CyberWire Daily - Advice on ransomware from the US National Security Council. JBS announces its recovery from the REvil attack. Cyber diplomacy (and maybe retaliation). Ransomware-themed phishbait.
Episode Date: June 4, 2021
JBS recovers from its REvil ransomware attack, and this and other apparent instances of privateering will figure among the agenda at the upcoming US-Russia summit. (The US is said to be mulling retaliation.) The White House issues general advice on preparing for ransomware attacks. The Tokyo Olympic committee suffers a data breach. Ransomware may have interrupted some media livestreaming yesterday. Attribution in the MTA attack. Dinah Davis from Arctic Wolf helps prevent your SOC from becoming ineffective. Carole Theriault warns of data privacy leaks in online home tours. And ransomware-themed phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/107
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners. Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
JBS recovers from its REvil ransomware attack, and this and other apparent instances of privateering will figure among the agenda at the upcoming U.S.-Russia summit. The U.S. is said to be mulling retaliation.
The White House issues general advice on preparing for ransomware attacks. The Tokyo Olympic Committee suffers a data breach. Ransomware may have interrupted some media live streaming yesterday. Attribution on the MTA attack.
Dinah Davis from Arctic Wolf helps prevent your SOC from becoming ineffective. Carole Theriault warns of data privacy leaks in online home tours. And a ransomware-themed phishbait.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 4th, 2021.
JBS said yesterday that it had resolved the ransomware attack it sustained on Sunday and that operations had returned to normal. The company's statement reads in part, quote, "The company's swift response, robust IT systems, and encrypted backup servers allowed for a rapid recovery. As a result, JBS USA and Pilgrim's were able to limit the loss of food produced during the attack to less than one day's worth of production. Any lost production across the company's global business will be fully recovered by the end of the week, limiting any potential negative impact on producers, consumers, and the company's workforce."
All things considered, the response seems to have been swift and effective,
and it will be interesting to see what lessons may emerge from JBS's experience.
The impact of the incident on food availability and price appears to have been limited,
and HuffPost observes that there appears to have been no impact on food safety whatsoever,
which is unsurprising given the nature of the attack.
The U.S. FBI was unusually quick with attribution, fingering the Russia-based REvil gang as the group behind the attack.
REvil, which operates a criminal affiliate network, told BleepingComputer last October that the gang itself cleared more than $100 million in profit annually. They may have at least two revenue streams: direct ransom payments and the proceeds from auctioning victims' stolen data.
REvil's claims about its revenues and operations are difficult to corroborate, but the gang at least gives the appearance of being financially motivated.
As with other Russian criminal groups, however,
their activities now arouse suspicions that they're state-tolerated cyber-privateers
and that their motivations may be complex.
Utah Public Radio quotes Ryan Larson, a Utah State farm management extension specialist, who said, quote, "When you read that a large percentage of the meat processing has been hacked, it causes concerns for citizens. So, I think a lot of the motivation was purely just to cause concern and scare people," end quote.
Fox News talked to various experts who thought the prospect of the JBS hack being a dry run for a more damaging operation slightly paranoiac, albeit possible.
On balance, the consensus was that the rise in ransomware attacks was driven by the criminals' realization that there was a great deal of money to be made from extortion.
ABC News reasonably sees a convergence of contributing factors: "Ransomware strikes have surged over the past year due to a confluence of factors, experts say, including the rise of hard-to-trace cryptocurrency, a work-from-home boom that has resulted in new IT vulnerabilities, and a political climate marked by ongoing tensions between the U.S. and Russia, the nation from which many of these attacks are believed to emanate."
Privateers or ordinary gangsters, the Voice of America reports that the JBS attack and other ransomware incidents will figure among the agenda of the upcoming U.S.-Russia summit.
Some, like NBC News, report that U.S. patience with ransomware, especially state-tolerated or encouraged ransomware, is nearing an end, and that naming, shaming, and sanctions may be played out as effective responses. "They are hair on fire," a former U.S. official said of the administration, and retaliatory cyber attacks may be under study, perhaps under active consideration.
The U.S. government is said to be taking the ransomware threat seriously. Reuters says the Justice Department will accord ransomware attacks the same priority it gives terrorism. "To ensure we can make necessary connections across national and global cases and investigations and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking," Justice Department guidance says. It's a procedural change that involves giving information sharing and coordination greater importance.
