CyberWire Daily - Election-season cyber incidents in Germany. South Africa works to recover from a ransomware attack on government networks. Cryptojacking botnet moves to Windows targets. Ransomware notes.

Episode Date: September 16, 2021

Denial-of-service at a German election agency, as Federal prosecutors investigate GhostWriter. More nation-states get into election meddling. South Africa works to recover from a ransomware attack against government networks. A cryptojacking botnet moves from Linux to Windows. A ransomware gang threatens to burn your data if you bring in third-party help. Ransomware cyberinsurance claims rise. Rick Howard checks in with Tom Ayres from Lead Up Strategies on Cyber Piracy. Caleb Barlow shares insights on CMMC. And it’s a really good week to patch. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/179

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Denial of service at a German election agency as federal prosecutors investigate GhostWriter. More nation states get into election meddling. South Africa works to recover from a ransomware attack against government networks.
Starting point is 00:02:12 A crypto-jacking botnet moves from Linux to Windows. A ransomware gang threatens to burn your data if you bring in third-party help. Ransomware cyber insurance claims rise. Rick Howard checks in with Tom Ayres from LeadUp Strategies on cyber piracy. Caleb Barlow shares insights on CMMC. And boy, is it a really good week to patch. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire responsible for running next week's elections, was subjected to a distributed denial-of-service attack, AFP reports.
Starting point is 00:03:14 The incident occurred as federal prosecutors continue their investigation into a cyber espionage campaign against the Bundestag and other targets. The incident was brief and of minor effect, but it contributes to concerns about the security of the elections scheduled for the 26th of September. The incursions into Bundestag networks, and the parliamentary email accounts in particular, have been traced to Russian intelligence services, and they're believed to be contributions to a broader campaign intended to disrupt or influence elections.
Starting point is 00:03:51 While Russian operators have been most often associated with election influence and interference, especially in that part of the popular mind that pays attention to such things, after all, Fancy Bear and Cozy Bear achieved their Western media fame from their operations during the U.S. 2016 election season. But Russia isn't the only country that's in the business of election meddling. This week's summit, sponsored jointly by AFCEA
Starting point is 00:04:19 and the Intelligence and National Security Alliance, included a discussion of election security. Speaking at the conference, U.S. Army General Paul Nakasone, Director NSA and Commander, U.S. Cyber Command, said, as quoted by Signal magazine, What has changed with influence in regard to the elections, first of all, there is more than one adversary. It began with just the Russians, and now it is the Russians, the Chinese, the Iranians. It is a number of different actors. In terms of 2022, our focus right now is obviously being able to generate the insights of what adversaries are doing and who might be doing that. That focus will move very, very quickly to being able to share that information with a broad range of partners.
Starting point is 00:05:07 End quote. The September 6th ransomware incident in South Africa has spread through the networks of the country's Department of Justice and Constitutional Development, according to Bleeping Computer. No group has claimed responsibility, and no stolen data have appeared on the usual dump sites. The department says it has no evidence that any data were compromised and that it's working to restore its networks. Thus far, the most important service disruptions have been in child maintenance payments, which are on hold until the systems that deliver them are more fully restored. Security firm Akamai, which has been tracking the Kinsing cryptojacking botnet, reports
Starting point is 00:05:50 that the threat has evolved from Linux malware to Windows malware. Kinsing has RAT capabilities as well as its primary coin mining functionality. There are several things an organization can do to help protect itself against Kinsing and similar crypto-jacking attacks. Akamai recommends that a good place to start is by monitoring processes on your systems for abnormally high resource consumption and suspicious network activity. Abnormal high CPU usage for a given process may be an indicator of crypto mining activity, end quote. Ransomware gangs really don't want you calling for help. Don't call the cops, they say, and don't bring in a hired negotiator to dicker with them. Ragnar Locker earlier this month threatened to dump stolen data should victims work with law enforcement or seek the assistance of third parties.
