CyberWire Daily - GandCrab hoods may be back with new ransomware. Video-on issues. Broadcom-Symantec talks are off, for now. Treason or just business? Robo-calls. A decryptor for Ims0rry ransomware.

Episode Date: July 16, 2019

The retirement of GandCrab's hoods may have been exaggerated. Video conferencing tools RingCentral and Zhumu may have picked up Zoom's issues in the tech they licensed. Broadcom's projected acquisition of Symantec is on hold, at least for now. One Silicon Valley executive calls another company "treasonous." The US FCC wants to rein in robo-calls. And there's a free decryptor out for Ims0rry ransomware. Emily Wilson from Terbium Labs on recent Terbium research on transnational crime. Guest is Wim Coekaerts from Oracle on security in the age of AI. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_16.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The retirement of GandCrab's hoods may have been exaggerated. Video conferencing tools RingCentral and Zhumu may have picked up Zoom's issues in the tech they licensed. Broadcom's projected acquisition of Symantec is on hold, at least for now. One Silicon Valley executive calls another company treasonous. The US FCC wants to rein in robocalls.
Starting point is 00:02:19 And there's a free decryptor out there for Ims0rry ransomware. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, July 16th, 2019. The gang behind GandCrab ransomware may have said it folded its tent after making plenty of money and deciding that people had learned their security lessons and could now be left unmolested. But their retirement may have proven as exaggerated as their altruism, which no thinking person ever took particularly seriously.
Starting point is 00:02:56 Krebs on Security offers some reason to think they might have pitched their tent on fresh criminal ground. This time, they seem to be involved with the REvil strain of ransomware, also known as Sodin and Sodinokibi. Expect to hear about more infestations in the future. In general, the hot targets for ransomware these days seem to be municipal governments and school districts. They depend upon their data being available,
Starting point is 00:03:21 but they're often poorly protected. Two other video conferencing services appear to be vulnerable to the same security issues that Zoom confronted last week. The video-on problem also afflicts RingCentral and Zhumu, BuzzFeed reports. It's not surprising, as both companies license Zoom technology, and their white-badged versions are susceptible to the same problems. Broadcom's proposed acquisition of Symantec is on indefinite, perhaps permanent, hold. The two companies suspended talks when Symantec balked at going below its asking price of $28 per share,
Starting point is 00:04:02 thinking that anything less would amount to an unacceptable undervaluation. The news drove down Symantec's stock yesterday. The company's stock price closed at $22.84 Monday for a drop of 10.7%. Broadcom's stock closed up a bit, rising 1% to $288.34. The deal might not be off entirely, however. CRN reports that Broadcom hasn't yet given up on the deal, and that talks could resume at some future point. Peter Thiel, Palantir chairman and co-founder, on Sunday called for an investigation of Google for treasonous behavior with respect to China. He suggested that the company had been thoroughly
Starting point is 00:04:40 penetrated by Chinese intelligence agents, and that its willingness to work on a search engine for Chinese use that would be managed and closely censored by Beijing, while at the same time declining work on U.S. defense projects, raised questions about Mountain View's trustworthiness. He's not saying Google and Huawei are toss-ups as far as security is concerned, but his remarks tend in that direction. BGR's take on the story points out the possible hypocrisy, observing that, to be sure, Google hasn't covered itself in privacy and free speech glory lately,
Starting point is 00:05:13 but then neither has Facebook. And then it goes on to note that Thiel serves on Facebook's board. Well, privacy shenanigans surely fall short of treason, which the Constitution primly restricts to levying war against the United States or in adhering to their enemies, giving them aid and comfort. And besides, you'd need either two witnesses or a confession in open court. In fairness to Mr. Thiel, he's probably speaking metaphorically, but perhaps there's also a bit of glass in that house from which the stone is being cast.
Starting point is 00:05:44 Independently of Thiel's remarks, The Intercept has published a report noting Google's cooperation with Chinese spyware vendor Semptian. Semptian's products are widely used in China, and they've found a ready market in repressive regimes across the Middle East and North Africa. Oracle recently released a report titled Security in the Age of AI, the result of research on how C-suite executives, policymakers, and the general public
Starting point is 00:06:13 view cybersecurity and technology. Wim Coekaerts is Senior Vice President of Software Development at Oracle. So if you look at it at a high level today, I guess it's a two-part answer to this. One is on-premises, of course, you know, security is important. However, security software using AI and ML is not quite incorporated yet. There's very little use of AI or machine learning on-premises by the industry in general.
