CyberWire Daily - Data center ransomware. Third-party breach hits telco customers. Buran and Buer on the black market. The Great Canon opens fire. Russia trolls Lithuania. Big bad BEC.
Episode Date: December 5, 2019
Data center operator CyrusOne sustains a ransomware attack. Another third-party breach involves a database inadvertently left exposed on an unprotected server. Buran ransomware finds its place in the black market, as does the new loader Buer. China's Great Cannon is back and firing DDoS all over Hong Kong. Russian trolls are newly active in Lithuania. And a business email compromise scam fleeces a Chinese venture capital firm of $1 million, enough for a nice seed round. Robert M. Lee from Dragos on the evolution of safety and security in ICS. Guest is Sean O'Brien from @RISK Technologies on how states and cities need to prepare against election-targeted cyber attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_05.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k.
Data center operator CyrusOne sustains a ransomware attack.
Another third-party breach involves a database inadvertently left exposed on an unprotected server. Buran ransomware finds its place in the black market, as does the new loader,
Buer. China's Great Cannon is back and firing DDoS all over Hong Kong. Russian trolls are newly
active in Lithuania. And a business email compromise scam fleeces a Chinese venture
capital firm of $1 million, enough for a nice seed round.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday,
December 5th, 2019. The large U.S. data center company, CyrusOne, has sustained a significant
ransomware attack. According to ZDNet,
the ransomware strain involved is REvil, also known as Sodinokibi. CyrusOne, which owns and
operates 45 data centers in the Americas, Europe, and Asia, as of this afternoon hadn't addressed
the attack on its website, but some of its customers have advised their own customers, in turn, that they may
experience some service disruptions. Sources tell ZDNet that CyrusOne is working with law
enforcement and that it's quietly working with its customers to resolve problems with data availability.
The exposed AWS S3 bucket that UK-based Fidus Security found earlier this week
now has a known owner. TechCrunch traced
it to Deardorff Communications, which apparently does some marketing work for Sprint. The database,
found on an unprotected cloud server, contained just over 261,000 cell phone bills and other
documents belonging to AT&T, Verizon, and T-Mobile subscribers. It's thought that these were collected as part of a campaign to induce people to switch
carriers.
The information exposed in the incident included bank statements, subscribers' online usernames,
passwords, and account PINs.
Deardorff Communications told TechCrunch that they secured the database yesterday.
McAfee offers some updates on the Buran family of ransomware it
first described in May. Buran, that is, Blizzard, is widely traded in russophone criminal markets,
where it's flacked as a stable offline crypto-clocker. That's their word, not ours. We
think they probably meant crypto-locker. With flexible functionality and support 24-7.
The RIG exploit kit is a common delivery mechanism.
Elsewhere in the criminal-to-criminal market, Proofpoint is following Buer,
which it describes as a new loader.
Buer has been distributed through malvertising that redirects to the Fallout exploit kit.
It's also being pushed by phishing, the payload carried in malicious
Word document macros. The going price for Buer is $400.
China's Great Cannon distributed denial of service tool is back in battery and firing against Hong Kong dissident organizers.
AT&T's Alien Labs says that the Great Cannon, which had been relatively quiet for some months,
has been turned against LIHKG, a service widely used by protesters.
The tool injects malicious JavaScript into webpages behind the Great Firewall.
These, in turn, hijack users' connections to make repeated requests of the targeted site.
LIHKG says that Cloudflare has been a help to it during this period of attack,
and also that it thinks it has reason to believe that what it calls a national-level power is behind the attacks. There's little doubt that such power is being applied by Beijing,
so that national-level power would be China. The point is interdiction. The Chinese government,
which has ratcheted up the level of kinetic violence
it's prepared to use against the ongoing protests,
wants to be sure that it's jammed the protesters' communications.
Small cities and towns are finding themselves in the crosshairs lately,
falling victim to ransomware attacks, phishing schemes, and other online scams.
They've also got their hands full preparing to secure upcoming elections.
Sean O'Brien Brehm is chairman and CEO with @RISK Technologies.
I don't think anyone in the world would have guessed that someone in a polling county in Pueblo, Colorado
would be directly assaulted from somebody from Moldova, Russia, or East Timor for that matter.
So I think where we're at is people are doing the best they can with the resources and funding and knowledge that they have.
And when you describe the spectrum of things that we're up against,
I mean, what are the various types of attacks and where are they coming from?
If you look at the attacks, they range from something very simple, which is, you know,
20, 10 years ago, when you wanted to zip up a bunch of files, you right mouse clicked
on it and you hit WinZip and the files were zipped up.
And then someone says, well, why don't I build, why don't I build some encryption that goes
on top of that so I can then encrypt the files?
