CyberWire Daily - Chrome zero-day patched. Ransomware against infrastructure. Notes from RSAC 2020. Julian Assange’s extradition hearing.

Episode Date: February 26, 2020

Google patches a Chrome zero-day. Ransomware attacks against infrastructure. DoppelPaymer prepares to dox its victims. How CISA and NSA cooperate. Dallas County, Iowa, finally drops charges against pentesters. Mr. Assange's evolving defense against extradition to the US. Notes on RSAC 2020. And if you were a superhero, which superhero would you be? Justin Harvey from Accenture on his RSA observations; guest is Keith Mularski from EY on ransomware. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_26.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected.
Starting point is 00:01:04 Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k. Google patches a Chrome zero-day. Ransomware attacks against infrastructure.
Starting point is 00:01:58 DoppelPaymer prepares to dox its victims. How CISA and NSA cooperate. Dallas County, Iowa finally drops charges against pen testers. Mr. Assange's evolving defense against extradition to the U.S. Notes on RSAC 2020. And if you were a superhero, which superhero would you be? Coming to you from the 2020 RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Wednesday, February 26, 2020. Google has patched a Chrome zero-day that's undergoing active exploitation in the wild.
Starting point is 00:02:37 Mountain View isn't saying much about how, where, or by whom the vulnerability is being exploited. It's CVE-2020-6418. In fact, Google's not really saying anything at all, confining itself to this terse observation: Google is aware of the reports that an exploit for CVE-2020-6418 exists in the wild. The zero-day is a type confusion issue, one in which an app initiates data execution of a certain type of input, but is subsequently fooled into treating the input as a different type.
Starting point is 00:03:10 Exploitation could give an attacker the ability to run malicious code within an application. Two other non-zero-days are also fixed in the update. Users are advised by multiple experts to patch. Energywire says the Coast Guard has confirmed that the ransomware attack against a natural gas facility CISA warned of on February 18th was in fact the same incident the U.S. Coast Guard reported in a December Maritime Safety Information Bulletin.
Starting point is 00:03:37 Dragos offered the same evaluation last week. FireEye notes the ways in which industrial systems have become increasingly attractive targets for ransomware operators. The extortionists are now frying bigger fish than heartland school districts. Concerns about ransomware are high on the list for those charged with defending infrastructure, as FCW reports CISA Director Krebs observed this week at RSA. As if to give point to those concerns, a small electrical utility in Massachusetts, the Reading Municipal Light Department,
Starting point is 00:04:13 has disclosed that it sustained a ransomware attack last Friday. Another big trend in ransomware is stealing files in addition to simply encrypting them. Bleeping Computer notes that the operators of DoppelPaymer ransomware have now adopted the increasingly common tactic of adding doxing to the traditional threat of data loss. DoppelPaymer has established a site where it will post private files stolen from victims who declined to pay their ransom. An RSAC panel hosted by CyberScoop featured the directors of two major U.S. agencies, NSA's Cybersecurity Directorate, led by Ann Neuberger, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Directorate, led by Christopher Krebs. The organizations see their roles and missions
Starting point is 00:04:54 as complementary and offering a good scope for collaboration. Work against the Russian influence operations and other information operations that targeted the 2016 elections and that have since continued spurred more effective information sharing. And Microsoft's January patches provided an important opportunity for the two agencies to reach out to the public on an urgent matter of online security. Dallas County, Iowa has ended its bungling and discreditable treatment of two Coalfire penetration testers, dropping all felony burglary and criminal trespass charges against them, InfoSecurity magazine reports. In another legal case, the extradition hearing in the matter of Mr. Julian Assange
Starting point is 00:05:37 continues at Woolwich Crown Court. Reuters reports that barristers working on behalf of the WikiLeaks proprietor branded U.S. allegations that Mr. Assange helped the then U.S. Army Specialist Bradley Manning hack into classified systems as lies, lies, and more lies, a position that the American prosecutors, of course, are unwilling to accept. Mr. Assange's counsel also took on another central U.S. contention that WikiLeaks' publication of material then-specialist Manning stole put lives at risk. On the contrary, argued lawyer Mark Summers, when Mr. Assange
Starting point is 00:06:11 learned that unredacted copies of the material he'd received and prepared to share with various media were about to become public, he tried to warn U.S. authorities, calling the State Department and asking to speak with then-Secretary Hillary Clinton to warn her that lives were on the line and that something needed to be done. She didn't take his call, Mr. Assange's defense team said, and no one got back to him in the promised couple of hours. Keith Mularski held leadership positions with the cybersecurity team in the Pittsburgh office of the FBI, and under his team's watch, several high-profile criminals and organizations were brought to justice. These days, Keith Mularski is with the team at EY.
