CyberWire Daily - Daily: Ransomware evolves (and gets brutal). Dataminr blocks IC--bad Gov-industry blood?
Episode Date: May 10, 2016
In today's podcast we hear about the Panama Papers database. We also discuss updates concerning the Bangladesh Bank heist investigation. New ad-fraud malware, Viking Horde, shows up in the Google Play Store. In ransomware news, CryptXXX is no longer so easily decrypted, Bucbi exploits RDP vulnerabilities, and Triumfant shares what they've learned about Locky. We also talk to Accenture's Malek Ben Salem about big data security frameworks. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
back. If you're not killing these people, then who is? That's what I want to know. Starring Kaley Cuoco and Chris Messina. The only investigating I'm doing these days is who shit their pants. Killer messaged you yesterday? This is so dangerous. I got to get out of this.
Based on a true story. New season premieres Monday at 9 Eastern and Pacific. Only on W. Stream on StackTV.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K at checkout.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, May 10, 2016.
There are some recent developments in the Bangladesh Bank hack story.
Investigation appears to be following two lines.
One of those lines leads toward insiders.
The Wall Street Journal says the
U.S. FBI has evidence that at least one bank employee was involved in the diversion of funds
into a bogus account. Anonymous sources have also told the Journal there are reasons to think that
individual may have had several accomplices. The other line of inquiry runs toward alleged
vulnerabilities in the SWIFT system used to manage international fund transfers.
Authorities in Bangladesh claim they see signs of poor technical practices,
including questionable password management, that rendered the bank open to hacking.
They want to interview SWIFT technicians, a police official told Reuters,
to determine whether their actions were intentional or negligent.
SWIFT, for its part, dismisses the Bangladesh police allegations
as false, inaccurate, and misleading.
Representatives of SWIFT, the Bangladesh Bank,
and the New York Federal Reserve Bank
are meeting today in Switzerland to discuss the incident.
On the malware and exploitation fronts,
ImageMagick vulnerabilities continue to be exploited in the wild.
Newer versions of the popular software
aren't vulnerable, but older instances remain in widespread use. Policy-based mitigations are
available for those older versions. Check Point warns that another serpent is frolicking in the
Google Play Store's walled garden. They're calling it Viking Horde, and while its principal purpose
seems to be ad fraud, it could easily be adapted to
herding bots for spam and DDoS campaigns. CryptXXX is that nasty strain of ransomware
for which Kaspersky recently developed and released a decryption tool. Well, CryptXXX has
evolved. Proofpoint says the ransomware is now able to evade that decryption tool. The CryptXXX
authors are also thought to be responsible
for the long-familiar Reveton malware
and have been closely tied to the Angler exploit kit.
They're also distributing it through new vectors.
The Register reports that the Hollywood gossip site PerezHilton.com
has been compromised to serve up CryptXXX.
Bucbi ransomware, little seen since its discovery in 2014, appears to be making a comeback.
Palo Alto Networks' researchers have found it brute-forcing its way into servers via vulnerable
remote desktop protocol connections. This mode of attack, unusual for ransomware,
seems connected to a wave of RDP capers against corporate networks, which Fox-IT reported last week. Palo Alto says the
criminals behind Bucbi claim to represent the Ukrainian Right Sector, a political organization
opposed to Russian involvement in Ukraine. But this could well be a false flag or provocation,
especially since, as Palo Alto points out, the use of the GOST algorithm suggests a
Russian provenance for the exploit. As usual,
attribution is murky. Other strains of ransomware remain a threat. We spoke to Triumfant CEO John
Prisco. His company recently completed a study of Locky, and here's what he had to tell us.
We came across it as a result of finding it at a customer site.
And then we were asked to build signatures or filters to identify it when it was seen again.
We set about to prove that signatures would be useless in detecting Locky. We did prove that because the malware attack mechanism morphed five times within a 24-hour period. So
if I write a signature to catch it, it's going to morph into something else so that my signature
is useless. Prisco says their approach at Triumfant is to monitor the user's system
to establish what normal use looks like. When processes begin to deviate from the norm, we see that deviation and we record it as an anomaly.
Locky is like any other process. It has to run on your computer for it to be able to
begin doing its damage. And when we see a rogue process running, we find it, we identify it as malicious,
and we shut it down. It's a combination of proactive techniques trying to identify Locky
before it takes hold, and reactive ones acting quickly when the system detects the intrusion.
