CyberWire Daily - Daily: Medical device, record hacks. (Un)welcome new ransomware: Alfa, Ranscam. ISIS online decline?
Episode Date: July 12, 2016

In today's podcast we hear some reports that ISIS may be losing some social media ground. NATO agrees to increase cyber cooperation. A newly described malware dropper is apparently tailored to work against specific European energy companies. 600,000 patient records are breached in the US. There's a decryptor out for Jigsaw ransomware, but not for the newly introduced "Alfa" or "Ranscam" (and Ranscam doesn't even bother to decrypt in the first place). Markus Rauschecker highlights some of the challenges with information sharing. Google and Niantic deal with Pokémon Go security issues. And don't enter some strangers' home, even if you see Reshiram EX on their sofa.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K at checkout.
ISIS may be shrinking in social media country, even as it shrinks in the Levant. NATO will increase cyber cooperation. A newly described malware dropper is tailored to work against European energy companies. Patient records are breached in the U.S. And medical devices become increasingly attractive to hackers. There's a decryptor out for Jigsaw ransomware, but not for the newly introduced Alfa or Ranscam. And Ranscam doesn't even bother to decrypt in the first place. Google and Niantic deal with Pokémon Go security issues, and don't enter some stranger's home, even if you see Reshiram EX on their sofa.

I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 12, 2016.
ISIS may be declining in cyberspace even as its territory in physical space shrinks under military pressure. The AP has reported a 45% decline in the jihadist group's Twitter traffic over the last two years. Such trends tend to be ambiguous, and quantification is seldom as straightforward as a simple number might lead one to conclude, but there does appear to be some shrinkage of the caliphate's online presence. Eric Knight, industry veteran and president of cloud security shop SimpleWAN, tells us that in his view, government efforts against ISIS are one part of the story. "Hacktivist groups have contributed to the Islamic State's weakening online presence. What the U.S. government is doing is helping, but you also have groups like Anonymous actively going after Twitter accounts controlled by these groups. It's becoming a war with diminishing returns for ISIS. It's taking a lot more work for ISIS to get messages out." So it seems information operations can be self-organizing on both sides of a conflict.
The recently concluded NATO summit featured agreements for increased cooperation in cyberspace. Some of this is against trans- or sub-national groups like ISIS, and other aspects of it are directed toward threats from nation-states. And the nation-state in question when it comes to NATO vigilance is typically Russia.
SentinelOne reports finding a malware dropper built to target specific European energy companies. It looks like a battlespace preparation tool, a precursor to the previously observed Furtim campaign. This inevitably reminds people of last December's attack on Ukraine's grid. While neither SentinelOne nor observers are exactly saying "iz Moskvy," signs do seem to point generally toward the Kremlin.
Kaspersky Lab has looked into industrial control system hosts and finds more than 90% of them vulnerable to remote exploitation. That's not exactly what legal experts would call an admission against interest, coming as it does from a security company, but it's not an implausible figure, and it does suggest that SCADA systems remain unpleasantly exposed to the ministrations of determined attackers.

InfoArmor has published a report, Healthcare Under Attack, that describes a wave of patient record theft the company discovered and disclosed to the National Healthcare and Public Health Information Sharing and Analysis Center, the NH-ISAC, back in May. Some 600,000 records are thought to have been affected. More than 3 terabytes of data are for sale in dark web markets. InfoArmor's chief intelligence officer, Andrew Komarov, who supervised preparation of the report, told us that unfortunately there's little individual patients can do to protect themselves against this sort of incident. Komarov said, "On the traditional anti-fraud level, it is highly recommended to be subscribed on credit monitoring services." But even so, the risk of PII details being disclosed remains high, and with it the attendant risk of fraud and online bank theft.

