CyberWire Daily - Maritime shipping hacks remind observers of NotPetya. Spyware through the firmware. New ransomware strain. Huawei in Europe. Go ahead, Lefty, give ‘em your fingerprints.
Episode Date: October 5, 2020
Attacks on maritime shipping organizations raise concerns about global supply chains. Someone's pushing spyware through the firmware. Someone else is messing with the heads of Trickbot's masters. A new ransomware strain, Egregor, shows again that a ransomware attack amounts to a data breach. Huawei may be losing ground in Europe. Mike Benjamin from Lumen on DDoS ransoms. Scott Algeier from IT-ISAC looks back on 20 years of information sharing. And criminals give their fingerprints to police, virtually. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/193
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Attacks on maritime shipping organizations raise concerns about global supply chains. Someone's pushing spyware through firmware. Someone else is messing with the heads of TrickBot's masters. A new ransomware, Egregor, shows again that a ransomware attack amounts to a data breach. Huawei may be losing ground in Europe. Mike Benjamin from Lumen on DDoS ransoms. Scott Algeier from IT-ISAC looks back on 20 years of information sharing, and criminals give their fingerprints to police virtually.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
for Monday, October 5th, 2020.
Shipping company CMA CGM continues to work through the Ragnar Locker ransomware attack that hit its business systems a week ago, gCaptain reports. While CMA CGM has said in public statements that it continues to move cargo and that it's working to restore the affected IT systems and resume fully normal operations, the shipper's recovery is still apparently far from complete. This morning, CMA CGM's site offered the following updates: [...] and electronic data interchange. Maritime and port activities are fully operational. We are providing alternative and temporary processes for your bookings and are committed to processing them as quickly as possible. Some in the industry, notably in Australia, have complained of hack-related bottlenecks, particularly where administrative downtime affects scheduling. In severity and potential impact, the incident is being compared by Bloomberg and others to Merck's 2017 NotPetya infestation. Bloomberg also takes note of Thursday's disclosure by the International Maritime Organization that its own systems had been disrupted as marking a new phase of maritime trade's vulnerability to hacking. The IMO and CMA CGM attacks are probably unrelated, the timing coincidental, and neither affects safety of navigation. But they are being taken as a warning of how global trade and the supply chains that depend on it, so much of which is seaborne, have become susceptible to disruption.
Kaspersky researchers report, according to Wired, that spyware leaked from the now-defunct and controversial-when-active lawful-intercept shop Hacking Team has turned up in malware being run by Chinese-speaking threat actors. The malware they're deploying is also unusual in that it alters its target's Unified Extensible Firmware Interface. Installation in the UEFI renders this attack harder to detect and eradicate than more conventional malware. The malware currently in circulation is said to be based on VectorEDK, whose code was obtained from Hacking Team in 2015 by Phineas Fisher and leaked online, along with a great deal of other company information. VectorEDK has since been repurposed to drop spyware Kaspersky calls MosaicRegressor as its payload in targeted machines. VectorEDK was originally designed to be installed by someone with physical access to the targeted device, but Kaspersky is unsure how it's currently being installed. The connection the researchers draw between the code and a Chinese group is so far principally linguistic, although even that evidence retains a degree of ambiguity. But there's other evidence, notably in phishbait and command-and-control servers, that points to APT41, a group generally believed to work for China's Ministry of State Security.
Krebs on Security describes, with credit to researchers at security intelligence shop Intel 471, a campaign designed to disrupt TrickBot. On September 22nd and again on October 1st, someone sent bogus configuration files to TrickBot-infected devices, effectively disrupting the botnet's command and control. Who's responsible is unknown. A disgruntled insider, a competing criminal gang, law enforcement or intelligence agencies, or vigilantes are all possibilities. TrickBot is closely associated with the gang that runs Ryuk ransomware. The effect of the disruption, Krebs says, seems for the most part to have been to enrage the hoods as they chatter in their markets, in which many of them are woofing their intent of upping their ransom demands, and so forth. The story is still developing. Who's messing with TrickBot remains to be seen.
