CyberWire Daily - BadRabbit hopping through Eastern and Central Europe, and Southwest Asia. DUHK risks. Kaspersky on how a laptop was backdoored. Notes from Atlanta's ICS Cybersecurity Conference.

Episode Date: October 25, 2017

In today's podcast, we hear about BadRabbit, a new strain of ransomware that's hopped out of Petya's hutch. The Lazarus Group is said to have taken control of some servers in India. DUHK [duck] warnings. Are industrial control system operators paying sufficient attention to Level 1 and Level 0 threats? Next May will see not only GDPR, but also NIS. Joe Carrigan from JHU reviews a list of security tips suggested by IBM. Guest is Scott Kaine, CEO of Delta Risk, on cloud migration security issues. And Kaspersky continues to protest its innocence of spying, and offers an explanation of what really happened with NSA leaks.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Bad Rabbit is a new strain of malware that's hopped out of Petya's hutch. The Lazarus Group is said to have taken control of some servers in India. DUHK warnings. Are industrial control system operators paying sufficient attention to level one and level zero threats? Next May, we'll see not only GDPR, but also NIS. And Kaspersky
Starting point is 00:02:16 continues to protest its innocence of spying and offers an explanation of what really happened with the NSA leaks. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, October 25th, 2017. A new strain of malware appears to have hopped out of Petya's warren, and this one may well propagate as rapidly as its extended family. Russia, Ukraine, Germany, Turkey, Japan, and Bulgaria report outbreaks of Bad Rabbit, a malware strain that's acting like ransomware or pseudo-ransomware. Group-IB thinks Bad Rabbit, which hit yesterday, looks like a Petya offspring. The largest single disruption so far appears to be in Ukraine, where Odessa's airport has had to curtail operations and increase security.
Starting point is 00:03:08 The subway system in Kiev is also being affected. Russian news agencies Interfax and Fontanka were hit yesterday morning, as reportedly were two other media outlets, so far unnamed. Bad Rabbit's victim landing page is demanding approximately $283 to recover files, but the situation is still developing, and it remains to be seen whether this is a genuine extortion play, pseudo-ransomware aimed at disruption, or some mix of both. US-CERT advises against paying the ransom. If the perceived similarity to Petya and NotPetya holds, Bad Rabbit can be expected to continue its rapid spread.
Starting point is 00:03:47 Attribution at this stage is mere speculation. Nozomi Networks reached out to us this morning with their take on Bad Rabbit. Moreno Carullo, Nozomi's co-founder and chief technical officer, said, Our research shows that the group behind Bad Rabbit have spent considerable time creating their infection network, going back to at least July, with the majority of sites relating to media and news. Carullo also offered insights on how an infection works. When a victim visits what they believe is a legitimate site, they are instructed to download an Adobe Flash installer and update. Given that the attackers are targeting
Starting point is 00:04:25 media and news sites that have previously employed Flash to enhance the visitor experience, this request may not immediately arouse suspicion, but it should. If the user follows the redirection, the attack begins and the ransomware dropper downloads. End quote. Once the mark has executed the dropper, and the victim needs admin privileges to do so, a malicious DLL is saved and run using a customary utility. Carullo explains that their experience is that the malicious file tries to brute force login credentials and download an executable that appears to be derived from the DiskCryptor utility. That begins the encryption phase of the attack, replacing the
Starting point is 00:05:05 bootloader the way NotPetya did. So what should an enterprise do? Don't pay the ransom. Consider investing in some real-time detection tools, and above all, back up your files. The Lazarus Group, the North Korean threat actor, is reported to have taken control of a number of servers in India. The servers aren't the ultimate target. Rather, they constitute a platform from which other cyber attacks can be launched. DUHK attacks against devices using the ANSI X9.31 random number generator are being reported. DUHK, D-U-H-K, stands for Don't Use Hard-Coded Keys. There's a bit of a transformation going on as companies are moving more of their IT infrastructure to the cloud. What's motivating
Starting point is 00:05:54 those moves can have a serious impact on security. Scott Kaine is CEO at Delta Risk, and he offers his perspective. The biggest shift that we've seen is that the use of the cloud is being primarily driven by the mid-market. So those companies that are 10 employees all the way up to 5,000 employees are now the primary users of these cloud environments because they do not have the staff to manage anything in-house. And at the end of the day, from a cost perspective, it makes a lot more sense for them to leverage most of their back office applications in the cloud. As this transformation is taking place, the business is moving out. So businesses are getting the efficiencies of the cloud. However,
Starting point is 00:06:37 the security groups are usually left behind and they're in the usual state of catch up, which is obviously a problematic situation in today's cyber environment. Yeah, let's dig into that a little bit. When you say they're playing catch-up, what prompts that? Most of what I've seen has been a situation where the business and the ops and the IT teams have had a directive internally to either increase the efficiencies of their back-office applications or increase the capabilities of their back office applications. And so they're left with no choice but to move out to the cloud relatively quickly.
