CyberWire Daily - Deciding to pay ransom - the cases of JBS and Colonial Pipeline. Gangland branding. Constituent management system hit. Notes on the FBI’s partial recovery of DarkSide’s ransom take.
Episode Date: June 10, 2021
JBS discloses that it paid REvil roughly eleven-million dollars in ransom. REvil not only had a good haul, but the gang made a few points about its brand, too. Colonial Pipeline explains, and defends, its decision to pay ransom. The US Congress has a third-party problem that constituents may or may not notice. Dan Prince from Lancaster University on the science of cybersecurity. Our guest is Kris McConkey from PwC on their Cyber Threats 2020 - Report on the Global Threat Landscape. The FBI’s recovery of some of the ransom Colonial Pipeline paid to the DarkSide was good, but it doesn’t necessarily represent a new normal. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/111 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
JBS discloses that it paid REvil roughly $11 million in ransom.
REvil not only had a good haul, but the gang made a few points about its brand, too.
Colonial Pipeline explains and defends its decision to pay ransom.
The U.S. Congress has a third-party problem that constituents may or may not notice.
Dan Prince from Lancaster University on the science of cybersecurity.
Our guest is Kris McConkey from PwC on their Cyber Threats 2020 report on the global threat landscape.
And the FBI's recovery of some of the ransom Colonial Pipeline paid to DarkSide was good, but it doesn't necessarily represent a new normal.
From the CyberWire studios at DataTribe, I'm Elliott Peltzman, filling in for Dave Bittner with your CyberWire summary for Thursday, June 10th, 2021.
The Wall Street Journal reported in an exclusive last night that JBS paid its REvil attackers $11 million in Bitcoin to restore the systems and data affected by the gang's ransomware attack.
That makes the $4.4 million Colonial Pipeline paid look like chump change, especially now that the FBI has recovered $2.3 million of the pipeline operator's payment.
Andre Nogueira, chief executive of the Brazilian meat company's U.S. division, described his decision to pay.
He told the Journal, It was very painful to pay the criminals, but we did the right thing for our customers.
The payment was made after most of JBS's plants had returned to operation.
The company says it had all of its data backed up and that, as far as it could tell, no customer, supplier, or employee data had been compromised.
So why pay, especially when recovery seemed to be well-organized and making good progress?
Nogueira said it represented a kind of insurance.
The company's IT experts couldn't guarantee that REvil couldn't find its way back in.
Nogueira said, quote, We didn't think we could take this type of risk that something could go wrong in our recovery process. It was insurance to protect our customers, end quote.
Thus, payment appears to have been a way of hedging against the possibility of re-attack.
It's worth noting that JBS used an outside consultant to negotiate with the extortionists.
Payment was apparently one of the options on the table from the outset.
For all of its high-minded posturing about its operations being as proportionate and discriminating as one could wish of any well-behaved privateer, or socially conscious hood straight out of Sherwood Forest, REvil wasn't shy about attacking a company headquartered in Brazil when it hit JBS with ransomware.
We heard from ZeroFox on the matter, and they think the evidence confirms what they've thought, more or less, all along.
Quote, REvil did not conduct much vetting of JBS as a target, relying simply on the fact that the parent company was headquartered in Brazil. It is a common practice in the cybercriminal underground to associate targets with the geographic location, industry types, and revenue numbers listed on their open-source business profiles. End quote.
A side benefit for REvil's branding was that the attack seemed to be motivated by simple greed, a point REvil has taken some pains to drive home in its communiques.
They're crooks, not spies, and they'd like you to appreciate the distinction.
So JBS was a target of opportunity. It was available because it was in Brazil, a country not on the Kremlin's do-not-touch list. All of this is good for their bad business.
As ZeroFox observed, REvil also gets to show that they're not afraid of Uncle Sam, and that's equally good for attracting new affiliates as it is for frightening prospective customers, as they call their victims.
ZeroFox says, quote, REvil has previously used public-facing interviews to amplify their mystique and to attract more
Colonial Pipeline CEO defended paying ransom.
It was a tough crowd, but he stuck to his point.
BloombergQuint reports on the reception Colonial Pipeline CEO Joseph Blount Jr. received from Congress during his testimony.
It was chilly.
The company's failure to have adopted a stronger security posture was criticized, as was its decision to pay ransom, the FBI's recovery of much of the money notwithstanding.
Two things are noteworthy. First, the heat Colonial took from its congressional inquisitors renders implausible the speculation that the company paid DarkSide's ransom in cooperation with the FBI, the better to help the Bureau cripple DarkSide's infrastructure.
