CyberWire Daily - Carbanak gets trickier and more ambitious. Ransomware updates. It's beginning to look a lot like 1949 (at least from Moscow).

Episode Date: January 20, 2017

In today's podcast, we hear about how the Carbanak cyber gang is getting trickier and more ambitious. In other cybercrime news, ransomware takes off after more databases. There's a new ransomware-as-a-service offering in the black market. Emily Wilson from Terbium Labs addresses perceptions of terrorists on the dark web. Simone Petrella from CyberVista provides her perspective on cyber security workforce issues. A new strain of Android ransomware hits Russian-speaking users. Locky's back, but in a feeble sort of way. Cybercriminals lock files at a cancer service not-for-profit. Russian policy wonks seem to suggest that we're not at the point in history where 2016 yielded to 2017. Instead—calling all Cold Warriors—1948 just ticked over into 1949.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. In other cybercrime news, ransomware takes off after more databases. There's a new ransomware-as-a-service offering in the black market. A new strain of Android ransomware hits Russian-speaking users. Locky's back, but in a feeble sort of way. Cybercriminals lock files at a cancer service not-for-profit. Russian policy wonks seem to suggest that we're not at the point in history where 2016 yielded to 2017.
Starting point is 00:02:23 Instead, calling all cold warriors, 1948 just ticked over into 1949. I'm Dave Bittner in Baltimore with your Cyber Wire summary and week in review for Friday, January 20th, 2017. There's a fair amount of extortion news at week's end. Ransomware criminals who've been hitting Elasticsearch and MongoDB databases have begun to devote similar attention to CouchDB and Hadoop. The tools for attacking MongoDB and Elasticsearch, as well as a list of vulnerable installations, are now being sold by Kraken Zero on the black market for about $500. The attacks on databases have been unusually damaging,
Starting point is 00:03:11 sometimes wiping the data beyond reasonable prospect of recovery. Elsewhere in the criminal markets, the Satan ransomware-as-a-service is being offered to criminals who lack the time, resources, or technical chops to come up with their own attacks. They offer a wizard to walk aspiring crime lords through the process, as criminal markets and the ways the goods for sale there are designed and hawked continue to ape legitimate markets. Bleeping Computer has the details through researcher Xylitol. They offer a very thorough look at Satan, the malware, not the fallen angel. Unfortunately, there's so far no readily available way of decrypting files that fall victim to Satan,
Starting point is 00:03:53 so remember to back up your data. Fortinet has discovered a new strain of Android ransomware that targets Russian-speaking users. It's unusual in at least two respects. First, its demand is very large, 545,000 rubles, about $9,100, at least an order of magnitude more than the cost of the Android devices whose screen it locks. Second, it asks for payment by credit card as opposed to the customary cryptocurrency. This suggests several possibilities. Android endpoints are highly valued in certain markets,
Starting point is 00:04:29 or the hoods behind this one are inexperienced or overreaching, or the goal is actually carding, perhaps as gravy on top of the main course of extortion. Locky ransomware seems to be making a minor comeback after its temporary eclipse during the holidays, but it may be on its way to supersession by the Spora ransomware strain. An unusually repellent extortion attack has hit an Indiana cancer services not-for-profit. The Muncie-based Red Door has seen its files encrypted. Police are investigating, but it's worth noting that even the most benign and uncontroversial not-for-profits can find themselves in cybercriminals' crosshairs. Back your files up.
Starting point is 00:05:10 And if you're a security professional looking for a chance to do some pro bono work, take a look around at your favorite charities and consider offering your services. Trustwave and Forcepoint are tracking the evolution of Carbanak. The gang, long known for attacks on financial services that are thought to have brought in something north of a cool billion dollars, have begun, as we noted yesterday, to use legitimate Google services for their command and control traffic. It's worth noting that Forcepoint and Trustwave have said they've reached out to Google for some cooperative way of addressing this problem. What's equally interesting is the way in which Carbanak seems to have expanded their target set. They now appear to be going after businesses in the retail and hospitality sectors, too.
Starting point is 00:05:50 Many observers are talking about a de facto state of cyberwar between the United States and Russia, which seems overstated. Where, for example, is the physical destruction, to say nothing of the casualties one associates with warfare? But it might not be an exaggeration to call it a de facto state of cyber-cold warfare. This is especially so since what we now call information operations were prominently featured in the first Cold War as propaganda, disinformation, running agents of influence, and so on. But the Washington Post has a piece on a speech one of President Putin's advisors gave back in February that seems to offer a look at cyberspace under Eastern eyes.