Starting point is 00:07:14 In most cases, the security teams are an afterthought from what I've seen. And what ends up happening is the folks that are driving the business needs don't want any barriers and therefore to some extent are leaving the security teams out of the mix. So in many cases, what we find out is the security teams don't even realize that the company is hosting some of these applications out there and only find out after the fact and then get asked to go ahead and try to fix it. And I'd say as it relates to the larger firms, that is clearly an issue when you're dealing with the DevOps side of the house. So you've got developers within an organization that are pushing out code and production code, which are a vital interest to any firm, out to environments like AWS and GitHub.
Starting point is 00:07:57 When you speak to the security staff and ask them whether or not they feel as if they've had visibility into these environments, the answer is normally no or I'm not sure. From my experience and what we've seen as a growing trend is that the developers are basically creating the next generation of the Wild Wild West, pushing their code out, using these environments. The security staff is unaware that the development staff are doing these things. And then it's not until something shows up in the press or someone is proactively searching to see actually what's going on, do they find out after the fact that they've got environments as well as individuals working, whether it be in Azure or whether it be AWS or GitHub, as I mentioned earlier,
Starting point is 00:08:38 they then have to go back and figure out how to strap things down and retroactively put in the policy and governance, as well as the monitoring in place to keep tabs on these individuals that are doing things that are putting the company at risk. So where's the communication gap here? I mean, surely security is not a mystery in terms of that it needs to be handled these days. And I would say one of the things we've seen in the past couple of years is that that message
Starting point is 00:09:04 has reached the board. So how can they be being left out of these conversations and these setting of rules and policies? Well, it's definitely a cultural thing. I mean, the textbook answer here is that the software development lifecycle, especially for the development teams, should include security staff from the onset. We've been professing that for decades, and frankly, it's been a challenge to get people to adhere to that. A variety of reasons. There might be personality conflicts. The security staff might impact the pace at which the teams have been asked to get things out. So picture this, you've got a requirement to have something done by a particular time frame. The security staff shows up and indicates that in
Starting point is 00:09:44 order for the company to do everything that they want to do, it's going to require additional funding. It's going to require more time to make sure that most of the structural pieces are in place to make sure that this environment is secure. And frankly, people tend to avoid wanting to have those conversations because they just have a directive to get things done. The answer is simple, which is the teams from security staff should be involved, as I've said, at the beginning. Unfortunately, if they are in a state of catch-up, it's driving a good part of our business model to help security teams catch up to the speed of the business. You know, over time, I think cultural people will get ahead of it. It's just not there yet.
Starting point is 00:10:20 That's Scott Kaine from Delta Risk. In industry news, security company Securebox has announced closing a $150 million funding round. We're represented down in Atlanta this week at SecurityWeek's 2017 Industrial Control System Cybersecurity Conference. A few notes from the event. The conference always features the annual State of the State Address by ICS thought leader Joe Weiss of Applied Control Solutions. In yesterday's address, he described widespread challenges in the industrial control system security field as a whole. In particular, he deplored the way in which IT security has taught the ICS community lessons he believes can be more misleading than helpful. Our challenge isn't information assurance, it's mission assurance, he said. The engineer's job is safety and availability. Fundamentally, the engineer doesn't care whether a disruption arises from malice,
Starting point is 00:11:15 error, or an act of God. As long as it disrupts operations or affects safety, it must be dealt with. The consequences of failing to do so can not only be expensive, but in the worst cases, lethal. Purdue University's ICS reference architecture describes several levels. Level 4 comprises business logistics systems, things like ERP. Level 3 includes manufacturing operations. Level 2, control systems, SCADA. Level 1 comprises intelligent devices that sense and manipulate processes, and level 0 defines the actual physical processes themselves. Weiss argued that insufficient attention has been paid to levels 1 and especially 0. He shared a like he received on LinkedIn for a DEF CON presentation on this very point. It came from an Iranian water
Starting point is 00:12:05 supply system manager. What does this mean? Apart from telling us that Joe is huge in Tehran, which anyone might have guessed, Iranian water utilities certainly have as legitimate an interest in protecting their operation as anyone else, but it also suggests that unaddressed ICS vulnerabilities haven't escaped the attention of nation-state adversaries. And finally, Kaspersky Lab continues to maintain its innocence of spying, and it's offering an account of what they believe happened in the NSA leak incident they've been associated with in the press. The company says the NSA contractor, or employee, accounts now differ, mentioned as the source of sensitive leaked files
Starting point is 00:12:46 backdoored his own machine by downloading and installing malicious pirated software. So, if Kaspersky's correct, the NSA type scored a trifecta in the what-you-shouldn't-do race, putting highly classified files on his own device, taking that device home, and then downloading pirated software. Bad, bad, and bad. Our advice, of course, is don't be bad.
