CyberWire Daily - Another ransomware victim pays extortionists. Business email compromise. Government impostor scams. ShadowBrokers still airborne. Exploit supply chain. Silence suspected in bank heists.
Episode Date: July 8, 2019. Another ransomware victim pays up. Privilege escalation comes to ransomware. Vendor impersonation scams hit cities, and government impersonation scams hit citizens: be wary of both. Former NSA contractor Hal Martin will be sentenced later this month, with suspected connections with the ShadowBrokers still unresolved. An exploit supply chain is described. The Silence gang is suspected in Bangladeshi bank heists. And a bad message can brick a phone. Ben Yelin from UMD CHHS on privacy concerns with a shared bar patron database. Guest is Derek E. Weeks from Sonatype on supply chain security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_08.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Another ransomware victim pays up.
Privilege escalation comes to ransomware.
Vendor impersonation scams hit cities, and government impersonation scams hit citizens.
Be wary of both.
Former NSA contractor Hal Martin will be sentenced later this month, with suspected connections with the ShadowBrokers still unresolved.
An exploit supply chain is described, the Silence gang is suspected in Bangladeshi bank heists, and a bad message can brick a phone.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 8th, 2019. Forensic lab Eurofins is paying the extortionists who hit it with
ransomware. The BBC says the amount is unknown, but large.
The Times puts it at hundreds of thousands of pounds.
In any case, the payment is regarded as very large, huge in some headlines.
Eurofins is not, we should point out, a digital forensics shop.
Their work is of the physical laboratory type, DNA typing, and toxicology.
Sodinokibi ransomware is using a Windows privilege escalation bug, CVE-2018-8453, to gain admin access to its targets.
As ZDNet notes, it's relatively unusual for ransomware to exploit a privilege escalation vulnerability.
But here's something that's not at all unusual.
The bug, which was patched in October 2018,
was first exploited by a state
and then was picked up by the criminal underworld.
The vulnerability first came to light as a zero-day exploited by FruityArmor, a state-directed espionage crew active mostly against Middle Eastern targets.
The city of Griffin, Georgia, located in the
greater Atlanta region, recently lost a cool $800,000 to a scammer posing as a vendor the
city's water department was accustomed to doing business with. The loss came through a phishing
email in which someone impersonating the vendor told the luckless city employee that they needed to change their
banking info. Change it, the employee did, and the city subsequently flushed away a few hundred
thousand dollars. The city manager is quoted by Atlanta's 11 Alive News to the effect that
he's shocked by the whole thing. And of course, government agencies are also impersonated by
scammers working against individual citizens.
It's worth remembering that contact from people claiming to represent a government agency
should be treated with appropriate suspicion.
That phone call from the Social Security Police, that pop-up from the CIA,
that email from the FBI are all too likely to be bogus.
Especially the Social Security Police, since there really is no such
thing, and a social security number doesn't get suspended. Anywho, the U.S. Federal Trade
Commission reports that government imposter scams are running at an all-time high,
with over 46,000 attempts reported to the FTC in May alone. The median amount lost by individuals hornswoggled by the imposters is $960. So don't
be taken in. The government, the U.S. government anyway, and we think matters are much the same
in the rest of the civilized world, isn't going to call you up to threaten arrest or ask for
personal information. What will happen, should you run afoul of the Federal Bureau of Investigation, is that they may show up with flashbangs and other methods of forced entry.
That's how they collared Hal Martin, the former NSA contractor, convicted of unlawful retention of defense information.
Mr. Martin will have his sentencing hearing on July 17th in a Baltimore federal court.
The Washington Post observes that his widely suspected connection, if any, to the ShadowBrokers' leaks remains as obscure as ever. There was much speculation around the time of Mr. Martin's arrest that he had been in Twitter contact with the Brokers,
but the government has apparently not established this, either because the evidence isn't there,
or because they secured more than enough evidence from his Glen Burnie, Maryland residence, or because there are other sensitivities at play. As for the Brokers
themselves, they have kept a low profile for some time after their leaks of purported NSA tools,
and they and their implausibly broken English are as much on the wing as ever.