Colonial Pipeline CEO Joseph Blount took responsibility for the decision,
which he presented to both the House and Senate as the result of a tough cost-benefit calculation.
Effectively, he had no choice, he said, in view of the severe consequences of protracted disruption
of fuel delivery. Blount said, quote, I know how critical our pipeline is to the country, and I put the
interests of the country first. I made the decision to pay, and I made the decision to keep the
information about the payment as confidential as possible. It was the hardest decision I've made
in my 39 years in the energy industry, end quote. When asked how much worse things could have become had Colonial not
paid the ransom, Blount answered, that's an unknown we probably don't want to know,
and it may be an unknown we probably don't want to play out in a public forum.
The second interesting thing about the testimony is the extent to which congressional attitudes
about paying ransom have hardened,
and how willing members of both houses are to criticize the private sector for lax security.
It's only fair to mention, after the high dudgeon on display around Capitol Hill this week,
that Congress itself has also had some cybersecurity issues.
The Hill reports that iConstituent, a vendor that provides constituent management services, the elected officials' equivalent of CRM, to some 60 offices of both parties, was hit by ransomware, leaving members of Congress unable to contact their constituents for several weeks.
Even solons grapple with third-party risk.
Good thing constituent service isn't really critical infrastructure.
And finally, the FBI's recovery of about $2.3 million of the approximately $4.2 million Colonial Pipeline paid DarkSide is encouraging and a good thing.
But as an email from Databarracks, the UK-based business continuity and IT recovery shop, warned us this morning, you'd be unwise to assume that the Feds or anyone else can be relied upon to do the same for you should you become an unwilling customer of a ransomware gang.
For one thing, whatever the FBI did to recover the money, and it probably had to do with their ability to obtain a private key for the wallets whose contents the Bureau retrieved, you can't count on that being possible every time.
For another, the crooks also learned from the school of hard knocks and are less likely to repeat whatever mistakes made the FBI's recovery operation possible.
Databarracks Managing Director Peter Groucutt said, quote, These innovations by authorities are still new, so it takes a while for them to become properly established. There's also no guarantee the highest echelons of law enforcement will come to your aid if ransomware strikes, so it's dangerous to rely on it as a way out, end quote.
It's better to prepare to defend yourself.
We heard as much yesterday from FBI Special Agent Doug Domin of the Bureau's Boston Field Office during a Cato Networks webinar.
You want to let the local FBI know when you've been attacked, but remember that they're not an incident response team.
Incident response is fundamentally the affected organization's responsibility.
And while the FBI will go after the bad guys,
you should be prepared to do your own remediation and local on-site investigation.
So be prepared.
with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised
at home, your company is at risk. In fact, over one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
The team at PwC recently published their Cyber Threats 2020 Year in Retrospect annual report. Kris McConkey leads PwC's cyber threat operations practice, and he joins us to share their findings.
It's a really interesting thing for us to do every year because we have a whole bunch
of different services that basically put us in direct contact with some of the threat
activity that's happening.
So we do a lot of incident response work around the world every year, several hundred cases
in about 40 different countries.
We have some managed security services, and we also have a full-time threat research team that provides threat intelligence services to clients.
And so the year-in-retrospect report is really this thing that we try to do every, probably, February, March time, consolidating everything that we see across all of those different services and trying to link that together with this sort of big-picture rationale for why is it happening, who's behind it, what do we think is going to happen next, and try to distill that down in a way that's actually something that we can publish and that's easily digestible by clients and other people that want to read stuff like that.
Based on the information that you've gathered in this report, what's your outlook for the coming year? Where do you suppose we stand?
Oh, I got a really hard one to pin down, just given how much stuff's happening at the minute. I know we saw a lot of stuff in 2020, but 2021 already looks like
it's shaping up to be a year full of zero days. So having had a year where there's a lot of really
interesting threat activity that hasn't involved any exploits, we're back to seeing a load of zero days in VPN solutions, in firewalls, in email servers,
and things like that that can be exploited on a mass scale. And actually, even the Exchange one
recently is a really good example where that was privately held by a bunch of threat groups
before it became publicly known. And as soon as it became publicly
known, then you had the whole world and their dog piggybacking on it. So it doesn't really take long
for people to look at what's being patched, pivot that round and actually turn it into a usable
exploit. And for internet facing systems, that basically means you've got everybody trying to
scan the whole internet to find vulnerable systems. So I think we will start seeing more and more of that stuff happening. And obviously, the criminals getting in on the
ransomware game is going to continue. The supply chain side of things, I think we will see more of.