Starting point is 00:15:43 And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back. We got a list from our friends at IBM.
Starting point is 00:16:15 You know, people send us things from time to time that they would like us to talk about. And I actually thought this was a good list for us to go through. They called this Not Your Father's Cybersecurity Tips. And our friend Bob from IBM sent this over. I thought it was a pretty good list. Why don't you start off, take us through the first one here. The first one on this list is lie on your security questions. And this is a great idea. I actually do this on a regular basis. So if you're on a website and they say we need to be able to recover your password, let's ask some security questions that only you know. Like what's your mom's maiden name is a very common one, right? What's your dog's name? What's your oldest kid's name? Well,
Starting point is 00:16:54 all this information is now available on Facebook and it's very easy to find it. So lie. So when they ask what your mom's maiden name is, tell them it's something completely ridiculous. Well, some people have even said just put random characters in there. You could do that as well. You just have to remember what they are. Right. You have to remember your lies. Right, exactly.
Starting point is 00:17:13 So if you use a password manager, the password manager I use, and I've talked about it here on the show many times, is Password Safe. And they have a space for notes. And the notes are also encrypted with the rest of your information about the website. So it's fine to store them in there. Going through the list, I mean, some of these we've talked about before, so we don't need to spend a lot of time on them. An ideal password is a long, nonsensical phrase. Right.
Starting point is 00:17:38 We've talked about that many times. Yes. You were just saying their third one here is store passwords in a digital vault. Right. Check. The third one here, storing your passwords in a digital vault or a password manager, makes the second one possible. Because it's very difficult to remember long, nonsensical passwords for 300 websites that
Starting point is 00:17:56 you might be a user of. That's for sure. Their fourth one here is double dip on security checkpoints. Yep. Anytime you can enable a security checkpoint that's an option on a website, you should, particularly with two-factor authentication. This is so simple nowadays because we have cell phones. Everybody has a cell phone, pretty much.
Starting point is 00:18:14 And you can actually enable two different kinds of two-factor authentication. One is where they send you a text message, which is the method I prefer. And another one is a time-based temporary code. Google Authenticator is popular. Google Authenticator is a prime example of that. That's actually based on a standard. The number escapes me right now. But you and the computer are trying to authenticate to share a seed,
Starting point is 00:18:41 and then that seed is applied to an algorithm. And as long as nobody else has the seed, it's very difficult to predict what the next number is going to be. And their last one here is get down with biometrics. Right. Biometrics to me, I'm not 100% convinced about biometrics. It's better than nothing. So this is things like fingerprint scanning. Fingerprint scanning, yeah. And Apple has the new face ID.
Starting point is 00:19:04 Right. Things like that, those are better than having an open phone, that's for sure. Yeah, for not securing your phone. And they're very easy to implement. I don't know. I think there's not enough research done on the security of these things, and research I have seen suggests that these things are easily defeated, or at least can be defeated. I don't know if "can be defeated" and "easily defeated," I don't view them as the same things. A lot of people in security do.
Starting point is 00:19:31 Cryptographers view things as either secure or not secure. There's a very binary view there. I like to view things more on a spectrum. I don't have to outrun the bear. I just have to outrun you. Exactly. Yeah. That's right.
Starting point is 00:19:47 You don't need to be the fastest guy. You just shouldn't be the slowest guy. Right. All right. Well, I mean, it's a good list. Overall, it's a good list. Yeah. So thanks from our friends at IBM for sending it over.
Starting point is 00:19:57 And thanks to you, Joe, for joining us. Dave, it's my pleasure. Cyber threats are evolving every second, Thank you. full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