Starting point is 00:06:31 Andrey Krutskikh told Infoforum 2016 that we're living in 1948. That is, we're living in the last year of the U.S. monopoly of nuclear weapons. In 1949, Krutskikh said, Truman had no choice but to start taking the USSR, aka Russia, seriously. Krutskikh promised that in cyberspace we were about to move into 1949. If he's right, one hopes there's a George Kennan for the cyber age out there. If there is, we'll read his or her forthcoming long telegram with interest. As the Trump administration takes office, former New York Mayor Rudy Giuliani has been designated as a lead for cybersecurity policy. The role is more facilitator than director, still less czar, but the appointment has attracted attention because of the patchy security on Mr. Giuliani's consultancy's website. We heard from Mike Patterson, CEO of Plixer International, who sees a lesson here for everyone.
Starting point is 00:07:29 The problems with Giuliani's website, Patterson says, quote, reinforce the magnitude of the problem they face coming into office. When it comes to targeted attacks, which they will definitely be facing, there is almost no defense. Because of this, they may consider entirely new communication methods with all new hardware and software protocols. This will make bridging their discussions to the internet very difficult and as a result, much more secure. He foresees air gaps and toughness on crime. Finally, are we forgetting anything? Oh, there's apparently some big event going on about 40 miles south of us today.
Starting point is 00:08:07 What did we miss? Ah, right, just kidding. It's Inauguration Day down in the District of Columbia. Wherever you are, and if you're in the United States, whomever you voted for, we hope you'll join us in wishing both President Obama and President Trump the best of luck as they step into the next phase of their and our lives. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:08:48 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:09:19 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn
Starting point is 00:10:20 as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:10:44 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Emily Wilson. She's the Director of Analysis for Terbium Labs. Emily, we've sort of been making our way through the report that you put out recently, Separating Fact from Fiction: The Truth About
Starting point is 00:11:29 the Dark Web. I think, myself included, I think a lot of people have this perception that the dark web is full of, you know, terrorists and bad guys. But your report sort of brought out the fact that maybe that's not the case? Yeah, it's definitely a question that we get asked fairly frequently and understandably so. You know, this is a situation where people want to know what kinds of things are taking place and what's considered to be a more kind of unregulated part of the internet. And, you know, we ran into some interesting situations here, both with extremism, a category for weapons, and then a category for what we called weapons of mass destruction. Sort of an absence of evidence issue.
Starting point is 00:12:12 Absence of evidence is not evidence of absence. It's merely kind of an indication of rarity. And so we found one incident of extremism in the work that we were doing, in the sample that we took. Again, the study is based on a random sample of URLs. And we thought that was really interesting because, you know, these events are some of the most popular topics of conversation for people who are first looking at the dark web. Once you get past drugs and fraud, then you naturally turn to kind of more extreme, nasty activity. And really, these things are very rare. That's interesting for a few reasons, right? Because one, just because they're rare doesn't mean they don't happen.
Starting point is 00:12:52 We certainly see extremism pop up from time to time, you know, whether you're dealing with, you know, a Mujahideen handbook or the official ISIS site that popped up, I guess that was last fall, you know, and was quickly taken down by Anonymous, or something like weapons, where we know that weapons exist on the dark web. We've seen them, we know kind of where they are, but we didn't see any in our sample, which I think is a really good, a good indicator of how rare these things actually are. But, you know, I think the other thing to keep in mind about weapons is to take that with a grain of salt. You know, the larger and more intricate the weapon, the more you run into an issue of how are you actually going to ship that? Right, right.
Starting point is 00:13:31 This doesn't mean that ISIS isn't online. It just means that ISIS chooses not to use this particular locality to do their business. Sure. And I think that there is a tendency to lose the nuance in encrypted and anonymous communication as necessarily being on the dark web. You know, I think it's a few things, right? So certainly encrypted communications
Starting point is 00:13:57 and fully private communications are important to people who are trying to plan and carry out kind of terrible attacks. I think also, you know, there are plenty of Tor hidden services, and our study was based on just kind of a sample of Tor hidden services in this case. There are plenty of hidden services that are designed to never be shared or are designed to be shared with a select group of individuals.
