CyberWire Daily - ANSSI considering retaliation for ransomware attack. MixCloud breached. Imminent Monitor shut down.
Episode Date: December 2, 2019
France might go on the offensive against ransomware attackers. The UK's NCSC has been helping an unnamed nuclear power company recover from a cyberattack. A failed cyberattack targeted the Ohio Secretary of State's website on Election Day. MixCloud confirms data breach. The Imminent Monitor RAT is shut down by law enforcement. And a cryptocurrency exchange loses nearly fifty-million dollars. Joe Carrigan from JHU ISI on victim blaming. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_02.html
Support our show
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K at checkout.
Calling all sellers, Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
France might go on the offensive against ransomware attackers. The UK's NCSC has been helping an unnamed nuclear power company recover from a cyber attack.
A failed cyber attack targeted the Ohio Secretary of State's website on Election Day.
Mixcloud confirms a data breach.
The Imminent Monitor RAT is shut down by law enforcement.
And a cryptocurrency exchange loses nearly $50 million.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 2, 2019.
France's national cyber authority, ANSSI, the National Agency for Information System Security, hasn't ruled out neutralizing the threat actors responsible for the November 15 ransomware attack on a major Rouen medical center, Bloomberg reports. ANSSI has authorities and capabilities regular law enforcement agencies lack, and ANSSI is rumbling that it may be ready to use them. The attack on the university medical center in Rouen has been widely attributed to the Russian criminal gang TA505.
In another ransomware incident that's hit European targets, the Dutch Broadcast Foundation says it's obtained a confidential report from the Netherlands National Cyber Security Centre, the NCSC, that warns of a ransomware campaign which has targeted more than 1,800 companies since July of 2018. The campaign deploys the LockerGoga, Ryuk and MegaCortex strains of ransomware, and many of the attacks use shared infrastructure. The NCSC believes several sophisticated criminal groups are behind the campaign, and that they're working together to carry out different stages of the attacks.
An international law enforcement operation
led by the Australian Federal Police
resulted in the arrests of 13 users of the Imminent Monitor remote-access Trojan,
Europol announced.
Imminent Monitor was cheap, easy to use, and effective,
which made it an extremely popular criminal tool.
Imminent Monitor's website was also taken down,
and the malware's nearly 15,000 buyers have lost access to licensed versions of the Trojan.
Bravo to the Australian Federal Police and their colleagues in Europol.
The Telegraph reports that the UK's National Cyber Security Centre has been discreetly assisting a nuclear power company with its recovery from a cyber attack it sustained earlier this year.
The nature of the attack is unknown, as is the identity of the targeted company.
A Nuclear Decommissioning Authority report obtained by The Telegraph simply referred to the victim as an important business in the nuclear power generating sector.
Beyond that, little is publicly known.
In the first legally required correction notice of its kind, Facebook has labeled a user's post with "Facebook is legally required to tell you that the Singapore government says this post has false information," so says Reuters.
The notice is visible only to users in Singapore itself, and it amounts to an official assertion
appended to the content, not to deletion or further modification of the content itself.
Singapore's law was prompted by concerns about fake news and the potential threat it poses to civil society and democratic processes.
Ohio Secretary of State Frank LaRose said a Russian-owned firm attempted to carry out an SQL injection attack against his
office's website on November 5th, Election Day. The attack was thwarted by the state's network
security system. LaRose told the Columbus Dispatch that while the attempt was unsophisticated,
attackers often use unsophisticated techniques to identify vulnerabilities.
The Russian-owned firm that allegedly tried the SQL injection attack was unnamed and, of course, the attribution and allegation should be treated with open-minded circumspection.
Mixcloud, the widely used music streaming service, confirmed over the weekend that it had been breached, with information on some 21 million users apparently for sale on the dark web. ZDNet reports that the data includes usernames, email addresses, hashed password strings, users' country of origin, registration dates, last login dates, and IP addresses. Mixcloud emphasizes in its disclosures that it does not store full payment card information. The company added that while passwords were encrypted with salted hashes, users might want to change their passwords, just in case.
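As an added example (not code from the podcast, from Mixcloud or from ZDNet), the Python below shows why "the passwords were salted hashes" does not by itself settle the question, and why the "change your password just in case" advice stands. It assumes, purely for illustration, that the leaked strings were SHA-256 over salt plus password; the page does not say what Mixcloud actually used. The sample accounts, the wordlist and the "leaked" dump are all constructed inline.

```python
"""Added example: offline dictionary attack against a salted but fast hash.

Assumption for illustration only: the site stored SHA-256(salt || password).
The podcast does not say which algorithm Mixcloud used.
"""
import hashlib
import hmac
import os
import time

# Constructed sample accounts: two weak passwords, one strong one.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "S7!kq#Lp9@vZ2wXr"),
    ("carol@example.com", "mixcloud2019"),
]

# Constructed mini wordlist; real attackers use tens of millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "mixcloud2019", "iloveyou", "dragon"]


def salted_sha256(salt: bytes, password: str) -> str:
    """Fast salted hash: one SHA-256 per guess, so an attacker tries millions per second per core."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_dump(accounts):
    """Build the constructed 'leaked' rows as (email, salt_hex, digest_hex)."""
    rows = []
    for email, password in accounts:
        salt = os.urandom(16)  # per-user random salt, exactly as good practice recommends
        rows.append((email, salt.hex(), salted_sha256(salt, password)))
    return rows


def crack(rows, wordlist):
    """Offline dictionary attack against the dump.

    The per-user salt defeats precomputed (rainbow) tables: every candidate must be
    re-hashed for every account. With a fast hash that costs almost nothing, so the
    weak passwords fall immediately and only the strong one survives the wordlist.
    Returns {email: recovered_password} for the accounts that were cracked.
    """
    recovered = {}
    for email, salt_hex, digest in rows:
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            if hmac.compare_digest(salted_sha256(salt, candidate), digest):
                recovered[email] = candidate
                break
    return recovered


def slow_hash(salt: bytes, password: str) -> str:
    """Deliberately slow KDF (PBKDF2-HMAC-SHA256, 600k iterations): the same attack
    still works in principle, but each guess now costs hundreds of thousands of
    hash operations instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000).hex()


def guess_cost_ratio(password: str = "123456", samples: int = 1000) -> float:
    """How many times more expensive one guess is under the slow KDF than under salted SHA-256."""
    salt = b"\x00" * 16  # fixed salt only for timing; real salts are random per user
    t0 = time.perf_counter()
    for _ in range(samples):
        salted_sha256(salt, password)
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    slow_hash(salt, password)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    dump = make_dump(SAMPLE_ACCOUNTS)
    # The salts are random, so the digests differ on every run; the outcome does not:
    # alice and carol are recovered, bob is not.
    print("cracked:", crack(dump, WORDLIST))
    print(f"one guess costs ~{guess_cost_ratio():.0f}x more under PBKDF2 than under salted SHA-256")
```

The salt stops precomputation, not guessing. What actually limits an attacker holding the dump is a slow, ideally memory-hard, password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), and on the user's side a password that is both strong and unique, so that a crack here does not also open the email account used to reset everything else.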
The Chinese government now requires people in the country to have their faces scanned
when they sign up for mobile phone plans, the BBC reports.
Previously, mobile customers needed to show ID and have their photos taken when they purchased a SIM card.
China's Ministry of Industry and Information Technology says facial recognition will now be used to match people's faces
with their identification documents.
South Korean cryptocurrency exchange Upbit says hackers stole $48.5 million worth of Ethereum from its Upbit Ethereum hot wallet, ZDNet reports.
Upbit's owners say the exchange will cover the losses.
ZDNet notes that the circumstances of the theft have led some observers to speculate that the hack may actually be part of an exit scam,
but so far there's no evidence to suggest that this was the case.
And finally, much advice is circulating about the threats lurking in holiday shopping.
USA Today offers a rogues gallery of potentially backdoored consumer electronics,
and ESET reviews safety advice for online shoppers.
Be wary of gift cards and special offers received by email.
Electronic greeting cards are also being used as malware vectors.
Bleeping Computer describes one ongoing Thanksgiving-themed campaign.
And Grinch bots are said by NBC News to be scalping the best online deals.
It's an international problem.
Computing says that about 7,000 victims of Cyber Monday credit card fraud
are expected in the UK alone.
So, if shop you must, shop safely.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Hi, Dave.
I want to have a conversation with you today about victim blaming.
Victim blaming. And I have to say, I don't have a complete conclusion on this, but it's something I've been thinking about.
We're coming back from a holiday weekend and this is something that crossed my mind while we were away.
And I just want to get your take on it. So let's walk down this together. Here's where my line of thinking went.
Let's say I put a lock on the front door of my house.
Right.
I have a regular lock and I have a deadbolt.
And these are unlocked with keys and so on and so forth.
So my house is locked up.
Yep.
Someone comes along and picks those locks.
Right.
And they break into my house and they steal things.
Yes.
My fault?
No.
No, I don't think that's your fault.
Because?
Because somebody has made a conscious effort to get around the locks that you installed to keep people out.
But I didn't put more locks on my doors, Joe.
Right.
And you didn't put like really good hard to pick locks on your doors.
Exactly.
Yeah.
Exactly.
Yeah.
This is, yeah, I understand what you're saying with victim.
See where I'm going with this?
Right.
Yeah. So I guess in my mind, I've gone to a reasonable degree of security to secure my home, my family, my personal effects, and so on.
Correct.
And you've followed the advised protocol.
You should have a deadbolt lock on your door.
Yep.
Best practices.
Best practices.
I'm probably not going to run into any issues with my insurance company.
Nope.
Because they're going to ask me, did you have locks on the door?
I'm going to say, yeah, I did.
They are right there.
You can look at them.
And they're going to say, were they locked?
And I'll say, yes.
Yes, they were locked.
Extending that to security.
Right.
I wonder, because it's very easy, I think, when a breach happens.
Uh-huh.
There's a lot of dogpiling.
There is.
And as you and I talk about on Hacking Humans a lot, that we need to have empathy for the people who have fallen victim to these things.
That's correct. Yes.
But I guess the big question is, particularly when we're talking about large organizations is, at what point have they put in a reasonable amount of security?
How do we judge that?
What's the standard for that?
And who says that?
Is it the insurance company who sets those standards?
Yeah.
What's your take?
That's an excellent question, actually.
You know, like when Target got breached,
one of the things that everybody hounded on was that they didn't have a CISO.
They didn't have someone in the position of chief information security officer.
I don't want to victim blame, but when somebody doesn't have the basic best practices up, right?
Like, for example, in the physical example you gave earlier, if you did not have a deadbolt on your front door and somebody just used a credit card to open your door, that would
still be a breaking and entering.
It'd still be a burglary, right?
Yeah.
But there would have been something you could have done to prevent that.
Right.
Right?
And having somebody with a high-level security mindset may have helped Target prevent that
breach.
I'm not saying it would have helped Target prevent that breach, but it may have helped
them.
Well, and I also wonder, you know, what if my house was in a very bad neighborhood?
Right.
And so the best practice there might be to have more than one lock.
To have more than one lock.
Right.
You have to do it.
You have to do the risk assessment.
And is the internet a bad neighborhood?
The internet is a terrible neighborhood.
Right, right.
It's awful, Dave.
Yeah, it's the worst. It's the worst.
Right.
So I think what you're nailing is that it's a risk assessment. Nothing is 100% secure. It's impossible.
Correct.
And so as an organization, the people who are in charge of making these decisions, how are we going to spend our money on security? They have to make a risk assessment.
They do.
And they have to deal with a finite level of funds.
They don't have unlimited money.
And I guess part of what I'm wondering about is this impulse that I think a lot of folks have to kind of dogpile and to point out everything that an organization did wrong.
Right.
You know, if your neighbor's house got broken into,
don't be that guy who goes down and says,
well, why didn't you have two deadbolts?
Right.
You know?
That would have made it a lot harder for them to pick your deadbolts.
Right, right.
See where I'm going with this?
Yeah, I do.
It's a good point, too.
Yeah.
But, you know, sometimes these things are just so egregious.
You can't help but blame them for some things.
You know, but also there's the situation where I guess if I had a, and I was stretching this metaphor to its breaking point.
Right.
If I had a deadbolt and a lock, but I kept the key under the front mat.
Right.
Yeah.
That's a good analogy.
Right.
Like that's, you know, that's like storing your passwords in plain text.
Right.
On a post-it note.
Yeah.
Right. Right. Right by your computer.
Right, right.
Or reusing a password, actually.
Yeah.
You know, it's a lot like that.
If somebody gets breached because they're reusing passwords, even a regular person,
I say that, you know, the reason you got breached was because you reuse passwords.
You know, the reason you got hacked and owned is because your password for your email account
is the same as your Facebook account and the same as your Amazon account.
Guess what?
Somebody ordered something on your Amazon account, verified it through your email,
and that's why we tell you don't reuse passwords.
Yeah.
Right?
So, yeah, I don't know.
I think at some point in time you have to say to the user or to the victim of these crimes,
you bear a certain amount of responsibility in protecting yourself,
particularly on the Internet, because as you said, it's a very bad neighborhood.
Right, right.
All right.
Well, thank you for puzzling through it with me.
I knew we'd have a very interesting conversation about it.
Joe Carrigan, thanks for joining us.
It's my pleasure, Dave.
Thank you.
... a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Thank you.
... and data products platform comes in. With Domo, you can channel AI and data
into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare,
and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.