AppGate Labs has analyzed a new strain of ransomware, Egregor. The researchers think it looks like a Sekhmet spinoff, and they note that Egregor has been following the recent, now routine ransomware trend of stealing information before it's encrypted, the better to gain leverage over the victim and diversify the illicit revenue stream. We'll unfortunately probably hear more of Egregor in the near future.
The Wall Street Journal sees the international mood shifting against Huawei, as Germany moves toward restricting the Shenzhen company's participation in its 5G infrastructure. Other European nations are also shying away from Huawei. Sky News summarizes a report from the UK's Huawei oversight group to the effect that GCHQ had discovered what it characterized as nationally significant vulnerabilities in Huawei kit. Nikkei Asia reports that Greece is also joining the anti-Huawei camp. If it's true that all politics is local, it might be equally said that all conflict is regional. Greece is apparently motivated by tensions with its inveterate rival Turkey to move closer to the U.S. in its own security policies.
And finally, Forbes calls a Darktrace reminiscence of a hacker it once tracked as exposing the world's dumbest hacker. Back in 2018, Darktrace was monitoring an attempt to gain access to a luxury goods company. The attackers had gained the ability to exploit a fingerprint scanner, and so far, so good, from the crook's point of view at least. But then it occurred to the criminal masterminds that what they should do to gain access was upload their own fingerprints to the database the scanning system used, while deleting other legitimate fingerprints. Darktrace AI, of course, noticed the changes. Good idea, peeps. Give the cops your fingerprints. Not all online criminals are Lex Luthor or Professor Moriarty, are they?
It has been reported by many, and on this one I have to agree personally, that since the pandemic started, many people's sense of time has been distorted. It's not uncommon to see someone quip on Twitter that, man, last week was the longest month of my life. It is in that context that Scott Algeier joins us. He's executive director of the IT-ISAC, and they are marking 20 years of information sharing. In the cyber world, that is a long time, and it's an achievement worth celebrating.
The concepts of the ISACs, information sharing and analysis centers, originated back in the late 90s, the PDD-63 with President Clinton. And the idea was we wanted a way for the critical infrastructure owners and operators to share threat information with each other, both from a cyber perspective as well as physical security. And the whole concept back then was that the critical infrastructures are owned and operated by the private sector, but there's a national security component to securing them as well. It's important for the government from a national security perspective that they be secured. So the concept was to figure out a way to get industry and government to share information with each other. And the way to do this was to set up industry-specific forums for private sector information sharing and then connect those forums to government organizations. And since then, the information sharing community has grown. Back in 2000, there were two or three information sharing organizations, and now there are some 26 organizations that belong just to the National Council of ISACs, and there are probably dozens of more information sharing organizations throughout the country that are operating independently and on their own.
Where do you suppose we're headed? What's the future of ISACs?
I think the future of the ISACs is a couple of things. Number one is we need to continue to help make sense of the information we're providing to the members. So I think the ISACs will continue to focus on information sharing, but I think we're seeing more and more of the ISACs devoting resources to the analysis component, helping members make sense of what's being shared, helping to prioritize the information. I think the other area where the ISACs are looking to enhance their capabilities is this collaboration, which also helps with the analysis. So one of the things we're talking about within the IT-ISAC is a lot of our member companies are monitoring some of the same actors, which is great, but is there a way that we can free up some resources by having some other member companies take other actors? So let's monitor other actors and then bring the analysis from those actors into the larger ISAC community. So instead of having multiple companies focus on the same actors, there's a way that we can spread out the analytical resources and the analytical capacity where we can look at more actors and then share the analysis from that member company across to the other members within the ISACs.
That's Scott Algeier from the IT-ISAC.
And joining me once again is Mike Benjamin.
He's the head of Black Lotus Labs, which used to be under the company known as CenturyLink. But Mike, there's been a name change there. Before we dig into today's topic, can you give us a quick little update there?
Yeah, absolutely. So on September 14th, the company is now changing its name to Lumen Technologies. And it's really an acknowledgement of all the technology we've been working so hard on for the last 10 years to help our customers with networks and compute and security. And talking a bit more about where we're going to take that technology platform to the future and to help our customers build their technology and really deal with this new world of data analytics and robotics. It's really an exciting place to bring our technology to our customers.
