CyberWire Daily - Cleaning ransomware out of the Play Store (but snakes still get into the walled garden, so watch your apps). Vigilantes, vulnerabilities, and industry news.
Episode Date: January 25, 2017. In today's podcast we hear about Russia's arrest of a Kaspersky Lab threat researcher (charges are said to be unrelated to Kaspersky). Charger ransomware is detected and ejected from the Play Store. Mobile users are urged to watch their apps—too many snakes are still getting into the walled gardens. RATs evolve and return to the wild. Shamoon 2 expands its target set. A database vigilante may be out there. Awais Rashid joins us from Lancaster University to share thoughts on IoT devices in healthcare. Michael Lipinski from Securonix wonders if state actors have become a convenient excuse. Cyber fraud rises in the United Kingdom—it's safer for the crooks than stickups. M&A and venture funding news. And that Verizon-Yahoo! deal remains up in the air.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russia charges a cyber threat researcher with treason.
Charger ransomware detected and ejected from the Play Store.
Watch your apps.
Too many snakes are still getting into the walled gardens.
RATs evolve and return to the wild.
Shamoon 2 expands its target set.
A database vigilante may be out there.
Cyber fraud rises in the United Kingdom.
It's safer for the crooks than stick-ups.
We've got some M&A and venture funding news.
And that Verizon-Yahoo deal remains up in the air.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 25, 2017.
In news that broke early this morning, we hear that Russian authorities have arrested a senior threat researcher with Kaspersky Lab.
Ruslan Stoyanov has been arrested on charges of treason.
Kaspersky Lab told CNBC that the investigation and arrest are unrelated to the company,
and that Stoyanov is under investigation for the period when he worked for the FSB prior to joining Kaspersky.
Details are sketchy and may not be forthcoming.
Stoyanov was charged under a statute that permits secret trials.
We'll be following the story as it develops.
Check Point warns of Charger, a newly discovered ransomware strain found in the EnergyRescue app in the Google Play Store.
Google's Android security team managed to interdict the malware before it reached the point of mass infection.
In the case of Charger, the extortionist's threat is release, sale, or other abuse of stolen data,
mostly contacts and SMS messages.
All your data is already stored on our servers, crow the hoods, who demand $180 in protection money.
If you've been missing the implausibly fractured English of Guccifer 2.0 and the Shadow Brokers,
and who among us hasn't been missing those boys and girls,
the lingo behind Charger will make you nostalgic for the old days.
You need to pay us, otherwise we will sell portion of your personal information on Black Market every 30 minutes.
We give 100% guarantee that all files will restore after we receive payment.
We will unlock the mobile device and delete all your data from our server. So there you go.
And no friends and family discount mentioned.
Charger also asked for admin permissions,
and of course, were those granted, would lock the infected phone.
The malware was available for about four days before being taken down,
and Check Point thinks relatively few devices were affected,
perhaps because the criminals were engaged in a test run.
Zscaler and Malwarebytes are warning that two newly evolved remote access Trojans, or RATs, are circulating in the wild.
Zscaler reports that SpyNote is flying the false flag of a Netflix app.
Malwarebytes says that the well-known AndroRAT has become more stable,
added new functionality, and increased its obfuscation.
Saudi Arabia's government is concerned about the latest rounds of Shamoon 2 attacks,
which this week were disclosed to have hit chemical industry targets as well as the labor ministry.
The incidents may indicate a shift in Shamoon 2's target set.
November's attacks involving the malware most prominently focused on aviation operations.
The original Shamoon attacks of 2012 hit Saudi Aramco.
In the wake of widely reported attacks on Hadoop and MongoDB instances, it appears that a database vigilante (that's what Motherboard is calling him or her or them, anyway) is on the mean streets of cyberspace, finding poorly secured databases and warning their admins.
The warning may be too subtle for most admins to pick up on.
The vigilante is inserting an empty folder into the vulnerable database and naming it YourDBIsNotSecure.
We're ambivalent about vigilantes and other gray hats,
but the chairman of the not-for-profit GDI Foundation tells Motherboard that, quote,
it looks like a friendly warning, end quote, which is one way of looking at it.
Database admins, look to your defenses.
The Anthem data breach remains one of the most significant we've seen,
with over 80 million customer records stolen from the health care company back in February 2015.
The story was back in the news recently when California's attorney general announced
that state actors, most likely China, were responsible for the breach.
Not everyone is comfortable with that attribution.
Mike Lipinski is CISO at Securonix.
I think we're starting as an industry to start using the state actor concept.
It happened with Yahoo. It's happening now with Anthem.
It's happened with OPM. A lot of them are blaming the state actor concept.
And I just think that we're getting a little too perilous with
using that as a get out of jail free card. It's, you know, regardless of whether it's, you know,
me attacking your system or a state actor attacking your system, I think we have to
make sure that we're providing the same protections to eliminate that from happening.