StealthBits' Adam Laub called the episode "another perfect example of the fact that attackers are after two things, and in this order, credentials and data." He urges enterprises to look to poorly secured credentials and unchecked data to better protect their patients' information. The breaches appear to have been accomplished through exploitation of remote desktop services. BalaBit co-founder and CTO Balázs Scheidler notes that remote access to data is commonplace. "In the case of healthcare firms in question, attackers initially used a normal user account and then acquired super-user privileges using local privilege escalation." He advocates closer monitoring of remote access to identify such misuse.
It's not only patient records, but medical devices themselves that are increasingly of interest to hackers. It's not so much that they're interested in directly attacking someone's health by hitting, say, a dialysis device, although that too is a risk. Rather, medical devices are attractive because they often afford a poorly protected way into medical records, which themselves are easily sold on the black market. TrapX and Cyber Risk Management tell Threatpost that the typical goals are either data compromise or that other evergreen motive for IoT hacks, botnet wrangling.
There's mixed news on ransomware today. Check Point Software has produced a decryptor for Jigsaw, to which we say, bravo, Check Point. The bad news comes in two parts. The criminals behind Cerber ransomware have produced a successor, Alfa, for which there's so far no remedy. And the newly observed Ranscam is also out in the wild. Ranscam should give everyone who's considering paying the ransom pause because, as its name suggests, Ranscam is a scam. The hoods behind it won't decrypt your files because they can't. They were too lazy to write code that would have encrypted the data in the first place. Instead, Ranscam simply deletes your files upon infection. It's just telling you they've been encrypted. So save your Bitcoin and do remember to regularly and securely back up your files.
Another word of advice coming in from multiple sources: use Pokémon Go with caution. Google and Niantic, Niantic being, of course, Pokémon's corporate parent, are working on a fix to a problem arising for many users of the wildly popular game. Demand has outstripped Niantic's ability to sign on new trainers, so many of you are using your Google account to get into the game. But if you do that, you're giving the game full access to your Google account. That's a lot of permissions, more than are needed and more than you should prudently give. Think, do you want Jessie to be able to read your Gmail? Delete stuff from your Google Drive? Do you want everyone to know exactly where you are, even Meowth? Finally, Pokémon trainers, take a good look around you as you pursue the Pokémon in augmented reality. Some map glitches are directing people to places better left unvisited. So even if you see Charmander and Reshiram EX in some random stranger's living room four blocks away, don't go there. That's the kind of thing Team Rocket would do.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.

I'm joined again by Markus Rauschecker.
He's from the University of Maryland Center for Health and Homeland Security. Markus, I saw an article in the Wall Street Journal recently. The article was called, "Should Companies Be Required to Share Information About Cyber Attacks?" First of all, give us an overview. What are they talking about here in this article?

Yeah, this issue of sharing cyber breach information or information about cyber attacks that a company, an organization has suffered. I mean, this idea has been around for a while now. And the basic idea is that if we're sharing information of companies that are seeing cyber attacks, that have experienced a cyber attack, if these companies are sharing information with other companies or with the government about that attack, then other companies and the government can learn from the attack and then use that information to better protect other companies or the government. So that's the basic concept behind information sharing when it comes to cyber attacks and cyber breaches. There is some controversy about the cyber information sharing because on the one hand, yes, everyone kind of agrees that information sharing is a good idea. Situational awareness is a good idea. The more we know about what the threats are, what's out there, what's coming our way, the better everyone will be prepared. But it's a lot easier to talk about this than to implement it, because there are some serious concerns about implementation of actual cyber information sharing. And we've seen that when Congress has been trying to pass cybersecurity information sharing legislation, it took them a while to actually pass a law that creates a framework for sharing this kind of information. Privacy groups and civil liberties groups are very much opposed to cybersecurity information sharing legislation because they argue that personally identifiable information could be shared; government could get information about individuals without actually going through the proper warrant procedures or other privacy protections that are out there.

Back in December, Congress passed the Cybersecurity Act. What was that designed to cover?

This creates a voluntary framework for companies and other organizations to share information with each other or with government and also thereby gain some liability protection for sharing that information. It's really supposed to encourage this information sharing, and information sharing on the technical aspects of the breaches, so that other organizations and government can really learn about what the threats are that are out there and then in real time be able to protect others from the same threat. It's important to note, though, that this is a voluntary framework. No company is being compelled to actually share this information, and companies can choose not to share information if they don't want to.

All right. Time will tell. We'll keep an eye on it. As always, Markus, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.

Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.