Starting point is 00:14:18 And when you are dealing with something that is that important, it is unlikely that that link is going to get out to anyone else. And so it's going to be very difficult to measure or capture or find. All right. Emily Wilson, always interesting. Thanks for joining us. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:15:05 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. My guest today is Simone Petrella. She's the Chief Cybersecurity Officer at CyberVista, where she leads product development and delivery of cybersecurity training and education curriculums, as well as workforce initiatives for executives, cyber practitioners, and continuing education. I actually think that one of the best things that's happening to the cybersecurity workforce discussion right now is a widening of that aperture to people that have different disciplines in their background. I think one
Starting point is 00:15:49 of the biggest misnomers in cybersecurity is that it really is one particular technically niche field. And in reality, it's not. It's multidisciplinary. And so what really makes an organization and individual successful when they go into cybersecurity is bringing that wealth and breadth and depth of background into their particular functional task. And so, you know, I can tell you from my own personal experience, I had a lot of success on the threat intelligence side, hiring either people who are trained as attorneys or former attorneys because of the critical thinking and the assessment components. And we were able to train them up on the technical skills required to specifically focus on cybersecurity after the fact. I think there is just a huge benefit to even just pursuing
Starting point is 00:16:37 those backgrounds as a foundational baseline for those that want to get interested in cybersecurity. Frankly, that's what makes the field so exciting right now is there are really jobs and skill sets that require people to have a wide spectrum of skill sets. So it's not just an area that needs to be the purview of only the hyper-technical. And what are you hearing from the employers? Are they saying that the people coming out of school are properly prepared, or is there a gap there? No, unfortunately, the vast amount of employers, and there's a very interesting study that had been done by CSIS, the Center for Strategic and International Studies and Intel Security, around this very issue. And by and large, employers surveyed found that the people they were bringing onto jobs out of university were not properly prepared for the job tasks that they were expected to perform once they gained employment.
Starting point is 00:17:34 So there's still a gap. Can you contrast some of the differences in skills that the private sector versus the public sector are looking for? Yeah. So the biggest contrast when it comes to private versus public sector is that the private sector to date currently has a completely defensive mission. So in the government sector, there is clearly an emphasis on defense, but there's also a significant amount of expenditure in time and resources on offensive capabilities and exploitation activities.
Starting point is 00:18:06 And those are, you know, definitely appealing for those that are the most hands-on in proactively going out and doing things on networks. The commercial sector is for, you know, authority and legal and just economic reasons focused on the defense of their own networks. And so that is in particular, not only very focused on defense, but it's an increased focus on the integration of all the disciplines within cybersecurity that contribute to that defense. So it's not just whether you have a background in vulnerability management and are identifying which applications are updated to which point and which ones need patches. And then how are you actually monitoring the activity that's going on on a network on a day-to-day basis?
Starting point is 00:18:51 But how is the output or information you're receiving from any one of those disciplines feeding the decisions and business operations of its adjacent units? And that integration and optimization of how those defensive capabilities work together is extremely critical in commercial just because they've had less time to really put it together. Whereas, you know, in the government sector, the DOD in particular has had a longer runtime to really get that right. What would your advice be to the employers in such a highly competitive environment where, you know, they're vying for the most talented people? What are the ways, in your opinion, that they can set themselves apart from the other people trying to hire those skilled workers? To set themselves apart. I think the hardest thing is now the way that that's currently happening is usually through salary and incentive programs.
Starting point is 00:19:46 I actually, my recommendation to employers is to take more of a community-based approach to how they look at their staffing. The beauty of cybersecurity as a profession is it really is cross-functional. And so the job functions of a cybersecurity professional in the healthcare market are not terribly dissimilar to what you would need to do in the financial services sector. You're really just, you need the context of what you're protecting. And so I think there needs to be more of a community model in the actual industry to pool the resources that they're currently spending to either create on-the-job
Starting point is 00:20:25 training programs and very costly training opportunities and maybe put in a fraction of that amount to essentially create a bigger pool of candidates that they all can select from, because right now they're fighting over the same very small, finite pool of candidates. I understand you're the chair for industry for the upcoming NICE conference. What do you want people to know about that? I would love people to know that the NICE conference, which is the National Initiative for Cybersecurity Education, is the wonderful opportunity for employers, academic, industry, and government to come together and really identify ways as a community to solve the cybersecurity workforce issue.
Starting point is 00:21:10 And employers in particular really have an operative seat at that table in order to articulate the most required skill sets that they need while there's an audience of government and academia and training providers who have the capabilities and willingness to build curriculums to actually serve that potential population. So it should be a wonderful time. It's going to be November 7th and 8th of 2017 at the Dayton Convention Center in Dayton, Ohio. That's Simone Petrella from CyberVista. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:21:55 I'm Dave Bittner. Thanks for listening. Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