Obviously, there's been some really sophisticated espionage stuff in that space, but we've seen
previous instances of financially motivated groups doing the same thing as well with the
likes of FIN7 and FIN9 targeting supply chains before. So again, we might see more of that. And on the software supply chain
side of things, I think we may see more of that as well. I don't know whether we'll see it on the
same level of profile as the likes of SolarWinds. But for example, at the minute, there's one of
the Chinese espionage actors that's inside a Russian software organization that's used by
about 20% of Russian
companies. So obviously from an espionage perspective rather than anything destructive,
but again, that sort of stuff is happening, I think, more and more frequently.
So from a threat perspective, I think we'll probably see a bit more of the same.
From a defender's perspective, I guess one thing that was really interesting to see in 2020 was
just the level of both cooperation and willingness from both government and private sector to start kind of naming and shaming some of the groups behind this.
So I think that sort of lean forward posture in terms of being able to get some of the stuff in the public domain, follow it up with sanctions, those sorts of things is actually going to be really helpful in the future as well.
That's Kris McConkey from PwC.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, great to have you back.
We wanted to touch today on the science of cybersecurity.
What do you have to share with us?
Well, as you'd expect being an academic in an academic institution,
in a science and technology faculty,
I'm quite passionate about the scientific discipline
and also exploring its role within cybersecurity,
which is obviously my other research area.
And one of the challenges that I see is actually the application
of the scientific disciplines to many of the cybersecurity challenges that we see today.
A lot of cybersecurity has almost grown up
in an ad hoc or organic fashion around the problems
and trying to solve the immediate problem, firefighting.
And I think there's a lot to be learned from the application of scientific methodology to practices like penetration testing. And obviously we see a lot of scientific rigor in terms of practices around digital forensics, but there are some areas that I think we can really look at in terms of applying and understanding the different research methods that we have available from computer science and other disciplines, and apply to some of the cybersecurity challenges that we have today.
Tell me about that. What do you propose?
So if we take, for example, penetration testing, which is a module that I'm kind of working on revising at the moment, you know, so much of the material that we see at the moment is how do we break into a system? How do we, you know, run a port scan? How do we get to the end point of whatever the penetration test is? And we've traditionally taken the approach of teaching the underlying technologies and the main concepts of each of these types of attacks so they can be broadly applied.
But if you think about what a penetration test is,
it's a series of developing theories and then testing hypotheses.
And you develop a theory about where there might be a weakness in the system
and you need to then test against that system.
And what I think the scientific rigor can bring to some of this is some formal methodologies, both in terms of quantitative and qualitative analysis, of how do we apply these research methods to these particular problems so that we can learn and we can inform. And that's, I think, the important part. One of the key things around the scientific approach is that formal feedback part to help develop our knowledge base more broadly.
So is this a matter of having a certain type of discipline overlaid onto the process?
Yes, I think discipline is the right word. And I think it's also, again, tied with
this idea of professionalism around cybersecurity. And by that, I don't mean that people in the
industry aren't and haven't been professional. I mean, it's about the increasing maturity
within cybersecurity as a discipline. You know, when I go back 10, 11 years, cybersecurity wasn't really a concept except in science fiction, and now it is a big industry. And I think the important part for us is to say, well, if we are creating these professional bodies to actually recognize professionalism, and we see that happening in the UK and in other countries, how do we ensure that those professionals are applying appropriate techniques, understanding the discipline, and what does that discipline mean? We can't just take existing research techniques and methods and just apply them directly. We have to understand how they need to be adapted for the particular research and practical applications that we do within cybersecurity. And we have to situate it within that context.
Could we see things like peer review come into play?
Well, I mean, we do start,
we are seeing that, you know, when we think about things like bug reports and vulnerability reports,
they do get peer-reviewed.
And so we do have aspects of it.
And we certainly see a lot of these kind of academic, if you like,
disciplines being applied in the industry.
And I think there's just more that we can do.
This was recognized back five or six years ago in the UK when there was a national investment into a research institute for the science of cybersecurity, deliberately to start to really transform the practice of cybersecurity from best practice to kind of scientifically accurate and rigorous approaches. And I think that's the other
important thing, you know, as professions increase in their professionality and their maturity,
they go from a best practice to a discipline. And I think understanding how we can take the best of
scientific disciplines and apply them to this emergent industry
and a significant growth industry
will add a significant amount of benefit
for everybody involved.
All right.
Well, Daniel Prince, thanks for joining us.
Thank you.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Elliott Peltzman, filling in for Dave, who will be back tomorrow.
Thanks for listening.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.