Starting point is 00:06:38 When it comes to cloud computing, the major cloud vendors have been working on incorporating machine learning and visual intelligence across different areas of cloud, whether it's security or basically looking at availability of systems and optimizations from a performance point of view. From a security point of view, it's certainly been the most important one. What I mean by that is we often talk about robots, and it's harder for humans to react very quickly to huge incoming threats such as the denial of service attack or swiftly responding to being able to take systems offline or disable network ports or so.
Starting point is 00:07:14 And we've seen that be a very important part for artificial intelligence and machine learning to play a huge role. And that is detecting and looking at different access patterns, whether it's daytime access, then suddenly something happens at night. Machine learning algorithms can be trained on that and swiftly respond to it. And that's different from humans that are looking at a screen
Starting point is 00:07:36 and don't actually know what's going on or don't have the history to respond to that. So I'd say within cloud computing, security is definitely, certainly at Oracle, security is a number one priority. It's absolutely critical for us and our customers that we protect our data. And one of the things that I believe is probably important to mention is that the cloud providers can scale. We have lots of security experts that are well-trained. One advantage of cloud computing also is sort of the cookie cutter model. There's a lot of homogenous deployments of environment. We know exactly what's deployed in data centers. Every single server is accounted for in every VM. That also helps machine learning. The only way machine learning algorithms
Starting point is 00:08:16 get really good is by providing huge amounts of data. At cloud scale, we provide massive amounts of log files and access patterns to these algorithms to get them more tuned and optimized for having no or very few false positives so that we're very efficient here. And that's really only possible when you have a cloud-scale model, and it makes it much more difficult for on-premises customers that want to be in charge of their own security to do the same thing, basically. Yeah, it's interesting because I wonder myself if there's been over the past, oh, I don't know, year or so, sort of a recalibration, particularly at the C level, when it comes to how people are thinking about artificial intelligence and machine learning. A few years ago, certainly from the vendor side, AI and ML was a huge focus. There was just a huge push on it. Partly, like what your report bears
Starting point is 00:09:06 out here is that people seem to be recognizing that it has a part to play, but not at the expense of the human side of things. Again, it's interesting in the context of on-premises and the move towards cloud. And it's a certain segment of customers that are still not quite cloud ready, so to speak, or they're seeing this move to going to a cloud vendor in the next few years. And when that's the case, they likely will focus more on the human aspect because like I mentioned before, a lot of these machine learning techniques apply at scale and it's not as efficient or necessarily as effective when deployed within a smaller data center.
Starting point is 00:09:44 And so if companies that are looking at moving to the cloud will likely see local security experts hiring people, trying to get their existing deployment cleaned up, know what's installed, and so forth, they'll probably focus more on the human aspect. And then companies that take that step towards cloud computing sooner rather than later, they automatically get the benefits from the machine learning as provided by the cloud vendor.
Starting point is 00:10:09 And one thing to keep in mind is that retrofitting existing data centers from a security point of view is very difficult. And it really starts with doing an% of the real estate was known and was patched. 0.1% was this one server running one application server that by accident wasn't patched. And that's how they got in. Is that a security software issue? Well, on the front end it is, but on the back end, it's basically a system administration issue where all these existing homegrown data centers have so many servers with different operating systems, with different server models, different architectures, different vendors that are all interconnected. And it's just near impossible for existing data centers to purely secure it, just because of its heterogeneous nature. And so that just requires humans to just basically go on the data center floor and say, what's this server?
Starting point is 00:11:11 Have we identified this? And what software is running on it? Part of what makes customers nervous is the unknown of where do we start? Where do you stop? So that's certainly an important aspect of educating how cloud security is beneficial, but also how that works. That's Wim Coekaerts from Oracle. The report is titled Security in the Age of AI. Tired of robocalls? Our favorite is a call one of our stringers got years ago while living in Oklahoma. Good evening, said the robot, off to a good start.
Starting point is 00:11:43 Although I am recording, I hope you will have the courtesy not to hang up on me. Ha, yeah right, 3PO. Our stringer says he courteously heard the recording out, but can't recall exactly what it was selling, although whatever it was could probably have been had for cheaper at the Lawton Mall. The mid-1980s were crazy like that, but those proto-robots were winsome, at least the Okie versions were. But that was the early paleo-robotic era. Now the calls have evolved beyond the entertaining and the naive, and the current versions are a lot more intrusive. They've been for some time a pervasive nuisance.