Starting point is 00:06:50 A second ransomware gang, Grief, has adopted a similarly aggressive stance. Bleeping Computer reports that Grief has said it would delete decryption keys if a victim brought in a third party to negotiate its ransom. We'll burn your data if you get a negotiator, is how The Register describes the threat. What Grief actually wrote on their Tor-hosted blog was this, quote, we want to play a game. If we see professional negotiator from recovery company, we will just destroy the data. Recovery company, as we mentioned above, will get paid either way. The strategy of recovery company is not to pay requested amount or to solve the case, but to stall. So we have nothing to lose in this case, just the time economy for all parties involved.
Starting point is 00:07:32 What will this recovery companies earn when no ransom amount is set and data simply destroyed with zero chance of recovery? We think millions of dollars. Clients will bring money for nothing, as usual. End quote. And it's signed, Grief Ransomware Gang, without so much as a sincerely, a yours truly, or even a respectfully, still less a deferential naval very respectfully. If you're keeping score, Grief is the child of BitPaymer or DoppelPaymer, or maybe both. And these, in turn, were begat by the ironically named Russian gang EvilCorp. EvilCorp has been under U.S. sanctions for some time.
Starting point is 00:08:13 The general opinion among those who think about these things, like the security firm Emsisoft, which has made a specialty of working against ransomware, is that these kinds of sanctions flow down to the progeny. So if you're within reach of U.S. law, it's not a good idea to pay the ransom, since Grief can't be legally paid in any case. Marsh's annual report finds that claims associated with ransomware attacks have accounted for roughly a fourth of European cyber insurance claims
Starting point is 00:08:45 between 2016 and 2020. Quote, ransomware claims accounted for 32% of cyber claims in 2020. This has been a significant increase. Indeed, ransomware claims accounted for 14% of cyber claims notifications from 2016 through 2019. The 2020 notifications have pushed that overall percentage up to 24%, nearly double what had been reported in the previous four years. End quote. So, the more recent rates of ransomware claims are running even higher than the long-term figure suggests, amounting to about a third of them. And Marsh points out that, if anything,
Starting point is 00:09:24 this rate understates the frequency of ransomware attacks themselves. It doesn't include many unsuccessful attacks. Quote, This figure would be even higher if malicious cyber claims events had not been stopped in their tracks. For many cyber attacks, the ultimate objective is the extortion of a ransom payment. However, when a proficient IT department or external emergency response team is able to stop the attack, And finally, Wired offers some sound advice.
Starting point is 00:10:01 With this week's patches from Apple, Microsoft, and Google's Chrome, this would be a good time to update all your devices. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:11:07 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
Starting point is 00:12:03 at blackcloak.io. I recently checked in with Tom Ayres from Lead Up Strategies on the topic of cyber piracy. Here's Rick. If that music sounds familiar, it is. It's from the Pirates of the Caribbean movie soundtrack. Because today, we're talking about pirates. Arrgh! I'm joined by Tom Ayres, an advisor with the RAIN Corporation, CEO of a consulting group called Lead Up Strategies,
Starting point is 00:12:47 and a retired major general of the U.S. Army where he spent most of his career as a judge advocate. And he published an opinion piece in the Wall Street Journal back in May about an archaic law buried deep in the U.S. Constitution called Letters of Marque and Reprisal that we used to fight pirates with back in the 1800s. And the great thing about it is we might be able to take advantage of the law today in the fight against cyber pirates. Tom, I read your essay. It's really interesting.
Starting point is 00:13:15 So tell me what a letter of marque and reprisal is. The letters of marque and reprisal were not invented by us. It's French. The idea was to help fight pirates. It was to give merchantmen the opportunity to arm their ships and then go out and fight pirates. What it really did was it gave them standing in admiralty court. So if they actually sunk a ship or if they took a ship captive, the title of that ship would go over to them. So that was really important.