I understand that the logic behind using a state actor excuse is that, well, they're well-funded,
they have a lot of tools, they have a lot of money, we can't possibly stop them from getting
in if they want to get in. But I guess my argument to that is, if you look at all the current reports
that are out that, you know, the after the fact, just like this Anthem one, or if you even look at
the reports that, you know, the NSA released and their review of all of the breaches over the last three years,
these companies aren't exploiting any new vulnerabilities in these attacks.
They're attacking things that we've known about for many, many years.
So there's really not an excuse if we're doing our jobs well to allow these breaches to keep happening
if we get a little bit more diligent about taking care of our environments.
What's the takeaway here? What's a better way for Anthem to have handled the situation?
From a breach standpoint, I think all organizations, and I won't just pick on
Anthem because it's really every organization you've read about or heard reported on in the
last couple of years, the data that they needed to identify the attack quickly has been in their environment.
We've always been able to go in after the fact from a forensic standpoint and determine who did
what, when, and how. We're just not using that data well in a proactive fashion on the whole.
You know, you've got your prevent, detect, respond components of security. Prevent, you have to agree,
is going to fail.
I think that's what we're saying with the whole state actor breach.
If people want to get in bad enough, they can.
So, okay, if we're going to subscribe to that concept,
then that brings us to our detect and respond component of our security infrastructures.
I think that's where we need to get better.
I think we need to get better at finding that breach when it happens.
So we don't allow people to stay in our networks, you know, 200, 300 days and
exfiltrate data and, you know, leave. The breach is inevitable, but the exposure doesn't have to be.
That's Mike Lipinski from Securonix.
Cisco is patching its WebEx Chrome plugin. Users are advised to update. The vulnerabilities addressed are potentially serious.
KPMG reports that cyber fraud cost the United Kingdom some 124 million pounds in 2016, and that's a lot. KPMG tracked fraud cases in British courts to arrive at its figures. And who's behind the rise in cybercrime? Skids (script kiddies), to a significant extent.
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told us that, quote,
what is particularly alarming is the rise of small online fraud committed by teenagers and people with almost no technical skills, end quote.
Cybercrime is seen by many hardscrabble crooks as a relatively low-risk, high-payoff proposition, especially when compared to stick-ups and muggings.
In industry news, RiskIQ buys Maccabim for its brand-threat project management capability.
Cisco is acquiring AppDynamics for a reported $3.7 billion.
Reuters floats the rumor that Keysight Technologies is considering buying Ixia.
Venture capital hasn't been idle either, as SentinelOne closes a $70 million Series C round, and Secret Double Octopus, specialists in multi-factor authentication,
gets $6 million in Series A funding from Jerusalem Venture Partners.
And finally, what does Verizon have to say about the new SEC investigation of Yahoo's breach disclosure and Yahoo's announcement that its deal with Verizon will be delayed at least until April? Well, nothing. As far as we can tell, Verizon is keeping its counsel and holding its corporate tongue.
And I'm pleased to be joined once again by Awais Rashid.
He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Professor Rashid, certainly the IoT is top of mind these days with the major hacks that we've seen, the botnets and so forth. Today, though, you wanted to talk about IoT when it affects the healthcare industry.
Yes. We have recently seen, as you note, that IoT devices have been used in large-scale attacks. And let me start by saying the Internet of Things is a very promising development where we can use a high level of connectivity in really a number of key applications, such as digital health, whereby implantable medical devices or body area networks can help us. But one of the things we need to bear in mind is that we must not, as we design these devices, ignore security, because in due course, as we have seen in other domains, such as industrial control systems and critical national infrastructure, once these devices are connected to other networks, that opens them up to various potential vulnerabilities and attacks. And we've already seen this in high-profile attacks. So there are a number of threats that we need to think about. So first of all, there is what you would call the telemetry interface in these devices, where potential attackers can, you know, eavesdrop or replay forged commands, for instance, to make the device do something that it shouldn't be doing. We've already seen the use of these devices in malware. Can you imagine somebody's pacemaker, for instance, being used as part of a botnet? But there are also more subtle ways in which these things can be compromised. So you don't necessarily need to, for example, make the device do something. You can just do enough to the device to cause sensor or actuator failure, thereby compromising trust in the device. Or you can maliciously inject some data that no longer allows you to trust the information that you are getting from the device, in which case it is absolutely useless.
So how can organizations protect themselves from that kind of thing?
I think the fundamental principle that we need to use with regards to health IoT is: if it is not secure, it is not safe. And that's the fundamental thing. We have a very good understanding of safety within the health environment, and I think we need to extend that towards security and ask the question, if this device is not secure from a cybersecurity perspective, is it really safe to utilize in a health setting? And we are increasingly seeing regulators actually get much more aware of these issues. The other thing that we really need to think about is that these devices don't operate on their own. They will come into contact with a range of other systems simply because they are networked. And it is not just about securing what's on the device, but also the environment in which these devices are placed, and actually understanding the interactions with that environment and how we may secure those interactions so that the device and the data it is utilizing are protected in an effective fashion.
Professor Awais Rashid, thanks for joining us.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.