All right. So CenturyLink is now Lumen. Well, I hope the transition goes well. Our topic for today is DDoS ransoms. Now, that's an interesting combination of a couple of things there. What can you tell us about that?
And, you know, the general concept is they take away your files and then demand money to get it back. So in the DDoS ransom space, the threat is they're going to take away your Internet connection. Now, in some cases, they will knock it offline for a couple of minutes as a warning shot to prove that you should pay the ransom. And other times it's no more than just an email saying, pay us some money and then we'll do it. And so it varies in sophistication, but the general premise is we're going to knock you off the internet if you don't give us some amount of money.
And what sort of ransom notes are they sending out here? How menacing are they being?
So this has been going on for a number of years, and they vary in level of sophistication. The latest wave that we've seen uses two names that they've used for a while. They use the names Armada Collective and Fancy Bear. Now, the latter obviously referencing a nation-state actor group from Russia. We don't have any reason to believe they're actually associated with the Russian government. They just like the name. It sounds menacing, like you said. So the notes on the more sophisticated side will be delivered in line with an actual attack, and they will actually list components of the potential victim infrastructure and say, we're going to attack you at these exact places, thus sharing that they've done their homework, they know about the organization, and that there's a real reason to have fear. On the low-end sophistication side, they'll reuse Bitcoin wallets, they'll list nothing, and they'll just spam email app. So it does vary in terms of how much homework the actors do. But when they do attack, we've seen attacks of over 100 gigabit. So their attacks here in the last few weeks have not been nothing. Of course, in many cases, 100 gigabit can be absorbed by the right protections in place. But for those that don't have mitigations in place, that's a lot of traffic and can absolutely impact infrastructure.
If you find yourself receiving one of these warnings, one of these threats, is this the kind of thing where you could go and order yourself up some DDoS mitigation?
Yeah, absolutely. Especially at volumes of 100 gigabit, DDoS mitigation will take care of that. It's also important to note the actual attack types they're using are UDP reflection and amplification. So for those that aren't familiar, effectively they spoof the origin of a packet to, say, an open NTP server. And when the NTP server responds, it responds with a larger data volume than the request, thus amplifying the request data. And they send it to where the spoofed packet says it came from, which is really the victim. And so they bounce it off there. Now, the nice part from a DDoS mitigation perspective is a lot of these protocols aren't widely used by companies or even home users. SSDP is not widely used across the WAN of the Internet. Even NTP, where it is widely used, it's okay if you filter it for a few minutes in general while an attack is going on. The only one that gets kind of sticky is DNS, where you really do need DNS to do your day-to-day browsing or run your business. So when they use DNS, it gets a little more difficult. But there's relatively easy ways in order to stop a UDP-based DNS attack by forcing it to flip to TCP and other stateful things where spoofing is no longer an option.
So what are your recommendations here? If I get a ransom note like this in my inbox, what should my course of action be?
Well, the question we always get asked is, should you pay? And so I will give my opinion for a moment here, which is no. The recommendation here is in the security market, everybody here is trying to raise the cost of an actor being successful. We want to make it harder. Therefore, they can be successful less often and fewer people will enter that trade. And so by paying them, we're going the wrong direction, so to speak, in regards to raising the cost for an actor. And so the other thing to keep in mind is if you follow the ransomware market, they've become rather sophisticated with their customer service and their predictability to payment. They've almost become a business. Now, I, again, don't recommend paying in the ransomware space, but with the right ransomware actor, you do have a certain predictability to the fact you're going to get your files back. In this space, the DDoS actors are in a position where generally they're not really knocking people offline. A lot of times they don't even follow up on their threats. And so there's even less of a reason to make that payment. So really what my suggestion would be, make sure you understand how you're protected. Make sure that things are either in highly distributed environments where attacking them is difficult or that there is a DDoS mitigation of some sort in front of that asset that can't be highly distributed. And work with other people in the industry to help find who these folks are and let's lessen their ability to make those attacks happen.
All right. Good advice there. Mike Benjamin, thanks for joining us.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Plus, there are two scoops of raisins in every box.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha.
I join Jason and Brian on their show for a lively discussion of the latest security news every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
And check out the Recorded Future podcast, which I also host.
The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics.
That's at recordedfuture.com slash podcast.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.