Antivirus, which is effective in about 20% of all attacks, shuts processes down in a hurry,
but it only shuts the ones down that it has a signature for. So the best of both worlds is to
be able to identify something without a signature and to shut it down quickly. And that's a tall
order. So that's why Locky and other ransomware has been so successful.
We are working on speeding up the process. We've got the accuracy down pat.
Now we have to speed it up so that we can shut these processes off in milliseconds.
That's John Prisco from Triumfant. Their website is triumfant.com,
spelled with an F instead of a PH.
The security industry is showing some understandable ambivalence about information sharing.
Zero-day vendors are feeling the heat.
Their alleged unwillingness to tell defenders about the exploits they've discovered is seen as weakening security generally.
Some security startups dislike the decision by Google and its partners to restrict
VirusTotal access to just those who contribute to it. VirusTotal administrators explain the new
policy this way, quote, all scanning companies will now be required to integrate their detection
scanner in the public VT interface in order to be eligible to receive antivirus results as part of
their VirusTotal API service.
Additionally, new scanners joining the community will need to provide certification
and or independent reviews from security testers
according to best practices of anti-malware testing standards organization.
End quote.
And Twitter's move to block Dataminr from feeding the U.S. intelligence community
is called by eWEEK the foreseeable fruit of a bad relationship government has allowed to develop between
itself and the IT industry. Finally, the world, including us, has been waiting for access to the
Panama Papers searchable database. But since the data hit the internet yesterday, the results have
been disappointingly unsurprising and don't seem to contain anything likely to bring down any more governments. Canadian tax enforcement authorities
are taking an interest in the database, as are transparency advocates in New Zealand.
There are a few more than 30 U.S. citizens who appear mentioned in dispatches, but they seem,
for the most part, people who've been involved in quite public investigations of various forms of allegedly dodgy behavior over the last couple of decades. We searched, because we knew you'd ask,
for all three currently active major party U.S. presidential candidates. No joy, kids. Also,
no Satoshi Nakamoto. But we admit it was a casual search. No spouses, no aliases, etc.
So while we won't say there's nothing to see here,
move on, we ourselves will move on. Everyone else, feel free to gawk.
In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated
Amy Adams stars as a passionate artist
who puts her career on hold
to stay home with her young son.
But her maternal instincts
take a wild and surreal turn
as she discovers the best
yet fiercest part of herself.
Based on the acclaimed novel,
Nightbitch is a thought-provoking
and wickedly humorous film
from Searchlight Pictures.
Stream Nightbitch January 24
only on Disney+.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Joining me is Malek Ben Salem.
She's the R&D Manager for Security at Accenture Technology Labs,
one of our academic and research partners.
Malek, I know one of your areas of research is big data.
And I'm curious, what are the challenges when it comes to security when dealing with big data?
Yeah, security and privacy challenges are magnified by the velocity and the volume, as well as the variety of big data.
Organizations have to understand how sensitive the data they capture is
in order to be able to apply the right security controls to it.
They have to understand how they're using that data
so that they can manage it and store it appropriately. If it's used frequently, it has to be stored in data lakes that are easily accessible with the right security controls.
If it's not used frequently, they have to think about how long they need to keep it.
They need to think about who gets access to the data, especially if it's in a big data platform where it's stored in a distributed fashion. And they have to obviously have a data recovery plan in place for it.
variety mostly, as well as the velocity that that data is captured, we need real-time mechanisms to be able to label the data as sensitive or not, analyze it in real-time, and apply the access
control mechanisms in a real-time manner as well. So what exactly does that mean when you're talking
about the real-time analysis of that data? So what I mean is the ability to look into the data in real time and identify how to classify it.
Is this sensitive data? Is this extremely confidential, highly confidential data?
Or is this data that can be accessed without any specific restrictions internally, basically open for access
to all employees in a company, for example, in order to encourage innovation and sharing.
Those decisions have to be made quickly as the data is being gathered, as otherwise companies
will be behind in terms of applying the right security controls on that data.
All right. Interesting stuff. Malek Ben Salem, thanks for joining us.
And now a message from BlackCloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and
their families at home? BlackCloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365 with BlackCloak.
Learn more at blackcloak.io.
And that's the CyberWire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.