Starting point is 00:13:45 Ships were expensive. If they acted without a letter of marque, then if they captured a ship, it would become the government of France or the government of Spain, wherever they were from. It was called prize money. So it was an incentive for them to go on and take on these nasty pirates. And it was a way for the national navies to really expand their reach. It's in the Constitution. In Congress's power, it specifically says that Congress can grant letters of marque and reprisal. And our Constitution doesn't have that many words. So when we have some words, I think we ought to take advantage of them. And we haven't taken advantage of this part of the Constitution really since the Barbary Wars in the early 1800s. The idea was
Starting point is 00:14:27 our Navy was very small. When we first started issuing letters of marque, we had one ship, really, a 14-gun, the Enterprise. And so they started building the six frigates. And with this letter of marque idea, lots of merchantmen started arming their ships, and we expanded the size and the reach of our ability to defend ourselves and take on pirates or the British ships. So it was very important. Also during World War II, there's some controversy over the Goodyear blimp. It said it had a letter of marque from Congress. It might've been just a phone call because there's nothing really on the books about the letter of marque, but they started hunting for submarines on the West Coast after the attack on Pearl Harbor. So that was what made me think, if it was good
Starting point is 00:15:10 enough for the age of flight after the age of sea, why not in the age of cyber? The analogy is not perfect because in the letter of marque, they had standing in an admiralty court and they were able to get this prize money, take title. Now, I'm not talking about a letter of marque that would allow them to retake data and then keep data or to take intellectual property that's been stolen by pirates. That's a thought. That's an idea. But that's not what I'm talking about. I'm talking about, as that found an array of incentives to enlist private enterprise in a war,
Starting point is 00:15:47 let's look at an array of incentives to enlist private enterprise in this cyber war that we seem to be in these days. Are you saying that we could use these letters of marque to authorize, let's call them volunteer privateers to take down bad guy cyber infrastructure or maybe bad guy cyber operations? I don't think that'd be the logical first step. That would take some more thought. I think that might be somewhere we need to go in the future. What we see right now is that those who hack against us, they are using safe haven and they're operating out of countries that if we were to strike back, it might be seen as an act of war.
Starting point is 00:16:20 So in the original days, letters of marque were used. The pirates were given safe haven in countries like Tunis and Morocco and places like that. And so the same thing. The United States didn't want to get in a war with those countries, but they wanted to be able to attack the pirates that were getting harbor in those safe havens without it being an act of war. So I think that's something worth thinking about, but it's not something I would say would be the first step.
Starting point is 00:16:46 As a steadfast romantic myself, I really love this idea. It appeals to the swashbuckling way I'd like to view myself, that we actually officially authorize an arm of, let's say, FireEye or the Palo Alto Networks Unit 42 to seek out and destroy bad guy infrastructure like Errol Flynn did in the old 40s movies. And truth be told, the idea of it was one of the reasons I got into security back in the day originally. But when I finally come to my senses and start thinking practically, there is one thing that I've learned in my cybersecurity career, if I've learned anything at all,
Starting point is 00:17:19 it's that just because you hit back doesn't mean that the bad guys will give up. Escalation would most certainly happen. And I don't know if I want to see what happens if we get into that situation. I agree with you, Rick. But what if you were, even in the first stages, say you allow somebody, if they're hit from a certain IP address, that you would then allow them to immediately counterpunch and take out that portal with some kind of bot. So something that would be very limited.
Starting point is 00:17:50 And again, I'm not a techie, so I don't know if that's even possible. But I like the idea if you could have a limited response immediately that would counterpunch, that would affect the ability of them to attack us. I knew if I waited around long enough that I could call myself a pirate. How great is that? And it's certainly an out-of-the-box idea.
Starting point is 00:18:12 Thanks, Tom, for all of that. That was Tom Ayres, the CEO of Lead Up Strategies, a lawyer and a retired major general of the U.S. Army. And we will link to his essay in the Wall Street Journal in today's show notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:18:53 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, a lot of talk about CMMC, and I wanted to check in with you on that. First of all, what is it? What does it mean?
Starting point is 00:19:39 And it's something that you and your world have an intimate relationship with here. So can you give us some tips on how folks should be approaching this? Well, Dave, before we start, we probably need a disclaimer for listeners, right? Okay. This is content for mature cyber environments only. Immature environments may find the following content disturbing. It may result in pounding one's head against the wall, going to one's boss for additional budget,
Starting point is 00:20:08 or feeling that one should go out right away and hire a consultant. So listener discretion is advised for this content. Fair enough. So look, all kidding aside, right? CMMC is the U.S. government's response to leveraging its purchasing power to change behavior in the private sector.
