CyberWire Daily - BlueKeep is exploited for cryptojacking. Ransomware hits Canadian provincial government. Pegasus lands in India. Magecart, GandCrab updates. US Cyber Command deploys to Montenegro.
Episode Date: November 4, 2019
BlueKeep is being exploited in the wild, not too seriously yet, but you should still patch. Nunavut's government is recovering from a ransomware attack it sustained Saturday morning. The NSO Group controversy spreads into an Indian political dust-up. Different Magecart groups are found to be independently hitting the same victims. GandCrab provided a new template for the cyber underworld. And US Cyber Command deploys to Montenegro. Joe Carrigan with thoughts on the Coalfire pentesters criminal case. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_04.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.
BlueKeep is being exploited in the wild. Not too seriously yet, but you should still patch. Nunavut's government is recovering from a ransomware attack it sustained Saturday morning. The NSO Group controversy spreads into an Indian political dust-up. Different Magecart groups are found to be independently hitting the same victims. GandCrab provided a new template for the cyber underworld. And U.S. Cyber Command deploys to Montenegro.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, November 4th, 2019.
BlueKeep, the wormable vulnerability in Microsoft's Remote Desktop Protocol that Redmond disclosed in May of this year, has finally been exploited in the wild. That's not good, but it's not nearly as bad as months of warnings had led observers to expect. BlueKeep spooked the industry when its discovery was announced, because a worm that enables remote code execution could be a serious matter indeed. NotPetya, a different worm that exploited a different Microsoft vulnerability, did a great deal of damage. So the announcement by several security researchers that a BlueKeep exploit had turned up in their honeypots drew much attention. But as Wired summarizes the attacks, the exploitation so far hasn't gone farther than the installation of some cryptojackers. So there's no reason to panic, but also no grounds for complacency. About three quarters of a million machines are thought to still be vulnerable to BlueKeep. So again, if you haven't patched against BlueKeep, what are you waiting for?

Ransomware hit the Canadian province of Nunavut's government Saturday morning, taking agencies offline and rendering services unavailable. Local and provincial governments have recently proven unusually attractive targets for ransomware: school districts around the United States, cities like Atlanta and Baltimore, and now a Canadian provincial government. There's no word yet on which strain of ransomware was involved, but the remarks by provincial officials to the press suggest that the infection entered the system the usual way, by phishing. Some governments are taking prudent steps to avoid becoming the next victim. The city of Grand Forks, North Dakota, for one, has decided to transfer some of its risk by purchasing insurance. The city of 53,000 has taken out a $500,000 policy that will cost it nearly $8,000 a year in premiums.
The controversy between WhatsApp and NSO Group has grown into an Indian domestic scandal. WhatsApp has accused NSO Group of installing Pegasus spyware on WhatsApp users' devices, targeting journalists, activists, and politicians. Reuters reports that one of the politicians so targeted is the Congress Party's general secretary, Priyanka Gandhi Vadra. A spokesman for Congress, the largest opposition party, said that leaders in other opposition parties were also warned by WhatsApp that they'd been exposed to Pegasus. The Times of India says it's received information from the Internet Freedom Foundation NGO that suggests the Ministry of Electronics and Information Technology's CERT-In knew about the buffer overflow vulnerability in WhatsApp that is believed to have allowed Pegasus in. WhatsApp has filed suit against NSO Group in a U.S. federal court. NSO Group, which is based in Israel and has in recent months publicly committed to a rights-respecting corporate code of conduct, denies WhatsApp's contentions and says it intends to defend itself vigorously. Israel's government has basically said, leave us out of this, we don't have anything to do with it.
Security firm PerimeterX says it's found a new trend in Magecart attacks: different groups hitting the same victims at the same time. There's been some criminal-to-criminal trade, and even some signs that rival groups occasionally coordinate their campaigns, but the essentially opportunistic nature of this particular part of the underground has produced a number of independent attacks on targets. If it's vulnerable, they will come.
Researchers at Advanced Intelligence explain how GandCrab changed ransomware, moving it from a craft practiced in isolation by small gangs to a full-fledged black market commodity. GandCrab, whose announced retirement seems retrospectively to have been considerably exaggerated, began offering ransomware as a service in January of 2018. GandCrab seems to have represented not only a rationalization of the black market, but it appears to have also been a cultural phenomenon, redolent with the romance of crime. GandCrab seemed alive and benefited from a kind of personification. They offered jobs, solicited feedback, and communicated with both accomplices and victims. GandCrab even operated the sort of charity campaigns and microloan partnerships traditional mobsters have run with insular communities. Many an ambitious skid began his or her career with the crab. And through social contagion, the gang has persisted. Advanced Intelligence sees GandCrab's development as having provided a template for other criminal enterprises.