And then someone else comes along and goes, wow, why don't I take that technology that was meant for good and turn it to evil? So on one end
you've got a very simple attack, which is merely taking good technology and turning it into bad
technology with ransomware. Then you have the more targeted environments where, well, I'll go ahead
and build some kind of spyware so I learn a little bit about
you, and then I can more effectively orchestrate my attack. And then you have the really, really
good guys who are going to do non-malware-based attacks using rootkits or great tradecraft and
just being network traffic-based attacks. And unfortunately, when it comes to elections,
all of the above apply. Because when you think about it, if you really just want to create doubt in the election, let's go ahead and
do what I call, you know, kind of the sore losers of the internet. When you think about a lot of
people that do ransomware, you may remember when we were kids and we played baseball on the lot,
or we played basketball or soccer or football. The guy who brought the ball
sometimes doesn't like losing, so he takes his ball and goes home, right? That's really what a ransomware
guy is, right? It's like, he's really not going to be that good at maybe potentially hacking you. He
bought a kit, so he's just going to take his ball and go home and ransom you. And when you think
about a more advanced attack, those are going to be where I just slow the network down.
But both of them get the same results, especially when you think about elections, right?
If I ransom something and shut it down because it doesn't work at all, I still degrade the American people's trust in the election process.
If I slow it down such that people are waiting out in line as the poll lines and eventually
someone's got to come out there and say the polls lines are so long, I'm sorry after this
person, no one else can vote.
Now you're getting into a really sophisticated attack that creates even more doubt than maybe,
oh, well, this county was blue, so they were doing it on purpose to avoid red from voting,
or this county was red and they're keeping blue from voting. So despite whether it's a sophisticated attack that might create greater
dispersion and doubt or a less sophisticated attack that clearly was based upon ransomware,
both are going to erode trust in the fundamental principles of democracy, which is their ability
to vote.
Now, the states and the cities, the towns and the counties that have to contend with this, in your estimation, are they outmatched or do they
have a chance at rising up to this challenge?
You know, having worked with people that work in the government, being a former guy that used to work in the government, especially,
you know, a former military officer, you know, servant leaders are servant leaders, right? They're going to do the best they can with the tools they have. So when you think
on every day, on a daily basis inside the DoD, that's instilled in the rugged individualism of
being American. People will rise to the occasion. So I don't think it's a fact that the average rugged
individual won't go out there and try and get this done. I think the issue is what resources they have available to them.
It's not so much that you've got this mismatch between this Herculean rock star hacker
that's the best in the world.
They're just going against people that are doing the best they can
with probably not enough resources or knowledge on what they're up against.
That's Sean O'Brien Brehm from @RISK Technologies.
Britain's National Crime Authority announced today that a Russian gentleman, one Maxim Yakubets,
has been indicted in the U.S. on charges related to his alleged involvement in two distinct international hacking and bank fraud capers
that ran from May of 2009 through the present.
The indictment came from a joint investigation by the NCA,
Britain's National Cyber Security Centre, the NCSC, and the US FBI. Mr. Yakubets, a 32-year-old Muscovite, is alleged to be the proprietor of Evil Corp, which the NCA describes as the world's
most harmful cybercrime gang, responsible for losses in the hundreds of millions of pounds
in the United Kingdom alone.
He is alleged to have employed dozens of henchmen, and presumably henchwomen too,
who operate his gang from the romantic venue of Moscow cafe basements.
So is Mr. Yakubets in custody? Alas, no, he's safely in Russia. But should he decide to vacation abroad, the U.S. will be ready with extradition paperwork and a proper escort stateside.
If he's considering a holiday spot, we hear the Maldives are lovely this time of year
and that either the Secret Service or the U.S. Marshals Service
will happily arrange a junket through Guam for him.
He should bring his friends, make it a company outing.
They've worked hard.
And finally, if you needed any more motivation to take the risk
of business email compromise seriously, that's BEC, the scam technique in which someone spoofs
a company bigwig's email address and tells the finance department, for example, to get their
skates on and transfer a lot of cash pronto to some account they may or may not have heard of.
Look east, and then a little bit farther east. It
happens everywhere, but in this case, security firm Check Point says the victim was an unnamed
venture capital firm in China that thought it was dealing with an unnamed tech startup in Israel.
It was dealing with that startup, but the scammers succeeded in interposing themselves
into the communication. The crooks posed as employees of an Israeli startup
interested in raising funds from the VCs. They used email addresses with a domain that was similar
but not identical with the company's actual domain. They succeeded in getting the VCs to give them
one million dollars. The gaff was blown when the real startup noticed that it hadn't received the
investment it had negotiated, but by that time it was too late, and the money was gone, baby, gone.
Innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their
personal devices, home networks, and connected lives. Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Robert M. Lee.
He's the CEO at Dragos.
Rob, it's great to have you back.