Starting point is 00:20:27 It stands for the Cybersecurity Maturity Model Certification, or CMMC. And basically, all 300,000 suppliers to the defense industrial base that touch controlled, unclassified information are going to have to start to comply with it. And, you know, my, one of our divisions, a company called Redspin, was actually the first company to be certified at this level and also the first company to be certified to do these assessments or authorized, I should say, to do these assessments. And here's the big thing about it, right? The documentation requirements are quite significant. And, you know, what I want to talk a little bit about today is what you need to think about in this is if you've ever been in a manufacturing environment
Starting point is 00:21:08 where you needed to comply with ISO 9000 or you've gone through a Six Sigma process, this is like that for security. And it's all effectively based on the NIST framework as its underpinning. So people are going to be very familiar with it, but it requires a few things like, you know, your documentation needs to describe both your policies and your procedures.
Starting point is 00:21:32 Those are two different things. They need to be updated regularly. Everybody's got to understand it. And the documentation requirements are just not trivial. But here's my point, Dave. It's going to be required for those DIB suppliers, but it's also a really great framework for anybody else that's maybe historically been using the NIST CSF to think about maybe how they up their game and so up their cybersecurity posture, particularly on the documentation. How heavy a lift is this? I mean, if I'm coming into this, can you frame it in a way of it's going to take, you know, X percent more effort on our part to be compliant here? Or is that even a good way to look at it? Well, Dave, your listeners can't see this, but you and I are on video and this is my documentation. It's a binder three and a half inches thick. That is a major, major, major fall into the phone book.
Starting point is 00:22:25 It is a major freaking lift, right? Right, okay. But here's the thing. Don't hurt yourself. It doesn't ask you to do anything that you didn't think you were already doing. And that was the fascinating thing about this is when we approached, oh yeah, we do all that. And then we started to look at our documentation. We're like, oh, well, maybe we kind of implied that, but maybe it wasn't quite as crisp. So here's the thing. A couple of things it's looking for to demonstrate maturity. One, have you kept your documentation up to date? So every major incident, did you go back in and update what worked and what didn't work? Every major cyber exercise, every change in the organization of who's responsible for what, did you update the documentation? And one of the key tests that we used to pass this was, you know, Dave, if you fell into a volcano and weren't able to administer systems tomorrow, would the documentation be good enough that the next person could step in and figure out what to do?
Starting point is 00:23:32 And if you think about it, a lot of people, the documentation is probably there, but is it really crisp enough to do that? So let me give you an example, Dave. Let's say something like multi-factor authentication, right? So if you're the admin over MFA and you fall into the volcano, can your team understand the policy of what and where you do this? Like, where does multi-factor authentication need to be applied? Where do you keep the exceptions? Like, you know, okay, we've got an exception on this system because it just won't support MFA. So how do you track the exceptions? Do the procedures, are they articulate enough that if somebody needs to set it up again,
Starting point is 00:24:12 they know how to do it? And then here's the interesting thing. CMMC goes beyond just the security team to let's say the CFO. If I go to the CFO, can I say, hey, you know, you've said your policy requires multi-factor authentication. Where is that in your budget? How do we know that you're funding this? And can you demonstrate that this requirement is properly being funded? But also it turns to HR and says, okay, when Dave quits because he wins the lottery and goes onto a desert island and I go to hire the next admin,
Starting point is 00:24:39 how do I ensure that I'm hiring an admin with the skills to manage that system? So it's really comprehensive and, again, required for DIB suppliers that are in that 300,000, but also worth looking at for everybody else is a great framework to take your kind of NIST CSF to the next level. Yeah, really, it sounds like it overlays a certain level of discipline and organization to the, as you mentioned, things you may already be doing. Well, here's the funny thing.
Starting point is 00:25:09 When we went through this, our CFO, now we're a public company, right? So, you know, Sarbanes-Oxley and everything else. Yeah. You know, our security team's like, oh my gosh, this is a ton of work. We've got to get all this stuff documented. Our CFO's looking at us like, why are you guys crying? He's like, this is what I do every day as a public company. I can't do anything without having crisp controls and having them documented.
Starting point is 00:25:31 So in a lot of ways, once you get past all the political drama and everything else around this, this is all stuff that the rest of the industry has been doing for years. And security professionals are just catching up. All right. Well, Caleb Barlow, thanks for joining us. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire
Starting point is 00:26:26 team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