And finally, CyberScoop reports that looking ahead to next year's U.S. elections, U.S. Cyber Command and U.S. European Command have deployed an undisclosed number of cyber operators to Montenegro, where they will work with the host nation to shore up mutual defenses against Russian influence operations. Montenegro is one of the European countries that received close and intense attention from Fancy Bear, that is, if you're just joining us, Russia's GRU military intelligence service, during Montenegro's own recent elections.
The cooperation is expected to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, it's great to have you back.
It's good to be back, Dave. We are going to discuss the incident that's going on with a couple of employees from Coalfire and some pen testing that they were doing in Iowa, and things took a turn for the worse for them.
That's right. What happened here, Joe?
Well, they had a contract with the state of Iowa to do some penetration testing somewhere in the judiciary of the state of Iowa.
And during the course of their penetration testing, they got into a building.
First off, when they walked up to the building, they found the building unlocked.
And this was late at night?
Late at night, around midnight.
Okay.
The building was unlocked.
They actually locked the doors and noted that the building was unlocked, and that's probably
a security violation.
But then they actually picked a lock, which they were authorized to do by their contract.
And the documents clearly show that lock picking was authorized.
Then once they got inside, they set off a burglar alarm.
On purpose.
On purpose.
Okay.
Deliberately setting off a burglar alarm and then waited outside for the police to show up.
Which they did.
Which they did.
These deputies showed up, and when the deputies arrived,
they told the deputies they were penetration testers from Coalfire,
and they showed them all the documents.
The deputies made the phone calls, and everything was great.
Everything happening the way it should happen.
The way it should happen.
With a penetration test.
Right.
Everything's in order.
When you're doing a physical penetration test,
you have a thing called a get out of jail free card, right?
They showed that to the deputies that showed up. The deputies make phone calls to verify everything's on the up and up. And they say to the guys, you should be good to go.
But then?
Sheriff Chad Leonard shows up.
Okay.
Right. And he disagrees with his deputies and says that these guys don't have authorization to try to break into this building because it's owned by the taxpayers of Dallas County, Iowa, and that the state legislature, or state judiciary rather, doesn't have the authority to authorize a break-in or a penetration test at a county facility, and he arrests the two penetration testers.
Okay.
Right.
Now, there's a video from KCCI, which is a TV station out of Des Moines, that shows
Sheriff Leonard talking and one of the senators, state senators, is questioning him and he
says that this could have ended up with five deputies on administrative suspensions
while they investigate why they killed two people at a courthouse.
The sheriff said this.
The sheriff says this.
Chad Leonard says that.
Okay.
So, first off, that's a gross misstatement of what actually transpired.
According to all accounts, the transactions, the conversations between the deputies and the two pen testers were professional and handled well.
It wasn't until Chad Leonard shows up that things went south.
And to be clear, these pen testers, I'm assuming they were not armed.
No, they're not armed.
They were not wearing ninja outfits or anything.
They were professional.
Like you say, everything was done on the up and up by the book
showing professionalism for what they do.
Right. Chad Leonard arrests them for felony burglary and possession of burglary tools, presumably being the lockpicks, right? Now, since then, those charges have just been reduced to criminal trespass, which is a misdemeanor.
Okay.
And Tom McAndrew, who's the CEO of Coalfire, says, no, no, no, no, no. This is not going away. Just because you're lowering the charges to a misdemeanor does not mean that this is still valid in any way, shape, or form. And I agree with Tom McAndrew. This is bogus. This should not be happening. This is happening purely because of Sheriff Leonard. I don't know what his issue is with this.
But it seems like we've got a bit of a turf war here.
Dare I say a pissing match between
two different jurisdictions and one saying
you don't have the authorization to do this.
And these pen testers are stuck in the middle.
Yeah, these pen testers are collateral damage to a political
discussion. A political dispute, rather.
And it's sad. And these charges should be dropped immediately against these two pen testers.
And no further action should be taken because they are not going to win in court, period.
If this goes to court in any way, shape, or form, and McAndrew has said that they are going to go to court over this and get a jury trial if it goes to court.
And they will not win.
Yeah, interesting. I think one thing you noted was, I wonder if their contract holds the state of Iowa on the hook for legal expenses.
Yeah, that's right. Because when they negotiate this, I put that on Twitter, when they negotiate these things, they say, we're going to have these get out of jail free cards. And I've always wondered, I don't know this because I've not worked in a physical penetration testing organization, that if things do go south like this, is there a clause in the contract that says that the customer is going to pay for our legal fees? And then Coalfire could go after the state of Iowa for all the costs that are associated with defending these two pen testers.
Yeah.
Because this is not going to be cheap.
No, no.
The whole thing just seems like it's spun out of hand.
It is ridiculous.
I have to say I agree with what Coalfire CEO Tom McAndrew said.
He said, I hope the citizens of Iowa continue to push for justice and common sense.
Yeah, common sense.
That's a great way to put it.
Yeah.
Just not that common.
Yeah.
All right.
Well, time will tell.
We'll see how this one plays out.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.