Starting point is 00:12:17 And now they seem to make up the same fraction of inbound calls as junk mail takes up in the local letter carrier's mailbag. Telcos have been discussing controlling robocalls for some time, with a few having announced the pending availability of tools designed to let customers block the robots. The U.S. Federal Communications Commission is unimpressed by their efforts. Commissioner Geoffrey Starks last Thursday released the responses the FCC received from the phone companies to its request for information about what they were doing about robocalls. Commissioner Starks wrote, "Reviewing the substance of these responses, by and large,
Starting point is 00:12:53 carriers' plans for these services are far from clear. In our action last month, the Commission committed to studying this issue and delivering a progress report within a year. If we find that carriers are acting contrary to our expectations, we will commence a rulemaking. To that end, as I noted in my letters, I expect to be updated by carriers as progress is made on offering free call-blocking services
Starting point is 00:13:15 and recommend that carriers not stop until the job is finished. The sooner, the better." Note the emphasis on free, as some of the robo-killers on offer have been paid options you could add to your phone service. And finally, with all the problems people have been having lately with ransomware, especially local governments, it's nice to close with some good news. Emsisoft has released a free decryptor for the Ims0rry strain of ransomware. So bravo, Emsisoft.
Starting point is 00:13:49 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:35 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:15:34 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:13 And joining me once again is Emily Wilson. She is the VP of Research at Terbium Labs. Emily, it's great to have you back. You and your team over at Terbium recently published some reports on fraud and transnational crime. This is called the next generation of criminal financing. What do we need to know about this? So I've been hearing anecdotally for a few years from law enforcement here in the U.S. and international law enforcement that they've seen more and more stolen payment cards showing up in organized crime groups and street gangs. Of course, we've seen this play out in the cybercrime realm as well. But hearing from people that this is an issue on the ground, we wanted to look into it and see what the problem actually looked like. Because a little surprisingly, there isn't really data available on the scale of stolen payment
Starting point is 00:16:57 cards being used by organized crime groups out of Eastern Europe. That seems like the kind of thing we would know already, but we don't. So we set out to look into this, looking at criminal cases in North America, in the U.S., in Canada, and from a variety of countries in Europe to see where we could find links between payment card fraud and these major sort of international pernicious crimes like organized crime groups, like terrorist financing, things like human trafficking and drug trafficking, just to see where that shows up and see if we can get a better sense of the problem. And that's what we turned into this report that you're referencing here, looking at sort of the distribution of these crimes across North America and across Europe to see how and where stolen data is being used for this and sort of tip of the iceberg of how big the problem actually is. So let's dig in then. Can you give us a couple examples of what you found? One of the case studies that really stands out to me is a Sri Lankan organized crime group based in
Starting point is 00:17:55 Canada running international carding operations, in this case out of Australia, out of a grocery store in Australia. And they effectively found a grocer who was willing to let them install a compromised point of sale system. They sent over an agent to help install it and recruited someone locally to sort of take the fall for it, someone who would be a shop boy who would sort of show up for a few weeks and work there and then disappear once they'd finished their skimming ring. They sent over parts of this point of sale system, this compromised point of sale system from Canada and from the US. And in the end, it turns out the whole operation was being financed by some unknown individual out of the UK who had commissioned a certain number of cards to be skimmed. And, you know, this is one of those examples where you have four or five different countries at play here. You have people being, you know, sent around
Starting point is 00:18:42 the world and promised different locations they're going to be moved to afterward to, you know, hide out and wait for the heat to die down. And in conversations that law enforcement recorded between a few different operatives in this organized crime group, they were bragging about how they really got this operation down to a science. You just move people around, we send them here, we send them there. And it seems like they were willing to take sort of commissioned efforts from anywhere around the world. That's just one example of the sort of physical skimming ring location, and then to purchase the hotel rooms they were actually going to hold these victims in while they got new identities created for them, right? We see sort of these purchasing patterns for all of the operational costs that these groups might experience, which makes sense. If you're an organized crime group, why would you tie your own
Starting point is 00:19:39 name to these purchases you're making, and why on earth would you spend your own money on it when you could just use someone's stolen credit card and the bank is going to just write off the charges? The sophistication and the complexity here is primarily to try to evade law enforcement? I think it's partially to try and evade law enforcement. I think also just the pure financial costs involved here, right? There are times when we see sort of law enforcement evasion as with the human trafficking ring or perhaps with this carding ring that I mentioned. There were other examples I'm thinking here in particular about some of the material support to terrorism cases that we saw where you have someone who is working on creating terrorist
Starting point is 00:20:21 propaganda for ISIS and then is using stolen payment cards to sort of just fund their lifestyle choices to buy clothes and buy food. And that's a little bit less to evade law enforcement and a little bit more, you know, I just don't want to spend my own money on this. You know, fraud isn't really a crime in this guy's eyes. So I'm going to just use someone else's cards to buy all of my expensive clothing. Well, it's an interesting report. It's the next generation of criminal financing. Emily Wilson, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide.
Starting point is 00:21:11 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
Starting point is 00:21:54 sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Thank you. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