There is growing attention given to the security of the software supply chain,
particularly the increased use of open source components. Derek E. Weeks is vice president
at Sonatype, a provider of DevSecOps automation tools. Every single organization that is developing
software is taking advantage of a software supply chain today. And that software supply chain takes
on a couple of different forms. One, it's really how software is delivered into organizations that
use it for development. And in different cases, you can use open source components that are freely
available on the internet that developers use to assemble large portions of their code
that they're developing into applications.
And the other source is containers that are open source
for downloading from places like Docker Hub.
People can use within development or operations practices.
The supply chain volume on the demand side is huge. It's
also huge on the supply side. So when we study and analyze open source component contributions
from different development ecosystems, whether it's Java, JavaScript, Python, .NET, Ruby,
about 13,000 new open source projects having releases every day. The amount
of supply of these components that is available to developers is tremendous. And the consumption
volumes are huge too. From a security point of view, what are the pluses and minuses of using
open source software? That's a really good question. So the pluses are absolutely
that open source components being fed through software supply chains make us a lot more
efficient in development practices. Why spend an hour, a week, a month writing something from
scratch when you could download it from the internet in a second. The incredible efficiency that it allows is why the consumption patterns are going up exponentially.
Most of the open source projects out there develop and help deliver high quality code
to these development organizations.
And many of them want to move very fast because they need to deliver new capabilities to their
customers in order to serve them better and maintain their competitive position in the
market.
So if you're trying to be the next Amazon or the next Netflix or the next Uber, you
have to move a lot faster at delivering value to the market than your competitors.
Now, at the same time, when we look at open source component downloads that we examined last year, we saw one in 10 of these Java components being downloaded, having known
security vulnerabilities.
And then also in late last year, the JavaScript repository led by NPM for the NPM packages used by JavaScript developers,
they had analyzed 4 million component downloads, of which they found 51% had known vulnerabilities in them.
It's really a matter of borrower beware.
Are there any consistencies that you see when it comes to companies who are doing a good job managing
these supply chain issues? Anything that you find that they have in common?
Yeah, there's a couple of things that they're doing in common. One is they're controlling the
use of open source within their organization. So there's something that is referred to as an
open source governance policy. We've spent the last couple of years surveying organizations where about 57% of
organizations say that they have a policy in place. And really the developers in those
organizations are saying that. So the developers are aware of the policy that basically guides
them on, hey, you know, it's your responsibility that when you're using these components to use
the good ones and not the bad ones that provide some level of risk,
whether that's legal risk or security risk to our organization. There are also organizations
as a kind of second best practice that are keeping track of the components that their
developers are using within the applications that they're building. That list of open source components
is called a software bill of materials. And usually, you know, if you're a mature DevOps
practice, about 56% of those organizations, I believe, are keeping a bill of materials.
In organizations that aren't practicing DevOps or DevSecOps, it's about 25% keep a complete software bill of materials.
The reality is when a security vulnerability comes up, whether that's Struts or Bouncy Castle or
OpenSSL's Heartbleed, kind of, you know, open source vulnerabilities, the first question any
organization is asking is, did we ever use that component, that vulnerable version of that component?
And if we did, where? The software bill of materials allows them to get that answer.
That's Derek Weeks from Sonatype.
Anomali has described a Microsoft Office exploit supply chain being shared among at least five
Chinese groups: Conimes, KeyBoy, Emissary Panda, Rancor, and Temp.Trident.
Specifically, they're all working the Royal Road Rich Text Format Weaponizer
and using it to exploit CVE-2017-11882 and CVE-2018-0802.
Three banks in Bangladesh sustained substantial thefts by hackers in May.
It now appears that the gang behind the raid was the crew known as Silence. Group-IB, which has
been tracking Silence since late last year, believes the gang has two core members, Russian-speaking
operators who appear to be white hats gone rogue. Their hacking involves jackpotting by money mules,
some of whom have been caught in the act.
Britain's Information Commissioner's Office has announced its intent
to slap a record fine on British Airways,
over £183 million for a data breach that put the airline in violation of GDPR.
It's a record fine, which the BBC reports British Airways intends to fight vigorously.
Google's Project Zero has confirmed that under certain circumstances a malformed message can
brick an iPhone. An affected device can be recovered, Forbes reports, but at the expense
of losing data. We close with two sad notes. Jeffrey Sessions, CEO of security and networking firm Red River,
and his wife, Elizabeth Howell, died in a watercraft accident last week.