John Carlin, Principal Associate Deputy Attorney General at the Justice Department, told Reuters, quote, "We've used this model around terrorism before, but never with ransomware," end quote.
The New York Times interprets an advisory letter from Deputy National Security Advisor Anne Neuberger as a prescriptive, blunt, general call for all organizations to adopt the cybersecurity standards that federal agencies and contractors now follow.
Neuberger wrote, in part: The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German, and other organizations around the world is that companies that view ransomware as a threat to their core business operations, rather than a simple risk of data theft, will react and recover more effectively. To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business
It strikes us that in this case, the Times perceives clarity as bluntness.
Neuberger's letter goes on to say, "Specifically, those steps include: implement the five best practices from the President's Executive Order; back up your data, system images, and configurations, regularly test them, and keep the backups offline; update and patch systems promptly; test your incident response plan; check your security team's work; and segment your networks."
This, with the supporting details that are too long to read here, seems like useful advice.
According to the Japan Times, the organizing committee for the Tokyo Olympics
has suffered a data breach as a consequence of Fujitsu's recent compromise.
It's another instance of third-party risk.
Some personal information was apparently exposed in the incident.
The Record reports that Cox Media live streams were interrupted yesterday in what multiple sources tell the Record was a ransomware attack. The story is still developing, but it appears to be another case in the ongoing wave of ransomware attacks.
The ransomware attack against New York's Metropolitan Transportation Authority is being attributed, BleepingComputer writes, to a Chinese threat actor that exploited a Pulse Secure vulnerability to gain access to MTA systems.
SC Magazine speaks with industry sources who express concern that the operation may be a harbinger of more to come, especially if the group responsible should prove closely connected to the Chinese government.
BlackBerry reports that the Avaddon ransomware operators now pose a triple threat, adding the prospect of distributed denial of service to the familiar threats of encryption and data theft.
And finally, all the recent high-profile ransomware attacks have spawned a large brood of unrelated but obviously parasitic phishing campaigns. Inky has been tracking some of them and finds that the emails represent themselves as coming from a more plausible than usual help desk. The recipients are told that their organization is upgrading its security after the wake-up call it received from the Colonial Pipeline incident. Specifically, users are asked to download a ransomware system update from an external site. That site, of course, is malicious.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com/careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Among the many things the pandemic has upended is the real estate market. In my neck of the woods here on the east coast of the U.S., a shortage of home inventory is causing home prices to spike, with some fearing we are entering another real estate bubble. Sellers have also shifted to largely selling their homes online, with fancy 3D virtual tours replacing the traditional open house. Again, a practical adjustment accelerated by the pandemic.
Our CyberWire UK correspondent Carole Theriault was recently doing a little real estate online window shopping and happened upon an unsettling privacy issue.
So one of my pastimes is property porn. Is that okay to say in a cybersecurity podcast? I guess I'll find out. But it's true. I imagine myself picking up sticks and moving to a brand new place and I check out properties in that locale because, well, you never know.
Anyway, there I was indulging in my pastime when I land upon a house that has a bunch of private information lying bare in its 3D virtual tour.
Now, many, many houses out there are staged to increase the sale price, but quite a few out there are not. And in this particular case, I could see stuff I shouldn't, even if I were walking around in person. We are talking financial documents that you could easily zoom in upon: full name, address, details for anyone to gawk at. Other identifiable data about the homeowners and the property included names of their pets on a photograph. We all know that pet names are often used as passwords. There were clues about their political views based on their choice of reading material, and their health: there was an asthma inhaler visible in one of the bedrooms.
And then you've got to think about the opportunities that this presents for potential phishing attacks. I mean, getting the address and visiting the property in person is a doddle. All you need to do is call the estate agent. Couldn't someone call them up and pretend to be the representative of the periodical magazine that they buy, or the book club that they belong to, or their share company? It's kind of scary.
With the help of a BBC journalist, we were able to alert the agents and get the video taken offline. But how do things like this happen? Here are my thoughts.
One, camera tech is way more advanced than you might think. Think Google Maps, but inside your house. I mean, I could read every single title in their bookcase. A remote camera snaps hundreds, if not thousands, of photos across a property. Who's going to go through every single photo individually? The real estate agent? The owner? Who has the time?