Starting point is 00:06:50 He stopped by our booth at RSA to share his insights. I had spent 20 years at the FBI. And you know, at that time, you're eligible to retire. Just a great opportunity to kind of still continue fighting the fight. But just from the other side, Ernst & Young gave me just a great opportunity to come and be a leader in their cyber practice and continue doing threat intelligence and incident response and being able to help clients just from the other side. So it's been a great transition. What sort of insights have you gained from being on the other side? Has it given you a fresh perspective from what you had before? I think one of the things was the state of cybersecurity is a lot worse than I thought.
Starting point is 00:07:30 You know, being on this side, I thought it was a little bit better. The other thing is just it's all about defense. You know, whereas when I was in the FBI, you know, you're doing offensive, defensive and investigations. So it is a little bit of a different beast, but fun nonetheless. So in terms of the things you have your eye on these days, particularly when it comes to ransomware, what are you and your colleagues at Ernst & Young focused on? So when I look at ransomware, I really look at that as probably the biggest cyber criminal threat affecting companies today. You know, in the past, you know, you had different banking trojans and they were doing account takeovers.
Starting point is 00:08:14 Over the last five, six years, the banks have gotten really good at stopping big wire transfers going out. So these organized crime groups, it's not profitable to do those big wire transfers because they're just not as successful, but they're leveraging that, that access that they had now to do what we're calling enterprise hunting ransomware or big game hunting ransomware. I'm curious too. I mean, from your point of view, I know the, the line from the FBI forever has been, don't pay the ransom. Right. Now that you're on the other side, do you still believe that's the way to go? Well, yeah.
Starting point is 00:08:53 I mean, I believe that you shouldn't pay the ransom because that's just giving money to a criminal organization. And I believe that if you have really good cyber hygiene and security practices put in place, that you can prevent the majority of these attacks. And so you shouldn't even be in a position to have to pay these ransoms. So, you know, what you really want to kind of do with these groups is kind of put together a playbook because they all do follow a pattern. And once you know their playbook, you can build defenses around that. Yeah.
Starting point is 00:09:22 Everybody has a limited budget, right? And they have to allocate the various things that, you know, dial in the percentages to various things. What's your tips for folks who have ransomware front of mind? How should they be approaching that from a practical point of view? Well, I think you have to use intelligence
Starting point is 00:09:38 to really drive your business practice. You really need to understand where your crown jewels are. You need to be able to know where your risks are and make a business decision based on a risk. You know, can you be 100% secure? Absolutely not. But you need to manage, you know, your risk to a level
Starting point is 00:09:58 where you're comfortable that, hey, my spend is at this right level to lower my risk to this level and that's acceptable, you know, for that. And that's what you have to do. And the only way to do that is really to have good intelligence on where your crown jewels are and also, you know, the techniques and tactics used by the threat actors out there. Well, what are you tracking in terms of evolution in these ransomware groups, how they're coming at people? What are the trends there? So one of the biggest trends that we're seeing lately is because people don't want to pay the ransom
Starting point is 00:10:30 or they're restoring from backups. What we're seeing then is now a couple of the groups, I just saw DoppelPaymer, Maze is another group right now, where since they're in your network for 30 to 45 days, they're stealing documents. And now they're saying, if you don't pay the ransom, now we're going to post your confidential documents. So we're seeing a trend for them to try to really make sure that they get that money from you. Turn up the heat. Turn up the heat. Yeah. That's Keith Mularski from EY.
Starting point is 00:11:02 To return to RSAC 2020, what's our sense of the conference this year? We will say that the event is well attended despite the last minute high profile cancellations announced last week. It is perhaps a bit more subdued than we've seen in previous years. Some of the sense of reserve is no doubt due to concerns about COVID-19, the coronavirus strain that prompted those 11th hour withdrawals. Hand sanitizer stations are much in evidence and people seem less apt to shake hands. More generally, and with respect to the business of cybersecurity, we're getting a vibe that people see small businesses, the mom and pops, as underserved by the sector.
Starting point is 00:11:42 Finally, inspired by Cisco's launch of its SecureX platform at RSAC, and especially by the news that SecureX's internal name had been Thanos, MarketWatch wonders what superheroes exemplify the spirit of various cybersecurity companies. Technically, Thanos is a supervillain, but we'll leave that aside. They confined themselves to the Marvel Universe, so DC superheroes need not apply. Iron Man was the superhero most companies chose as their muse and role model, followed by Captains America and Marvel,
Starting point is 00:12:16 with Sue Storm, Vision, Shuri, Doctor Strange, and Ant-Man, the Hank Pym version, thank you very much, also crossing the finish line. To our industry's shame, not a one of them chose Dr. Charles Xavier, the Silver Surfer, an obvious choice, one would think, for any browser security vendor, or the Ancient One. Sad. MarketWatch had some suggestions for the various companies they talked to, and their suggestions struck us as better than the companies' preferred superheroes.