Our condolences go to their family, friends, and colleagues.
And on Friday, Mike Assante succumbed to the cancer he'd resisted for many years.
He was a leader in, indeed a fixture in, the industrial control system security sector.
Again, we offer our condolences to his family, friends, and colleagues.
For all who passed away last week, we wish that those close to them find courage and consolation,
and we trust that those who knew them will remember the departed for lives well led.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security.
Ben, it's always great to have you back.
A story came by.
This was on Medium from a group called OneZero.
And it's about a company that bar owners use to scan people's IDs.
And there's a lot of information being gathered here in ways that perhaps people
aren't really aware of or prepared for. What's going on here?
So I've learned to be more careful about what I do at bars, the rare occasions that I go to bars
after reading this article. This is a company called PatronScan. And I'm sure at any bar you've
been to, you see the kiosks they have at the entrance with the big bouncers.
They'll take your ID and they'll scan it. And what you probably thought they were doing is
just making sure that your ID was legit, that you were of age, that the ID comes from a reputable
state or international location. What this article talks about is how those kiosks are turning into repositories of a permanent record of bar attendees, meaning if one bar puts some sort of red flag and associates that with your driver's license, the one that you scan when you go in, that will be visible to users of the software at every other bar that you go to. So if you have an incident at a bar and they put something on your permanent file that says, you know, Dave was very difficult, he was throwing punches, got in a bar fight, when that's scanned at the next bar, that information is going to show up. So not only is it concerning from a civil liberties perspective as it applies to other bars,
you know, frankly, we may not care that much about what other bars think of us as long as they let us in.
PatronScan is one of the relative few technological companies that seems enthusiastic about cooperating with law enforcement.
If you're wanted for some sort of criminal action and evidence is needed as to whether you are in a particular location,
PatronScan will voluntarily hand that information over based on when you've scanned your ID. And that can be relatively concerning for people.
Most technological companies go out of their way to say that they will not give information to law
enforcement unless there's either a valid subpoena or some sort of judicial warrant.
And what PatronScan has said is that while they're not selling your
information to third parties, at least that's what they claim, they are willing to give your
information to law enforcement. So the upshot of this is when you go to a bar, just by entering
that bar and having your ID scanned, you're potentially putting yourself at some risk for
A, being blacklisted from other institutions because you get something
marked on your permanent record, so to speak, and B, exposing yourself to law enforcement.
And I think that can be concerning for a lot of people.
Yeah. I mean, I think back to my own days, my younger days when I used to visit bars. I'm
thinking of my college days. And it's hard for me to imagine the equivalent
of this, where I would hand someone my ID and they would say, hold on, I need to make a copy
of this and then I'm going to stick it in a filing cabinet. I don't think people would be okay with
that. No, certainly not. And to extend that metaphor a little bit, imagine they'd made copies
and gave it to every single bar in a geographic area so that before you could enter
any bar, they would check the file and see, has this person assaulted anybody, gotten into a bar
fight, and if not, we can't let them in. From a legal perspective, the patron doesn't actually
have much of a legal leg to stand on. This is your classic third-party doctrine case. You have a
choice whether to go to a bar or not. You are voluntarily giving your ID card to the bouncer
to get in. And once you do that, it's fair game for the company that's doing the scanning to send
that information to law enforcement. But simply from a personal perspective, I think it is
quite intrusive.
And to this point, really the only way around this is to vote with your feet.
Right.
So the adoption of PatronScan is voluntary on the part of the bar.
So, you know, perhaps the free market will take care of this and there are going to be
bars that say we're not going to use this technology.
Now, bars have incentive to use it. They're audited on whether they sell alcohol to minors.
And one of the ways they can make sure they don't sell alcohol to minors is to verify their
driver's licenses. And this is one of the key technologies that they're going to use to do that.
So bars certainly have their own incentive to use technology like this. But you're right.
I mean, I think there is going to be a market out there, sort of a dark web for bar goers of places where their names won't be put on a permanent record, especially if this becomes something that's more widely known, widely talked about and written about online.
All right.
That's an interesting one.
Ben Yelin, thanks for joining us.
Thank you.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.