Well, make time. That is, I think, the takeaway. If you're going to employ whiz-bang features to help you sell your house or improve your sales strategy, enhance your service offering, whatever it is, do your homework before enabling them. And that means testing. Like, imagine you're a visitor and use and abuse those features so you can get a strong indication of what a visitor might experience and see. Do this before you make it live, so to speak.
See, it turns out that mom was right. Cleaning up before your guests arrive or before non-employees show up for a meeting is a good idea. Not just to hide any slobbiness, but it also allows you to see what's left out in the open and lets you decide whether it should be put away. I mean, think about it. If you don't value your privacy, who will?
This was Carole Theriault for The CyberWire.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
And joining me once again is Dinah Davis. She is the VP of R&D at Arctic Wolf. Dinah, great to have you back. I want to touch today on some tips you have for SOCs, and in particular some things maybe not to do, things that might torpedo some of your efforts within your SOC. What do you have to share with us today?
So some of the things that can make your SOC quite ineffective is having a high amount of false positives. So you want to really focus on reducing the alert overload. So when you first are setting up your SOC and putting in place the tooling, usually a SIEM is part of that, or a SIEM-like tool. And the way it works is you set up a whole bunch of rules and it alerts you when those rules fire, right? Now, unfortunately, a lot of the time, those rules will alert you on things that aren't actually real, false positives, and you get really tired. It's called alert fatigue, right? So spending a lot of time looking at your system, knowing what you really care about and what you don't, and tuning your system to only notify you when it's important is key here, right? You don't want to manually review every alert. There's thousands that'll be coming in per day. So you want to tune that down, right? So that's one thing you can do to make your SOC more effective.
The second thing you can do is make sure you have really good security processes, right? So you want to focus on the two most important processes of a SOC, which are intrusion detection and incident response. So when something happens, how is the team notified? What is the criteria for escalation of an event to an incident? What does the investigation and response protocol all entail? What do remediation efforts look like? You want to have that all really well defined so that when something happens, you are just reacting and following a process and not trying to figure all of that out at the same time as trying to remediate whatever's going on.
Another thing you can do is try to streamline team communication. So you want to have an easy and clear way to communicate and paths set up with your team. So most people today are using a tool like Slack, right? But just having that tool is, you know, it's probably not enough. You have to set it up in a cohesive way. So you can create channels for reporting threats, one for daily communication. And then one that I really recommend doing is for each big incident you have, you create a channel and only the people working on that incident work there. I also highly recommend throwing in a Zoom room at the top, like in the topic, if you're using Slack and Zoom, because just keeping the same Zoom room open and anybody can pop in and out of there, you don't have to set that up every time. It makes it super easy.
Another great thing to do is make sure you're adding a reporting capability. So you need to know how effective your SOC is being. To this end, some metrics you may want to track are the volume of events, how many false positives you have, what your false positive ratio is, and you want to try and drive that down, like I mentioned above. Headcount to ticket ratio, time to detection, and time to response. Those are all things that you want to be able to track so you can see if there's any trends happening so that you can course correct.
And then finally, orchestrate and automate, because we all know how much, like, just automating the crap out of everything is amazing. So you want to extract the most value from your security tools and then orchestrate and automate everything else, right? So orchestrations can connect your security tools into a single pane of glass, ensuring they're all working together cohesively. You can set up streamlined workflows that will work between tools to eliminate any manual or tedious tasks. And you can free up that time for those, you know, very skilled security workers that you have to work on higher value things.
Now, when it comes to turning off that firehose of alerts, I mean, is it kind of like email where every now and then it's a good idea to go through your spam folder just to make sure that nothing's accidentally getting shuffled off into there?
Yes, it definitely is. Definitely. You want to take a look at that, you know, on a regular basis, whether it's monthly or quarterly. You can often, like, prioritize the results coming in as, like, high, medium, and low. So you probably want to go through your mediums more than you want to go through and do a review of your lows, right?
Right, right.
No, that makes good sense.
All right.
Well, good information.
Dinah Davis, thanks for joining us.
You're very welcome.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's edition of Research Saturday and my conversation with Karl Sigler from Trustwave. We're discussing their research on HTML Lego, hidden phishing at a free JavaScript site. That's Research Saturday. Do check it out.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.