Starting point is 00:12:45 Again, sad. For our part, we call J. Jonah Jameson. He's what you call high energy. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:13:17 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:13:47 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:51 And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, great to have you join us here at RSA 2020. It is great to be here. Hopefully we're coronavirus free. I know, I know. Everybody's fist bumping and rubbing elbows instead of shaking hands. And there's lots of hand sanitizer being distributed just about everywhere. You've had a little bit of time to walk around and take in
Starting point is 00:15:17 some of the sights to see. What's your sense so far on this year's RSA conference? Well, my sense so far is there are so many vendors out there. You have Moscone North, which is several football fields' size full of vendors. Then you've got the tunnel between the two that has a lot of startups, smaller booths. And then you have Moscone South, which is, again, the same footprint as Moscone North,
Starting point is 00:15:42 several football fields of vendors. Right. And we're seeing a few common themes. The first theme is that it seems that there are a lot of technical solutions looking for business problems. So there are so many vendors out there. And I often wonder if I was a CISO or part of the C-suite of a, heck, even a small, medium-sized business, let alone a G2000
Starting point is 00:16:06 company, it is absolutely overwhelming. All of the blitz of vendors, there are intelligence vendors. Everything is intelligence-led or intelligence-embedded. There are platform plays and everyone says they have a platform. Even if you have a little point solution, it's better to call it a platform. Right, that's like years ago, it was not just a product, it's a solution. Now it's a platform, right? Exactly.
Starting point is 00:16:37 And, you know, there's all of the normal cast of characters that you would expect, all of the big vendors out there, like the FireEyes, the Ciscos, the Gigamons, the Palo Altos, they're all out there. Yeah. And then you've got your medium and smaller players out there. There's an equal mix of cloud and threat detection endpoint network, but we're also seeing a resurgence of identity and access management solutions and privileged access monitoring. So I think that's really picking up and less and less on the GRC side and less on regulation.
Starting point is 00:17:11 And what do you think is driving those trends? Well, I think just like we put out in our cost of cybercrime report a few weeks ago, the number of incidents and number of breaches are going up and the average cost of breaches are also going up. We've been tracking it with the Ponemon Institute for the last five years, and it has gone up 72%, 72% in the average cost of a breach. And just in this last year alone, it's gone up 13.7%.
Starting point is 00:17:41 So there are more breaches happening, clearly, and they are costing a lot more. So we're seeing a lot more vendors out there. But I do believe this is probably, I think we're nearing the end of the line here. I think the bubble is about to burst on these companies. Just earlier this week, I was talking to someone who is a VC funder, and she was saying that there's so many of these companies where it seems as though they don't have so much of a product as they have a feature. Something that would be nice to add to the things that we already have, but it probably can't stand on its own.
Starting point is 00:18:21 I wonder how much is this a result of there's so much money in the sector right now that maybe it's not hard to get someone to put a little juice behind you when you're getting started up enough to come here and show your wares at RSA. Yeah, I think that there are a lot of point solutions and add-ons out there, but I think the market for those types of organizations with their products may be dwindling because if you put yourself in the mind or in the shoes of a CISO, he or she grapples every day with a very large technology stack. It's really hard to continue to add little point solutions on. And every time you buy a piece of software, there's the time invested in procurement and doing the contracts. Then you've got to install and configure it. Then you've got
Starting point is 00:19:08 to maintain it and monitor it. So it becomes quite difficult to keep up with all of them. What's your strategy for a show like this in terms of takeaways, of getting out there? What are the things that you want to learn from a big show like this? Well, I'm out here primarily to talk to you, Dave. Oh, brother. A little pandering there. Yes. So I'm out here to talk about our services and what we're seeing in the market. I'm also here to talk to our biggest clients and customers. Absolutely. And I think the tertiary goal is to really walk the floor and look for those nuggets, those diamonds in the rough.
Starting point is 00:19:46 Because I know I'm not going to find the diamonds in the rough in the big halls, really. Yeah. It's going through investment alley, the startup alley with all these little vendors. And you'll find one or two of these that perhaps make good acquisition targets or good partners or allies in the fight. And being able to find these innovative solutions is really core to our business. All right. Well, as always, Justin Harvey, thanks for taking the time out of a busy show to come visit us. Thank you.
Starting point is 00:20:46 of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Thanks for listening.
Starting point is 00:21:57 We'll see you back here tomorrow. Thank you. and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Starting point is 00:22:42 Learn more at ai.domo.com. That's ai.domo.com.