I wanted to take a little trip down memory lane with you,
and I want to start with a personal
story of my own. My grandfather spent his entire professional career working in a steel mill,
in the melt shop of a steel mill. Started sweeping the floor at 17 and retired at 65 with his gold
watch and spent his entire life in that same company. And I remember him telling me stories
about how along the way, the technology changed when it came to making steel. Part of that was
better chemistry, better testing. He said, you know, they shifted from knowing the
steel was right by the color and the smell to actually being able to test
things, and eventually computers came on board, and that increased the
quality of the steel and it increased the safety of the plant.
And I tell you that story to ask you this.
Can you take us through, can you think of a good example to kind of give us some insight and some perspective as to how that has affected ICS, how that path has happened in ICS?
And what are some of the implications of that process that we're living
with today? I mean, that was beautiful, man. I know you're asking me for an example, but that
was a much better example that I'm going to be providing you. That was great. And you should be
proud of that. I mean, that's wonderful to see kind of the evolution of that industry. And that's
what we're seeing everywhere. We're seeing, you know, back in the day, if you will, before
networking and IP based technologies and
ARPANET and DARPANET, we had control systems and control systems were isolated systems,
sometimes nomadic, sometimes not of just systems that were serving a purpose of taking an input
and getting to an output. I mean, it's a physical kind of system. And then we saw connectivity,
and we started seeing these environments that were never networked before starting to become
networked. And the same way that you might have had a power plant that was good at producing power,
but now you could network it so you could actually get information off the plant and
make it a little bit more efficient, and to make it safer and more productive.
Then we saw site-to-site interconnectivity, and we started seeing even things like SCADA or supervisory control and data acquisition systems, basically the control systems that
set above control systems to be able to make multiple plants and multiple sites efficient
and work together more effectively and safer and more productively.
And then we're starting to see this advent of what some of the community, some of our
European partners will call like Industry 4.0.
We're starting to see beyond site to site, but even company to company and the immersion
of the industrial world in every aspect of our lives and connected in where the operator,
you know, their shift schedule is timed in with maintenance schedules, timed in with
the recharging of maybe consoles or using, I think of like Caterpillar and they're doing
some amazing work about, you know, hey, instead of having the same operator use the same backhoe every single day, why don't
we rotate it around and let us know which ones are the right ones to take advantage of for their
maintenance schedule. And it's the interconnectivity of not only just plants now but
every individual component and learning from the larger community. We're seeing cloud-based technologies be able to drive efficiencies in a
refinery, which is saving so much money or allowing companies to generate so much more
money that they could rebuild the facility every couple of years. I mean, it's just amazing.
The downside of that, of course, is you're increasing connectivity to where systems have
much more control and have more input, which means the ability to modify
those systems from an adversarial-based approach exists in ways that it never did before. At the
same time that adversaries are learning industrial systems to not only go and exploit a system,
but learn the industrial operations and how to manipulate the physical process.
So you have a community that's doing the right thing. They're learning
and evolving and building a better world. But just by the very nature of that, you're introducing
opportunity for adversaries to go and disrupt that now interconnected world. So the thing that I
usually like to tell executives and others in this space is the security component of this is just a natural evolution
of the fact that you're able to take more advantage of what you're doing and then take
more advantage of the systems than you've ever had before, and it's a component just to
deal with that risk and let that beautiful industrial automation and the value that it's
bringing to safety and productivity be there and be present and get the full value out of it.
So it's been wonderful to watch the world evolve in this way. And I think it can be easy to opine
about, well, I want to go back to manual controls or I want to go back to when it was different.
And those days weren't better. It's just the things that we are doing are making a better
world. We just need to be thoughtful in the way that we do it.
You know, I think it strikes me also thinking about some of the conversations I had with my grandfather
towards the end of his life that I think he had a little bit of frustration that the folks who were still in the plant
who had that institutional knowledge who could go and knock on the door of the folks who are running the computers and say, hey, something doesn't smell right. Like it literally doesn't smell right.
To make sure that you don't discount the opinions from those folks who are out there on the floor
of the plant.
Well, I think that's well stated. And this goes to the topic of not only IT,
but IT security and operations security, whatever you want to call it.
But the mission is still the mission.
The mission hasn't changed.
And the people closest to the mission are going to have the best expertise.
And that's generally the operators and engineers.
And you want to codify that knowledge and scale that knowledge as our workforce changes.
You don't want to dismiss it.
One of the first things I tell any
company that's going down the path of industrial security is to build the culture first. Like,
take a box of donuts, a case of beer, go meet your operators and engineers. They're going to tell you
more things than that system ever could. The human expertise of that operator or engineer is going to
be better than the individual system. But the trade-off is you
can't scale that. You can't document every component of it. And so as we get more and more
of a large industrial world, we need to scale knowledge. We need to document knowledge. But
that does not mean dismissing the expertise we have, because it's really just that expertise
that we're trying to pull from. All right. Well, Robert M. Lee, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you
informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.