CyberWire Daily - Mitigating PrintNightmare. New ransomware strains in circulation. Router firmware patched. Russia denies brute-forcing anyone. What the reinsurance rates tell us.
Episode Date: July 2, 2021
Mitigations for the PrintNightmare vulnerability are suggested. Wizard Spider has a new strain of ransomware in its toolkit. A new RagnarLocker strain is in circulation. NETGEAR patches router firmware. Russia reacts to US and UK reports of a GRU brute-forcing campaign: Moscow says it didn't do it. Kevin Magee from Microsoft shares some of the tools he uses to keep himself and his team up to date. Our guest is Andrew Patel from F-Secure on how to prepare security teams for AI-powered malware. And a quick look at the true costs of cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/127
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k.
Mitigations for the print nightmare vulnerability are suggested.
Wizard Spider has a new strain of ransomware in its toolkit.
A new Ragnar Locker strain is in circulation.
Netgear patches router firmware.
Russia reacts to U.S. reports of a GRU brute forcing campaign.
Kevin Magee from Microsoft shares some of the tools he uses to keep himself and his team up to date.
Our guest is Andrew Patel from F-Secure on how
to prepare security teams for AI-powered malware and a quick look at the true costs of cybercrime.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 2nd, 2021.
CISA and U.S. CERT urge users to disable Windows Print Spooler in domain controllers and other devices not used for printing.
Microsoft's June update addressed CVE-2021-1675, being referred to as PrintNightmare, but that update didn't foreclose the possibility of exploitation. Security Boulevard reports that researchers briefly and inadvertently posted a proof-of-concept exploit for PrintNightmare last month, so this particular cat was at least briefly out of the bag. The CERT Coordination Center suggests two mitigations, both of which come at the cost of some printing functionality. Option one is to stop and disable the Print Spooler service. Option two is to disable inbound remote printing through Group Policy.
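The two CERT/CC options above are described as a manual procedure, so here is an added PowerShell example, written for this page and not taken from the episode or from CERT/CC, CISA or Microsoft, that applies either option on a single host and reports the resulting state. It assumes an elevated session on a Windows host with the PrintManagement module available, and it assumes that the Group Policy setting "Allow Print Spooler to accept client connections" is backed by the machine-policy registry value RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers, with 2 meaning deny; that mapping is taken from the policy template, not from the episode. The default Audit mode changes nothing and only reports.

```powershell
# Added example for this page; not code from the CyberWire episode or from
# CERT/CC, CISA or Microsoft. Run in an elevated PowerShell session.
#
#   -Mode Audit     report the spooler state and warn, change nothing (default)
#   -Mode Disable   option one: stop and disable the Print Spooler service
#   -Mode NoRemote  option two: keep local printing, refuse inbound remote printing
#
# Assumption: the Group Policy setting "Allow Print Spooler to accept client
# connections" is backed by the machine-policy registry value below, where
# 1 = allow and 2 = deny (taken from the policy template, not from the episode).

[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Disable', 'NoRemote')]
    [string]$Mode = 'Audit'
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerState {
    $svc    = Get-Service -Name Spooler -ErrorAction Stop
    $policy = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue

    # Not configured means the spooler still accepts remote client connections.
    $remote = 'allowed (not configured)'
    if ($null -ne $policy) {
        $remote = if ($policy.$PolicyName -eq 2) { 'denied' } else { 'allowed' }
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role   = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    # Printers this host shares out; zero means nobody prints through it.
    $shared = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })

    [pscustomobject]@{
        SpoolerStatus      = $svc.Status
        SpoolerStartType   = $svc.StartType
        RemotePrinting     = $remote
        IsDomainController = ($role -ge 4)
        SharedPrinters     = $shared.Count
    }
}

switch ($Mode) {
    'Disable' {
        # Option one: no spooler at all, so no local or remote printing.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    'NoRemote' {
        # Option two: local printing keeps working, inbound remote printing stops.
        if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
        # The spooler reads the setting at start-up, so restart it to take effect.
        Restart-Service -Name Spooler -Force
    }
}

$state = Get-SpoolerState
$state | Format-List

if ($state.IsDomainController -and $state.SpoolerStatus -eq 'Running') {
    Write-Warning 'Print Spooler is running on a domain controller; CISA advises disabling it here.'
}
if ($state.SpoolerStatus -eq 'Running' -and $state.SharedPrinters -eq 0 -and $state.RemotePrinting -notlike 'denied*') {
    Write-Warning 'Spooler accepts remote connections but this host shares no printers; consider -Mode Disable or -Mode NoRemote.'
}
```

Run it once with the default Audit mode (for example as `.\Mitigate-PrintSpooler.ps1`, a hypothetical file name) to see which hosts are domain controllers or share no printers, then apply Disable on those and NoRemote where local printing must keep working. On domain-joined hosts, set the policy in a domain GPO rather than writing the local value, since a GPO that configures the same setting will overwrite the local write at the next policy refresh.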
Bleeping Computer reports that FortiGuard Labs researchers have found the TrickBot gang Wizard Spider using a new ransomware variant, Diavol. Diavol has strong similarities to Conti, enough for high confidence in a circumstantial attribution. It doesn't have any built-in methods for avoiding installation on machines with Russian language packages, as Conti does, but like Conti, Diavol uses asynchronous I/O operations for file encryption queuing, and it uses similar command line parameters to achieve similar functionality. Diavol is also a bit of a throwback in that it's straight-up encryption ransomware. It doesn't appear to have any of the now-customary ability to exfiltrate data as part of a double-extortion scheme.
Wizard Spider, generally regarded as a financially motivated criminal gang, suffered a bit of a setback when a number of TrickBot servers were taken down earlier this year, but TrickBot has survived the takedown and Wizard Spider has stayed in business.
BlackBerry has an account of the new RagnarLocker ransomware variant, recently used against ADATA, manufacturer of DRAM and NAND flash products. This version of RagnarLocker does follow the current criminal best practice in that it's a double extortion tool. It steals data before it encrypts it.
SecurityWeek reports that Netgear has patched firmware flaws in its routers. Microsoft researchers discovered and reported the issues.
Yesterday's joint announcement by U.S. and British intelligence services
that they detected a large-scale brute-forcing campaign run against Western targets by Russia's GRU
prompted a predictable response from Russia's government.
The Russian embassy in Washington issued a long statement in which it both denied any Russian involvement and complained that Russia itself was under constant U.S. cyber attack.
Quote,
It's high time to put things in order on the American soil from where constant attacks
on critical infrastructure emerge.
We emphasize that fighting against cybercrime is an inherent priority for Russia
and an integral part of its state policy to combat all forms of crime.
End quote.
With the recent conclusion of the Russo-American summit, RT clucks, one would have hoped for better.
Quote,
We hope that the American side will abandon the practice of unfounded accusations
and focus on professional work with Russian experts
to strengthen international information security.
End quote.
That's Russian official sources after the Geneva meetings.
RT also notes that Russian Foreign Minister Lavrov said after the summit,
quote,
Moscow sent more than 40 appeals to Washington regarding American cyberattacks,
but received very few responses.
End quote.
This and other protestations of Russian innocence, like those published in RT,
strike most observers as unconvincing,
but it certainly looks as if the Aquarium has let the bears out.
The Register suggests a road not taken by Moscow's diplomats: people should be thanking the Kremlin for the free pen testing. "Thanks, Vlad, for the cyber checkup and the containerization case study," The Register says.
Recent cyber incidents have exacted a fiscal toll on their actual and potential victims.
Security firm IronNet places the average cost to affected companies of the SolarWinds compromise
at 11% of annual revenue, which is high enough by any account.
IronNet told IT Brief that one of the reasons for the high impact
is that organizations still have a tendency to fight off attacks on their own,
and they might well do better with more information sharing. But you needn't actually
be hit with a cyber attack or a cybercrime caper to take a bit of a financial bath.
One place higher costs show up is in the insurance market.
The reinsurance broker Willis said that for the July renewal season, cyber reinsurance rates have risen by up to 40%.
Reuters reports, citing a study by Coveware, that the average ransom payment made by a business to restore data after a cyber attack was $220,000 in the first quarter, up 43% from the last quarter of 2020. James Vickers, chair of Willis International,
told Reuters that reinsurers that have been writing cyber are looking at considerably worse results than a few years ago. I don't think people had really imagined the extent of the
ransomware attacks going on. These are big jumps. Here's one comparison. Property reinsurance rates for the U.S. state of Florida were up as well in July, but only by 30 percent, not the 40 percent seen in cyber policies.
And remember, hurricane season is just getting underway in the Sunshine State.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian
and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings
automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
company's defenses is by targeting your executives
and their families at home. Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
For several years now, artificial intelligence and machine learning have been popular buzzwords in the cybersecurity world,
practically irresistible to the folks in marketing.
The terms may have reached cliché status, but under the hood, it can be powerful, effective technology.
Andrew Patel is a researcher at the Artificial Intelligence Center of Excellence at F-Secure,
and he and his colleagues have been looking at ways to train up AI systems on the attack side
to better prepare our defenses for that inevitable day when the bad actors unleash AI-powered malware on the world.
Artificial intelligence is really being used as a blanket statement right now, mostly for machine learning.
So that's the way that when someone talks about artificial intelligence,
or has done in the last few years, that's what I immediately kind of switched to,
is talking about machine learning.
I mean, artificial intelligence has a large range of stuff
that it represents, all the way from when you talk about games,
you know, game AI, like the AI that will play StarCraft against you
if you play against a computer,
or all the way up to artificial intelligence
as in actual machine intelligence running on a computer.
So right now, though, I think that when I think of artificial intelligence,
it's just the default of what people are referring to, which is machine learning.
Well, and for several years now, we've had folks who are selling products
that help defend against malware.
They've made hay out of the fact that their products are using AI to help you defend
yourself. But I think more and more we're hearing that AI may be being used by the folks who are
producing the malware themselves. And that's something that you and your team are tracking.
Well, I mean, I would say that if the folks who are making the malware
are using machine learning techniques right now,
it's most likely for data analysis stuff.
But there's no way of us really knowing that,
bar getting a hold of their computers that they're using to do this stuff.
So there's speculation, but no real evidence of that.
As far as putting machine learning methodologies into malware,
I mean, there have been academic publications which talk about that,
but they're really quite academic.
And examples like one being Microsoft that used a neural net to further obfuscate a payload inside an executable, which is basically a technique to make reverse engineering even
more difficult.
So there's no, as far as I can tell, nobody has been looking at building malware where the logic has been created with machine learning techniques.
I see.
Now, do you imagine this sort of thing being kind of self-contained,
where it would be using these capabilities within a single system that it had infiltrated,
and or would it be able to phone home and say,
hey, on this system, here's where we had success, here's where we had failure.
So the next time a system gets infected, it's been able to learn from the experience of previous attempts.
So, I mean, right now what I envisage is training it offline.
You train it on your own infrastructure and then you would use it as a tool
when you arrive on an actual target infrastructure.
It's a tool that allows you to automate
some of the steps that you would have had to do manually
if you're an attacker.
But as far as learning as a deployed tool,
that's something that would be a more futuristic thing, I think.
So essentially what we're doing is,
instead of hand-coding the logic to do those steps,
we're training it to build that logic.
And for very simple scenarios, of course, one can hand code that logic.
But when it gets more complicated, then hand coding that logic becomes really messy and
unmaintainable.
So this approach might be better for more complicated or more generalized attack scenarios
that we want to look at.
And suppose this sort of thing is unleashed on the world, what sort of adjustments would
need to be made to people's defenses?
One of the reasons for doing this would be that a tool like this could execute a series
of steps very quickly.
So that would be the change, I think, that once this sort of thing becomes a reality,
then the idea of having a period of time to react to something kind of goes away
because the whole attack chain can happen very, very quickly.
So it really allows the attacking system to be both nimble and fast.
Yeah. I would suggest that for the time being,
tools like these would be useful
against environments which have low security,
which have bad security,
that for instance might not be running
breach detection solutions or IDS
that might not have their antivirus up to date
or proper firewall rules.
That would have misconfigurations that could be
attacked. So a tool like this would be really useful for an attacker to be able to do more
things than they have time in the day to do otherwise, because they can just, when they
find a system that's a low security, they can just run the tool. When they find a system that's
much more hardened, you'll still require a human to figure
out how to attack it and how to be stealthy and not get noticed.
That's Andrew Patel from F-Secure.
There's a lot more to this conversation. If you want to hear the full interview,
head on over to CyberWire Pro and sign up for Interview Selects,
where you'll get access to this and many more extended interviews.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And joining me once again is Kevin Magee.
He is the Chief Security Officer at Microsoft Canada.
Kevin, it's always great to have you back. You know, one thing that I know that we all struggle with
and I wanted to check in with you on is just keeping current.
You know, the tools that you use, the resources you use
in the midst of doing your job, how do you make sure that you're up to date?
Thanks for having me back, Dave.
And this really is one of the most consistent questions I get asked by colleagues or customers or my students.
And even random folks on social media.
And it turns out to be my favorite question to answer is, what have you been reading lately?
How do you keep up?
The simple answer is I read everything I can. And the more detailed the problem, I think the more detailed and more sophisticated the inputs
I need to be keeping up on. Because ultimately, a big part of my role as a leader is just keeping
up not only with what's happening in the industry, but also world events and the threat landscape in
general. This can mean everything from simply sorting out what
matters are happening throughout the day, but also what threats are emerging. And the sheer volume of
information is just staggering and growing in complexity. So I really need to be very selective
of what I'm ingesting, what I'm reading, what I'm consuming. And not just what, but how, when,
and why really matters as well too.
Yeah. How do you come at that from a time management point of view?
I really look at it from three horizons of information I need to be consuming,
and I call them now, today, and tomorrow.
And I know this is why I'm in security, not in marketing.
That's the best I could really come up with for how to segment it.
But now my tool of choice is Twitter.
And if it's in the newspapers,
it's already too old. I really need a real-time monitor. So I have a monitor above my workspace
that continuously drips columns of tweets and lists of people and topics that I follow. And
whatever piques my interest, I'll create a new column to track a trend or a subject or event that's happening in real time. And I can
really look at it sort of like I'm watching The Matrix and see what's happening out there in real
time. I also have a daily approach to my intel, which is probably where I invest most of my time.
And it really comes down to a number of form factors, but ultimately it's two categories.
One's the news, sort of the traditional news sites, blog posts that everyone reads. The other is a very select
group of what I call trusted aggregators or curators that I follow. And for me, it's mostly
newsletters and podcasts, you know, where someone whose judgment I trust has provided a summary
or a list of the most important topics of the day. And some of my favorites are, of course, Cyberwire,
the podcast and newsletters. Pinkerton
Daily Insights is another great one. The World This Week section of The Economist, a great place
to find sort of the geopolitical aspects of the day. And it may not be a security source, but it
gives me a lot of context that I should be thinking about. Recorded Future Daily. Graham Cluley, his
site's fantastic for what's happening almost in real time.
And his Smashing Security Podcast is great as well, too.
But the trick is really to find people
who are doing the hard work, the research,
and the deep reading, and then you can also deliver me
the best summarized and actionable intel.
That's where I'm really looking for my daily intel intake.
And then beyond that, the stuff that's coming up, the future stuff,
how do you ingest that?
Yeah, I think that's my tomorrow section. So it's not just what interests
me, but what I need to be mindful of and what topics are going to be of future requirement
for my thinking. And those are the ones I really want to spend some time in depth to address, not just my day-to-day challenges, but my future plan and strategic
thinking. So I'm constantly seeking out recommendations to fill my blind spots
in terms of what I should be looking at. And this could be anything from talking to folks
like yourself. I always love to ask, what are you reading? It's places like the Cybersecurity
Canon Project set up by Rick Howard,
where sort of the greatest minds of our industry are nominating the key books that we should all
be reading. And also just beyond sort of reading podcast documentaries, seminars, anything where I
can sort of expand my overall knowledge base, but also really grow myself as a security professional and leader.
From a leadership point of view, how do you dial in the things that you spend your own personal time on and the things that you delegate to the folks that you work with?
I think there's a few answers to that. One would be
the chance to develop the team, to give them interesting challenges to look into and research
and see how they approach it. And the great thing about having a very diverse team with lots of different backgrounds
and perspectives are they'll sometimes approach the challenge or the problem or the research of
that solution in a much different way than I would. So sometimes casting your net wider and
allowing the team to delegate or delegating to the team to solve some of those challenges
is really, really enlightening.
And I often hear answers or perspectives
or different approaches that would have never occurred to me.
So some of the larger things that I look into,
again, I ask my team, I ask my customers,
I ask other folks within the organizations
to recommend where we should be listening to. And I take a mindfulness approach. I really try not to solution the problem or come
up with where I should be going to find out the answer. And I really step back and look at where
the data is taking me or where my interests are taking me or where a nagging suspicion in the back
of my head is taking me when it comes to a threat or whatnot. And I let that guide, you know, where I do my research.
And that's served me well.
It's sort of the hacker intuition, I guess,
that is really built into organization, that spirit of curiosity.
I let it often guide me in terms of where I research
and where I spend a lot of time thinking.
All right. Well, Kevin Magee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We've got a long holiday weekend coming up here in the U.S., and if you're looking for something to do, check out Research Saturday,
my conversation with Tom Roeder from Minerva Labs.
We're going to be discussing rigging Windows installations.
That's Research Saturday. Check it out.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Thank you. that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.