company who does not have a series of advanced security-skilled positions available in your organization, you are probably not going to be very proactive about encouraging your employees to get the training, because they are going to use the training to exit the business, more than likely,” Braden says.

Train to Retain
At the same time, such training is what convinces skilled workers to stay. Almost two-thirds (63%) of security professionals believe that ongoing education and helping employees get security certifications is the No. 1 effort that could help companies hire and retain personnel, according to the survey. Higher salaries and better benefits came in at No. 2, with 57% of respondents believing that raising pay would help retain employees.

The survey also found a strong link between training opportunities and job satisfaction, with approximately six in 10 of security professionals saying they are satisfied with their jobs also being satisfied with the educational opportunities offered to them, while seven in 10 of those workers unsatisfied with their jobs also are unsatisfied with their options for continuing education.

It even applies to managed service providers, such as his company, Braden says.

“We are not immune to this,” Braden says. “But the size of our SOC and the number of people we employ led us to develop an internal training capability — we can train college students into an entry level role and train them as they move up the [career] stack.”

A third of respondents — the largest segment — rate learning new skills as their top consideration in job satisfaction. Security professionals who have stayed at their current jobs for longer than five years have the greatest satisfaction with the level of education and training offered by their employers.

Still, not all companies have the need for more advanced positions. Part of the problem for many companies is that they have little way for cybersecurity professionals to advance their careers, says Braden.

“Even with large midmarket companies with 5,000 or 10,000 employees, there may not be a lot of roles requiring security skills that would allow that type of advancement,” he says. “I think that skills-gap alignment is really a bigger issue in some ways than the shortfall in security talent itself.”

Managed service providers can help mitigate the impact of the lack of security talent, but companies have to take the right approach, Braden says.

“Our model is really not to enable a company to displace their IT security team — those people are valuable and they are hard to get, as we identify in the report,” he says. “Instead, companies can use those resources for other purposes. And, if you look at the litany of operational debt items that are typically in a SOC or an IT department, we are talking about the ability to be able to implement software updates and patches, retiring login credentials when someone leaves an organization — they can repoint their people to more productive activities to which they are better suited, rather than processing alerts off a SIEM.”

For companies that want to develop their own in-house team, the survey seems to indicate a way forward. Organizations need to have good executive support for whoever is designing and managing the security program, and roles have to be developed that both support the program and allow employees to advance into new positions, Braden says.

Then the head of information security must work with human resources to develop a program to develop and acquire the right talent for those positions and retain them. And, Braden adds, a key part of that is education.

Related Content

• More Supply, More Demand: Cybersecurity Skills Gap Remains
• The War for Cyber Talent Will Be Won by Retention not Recruitment
• Summer: A Time for Vacations Cyberattacks?
• How Security Vendors Can Address the Cybersecurity Talent Shortage
• How to Attract More Women Into Cybersecurity – Now

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Escaping Email: Unlocking Message Security for SMS, WhatsApp.”

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/no-quick-fix-for-security-worker-shortfall/d/d-id/1335803?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple