CyberWire Daily - More from Vault7. How and why the DPRK hacks. FIN10 hits North American businesses with extortion demands. UK unis sustain ransomware infestation. Free decryptors are out, and ISACs seem to be working.
Episode Date: June 16, 2017. In today's podcast, we hear that WikiLeaks has dumped more of Vault7. More attribution of WannaCry to North Korea, where Hidden Cobra and the Lazarus Group appear to be one and the same. FIN10 cybercriminals are asking US and Canadian businesses for a big payoff to head off a big doxing. Conventional ransomware hits British universities. Kaspersky and Avast release free decryptors for Jaff and EncrypTile. Markus Rauschecker from UMD CHHS reviews China's new cyber laws. Jocelyn Aqua from PwC describes attitudes toward AI. The ISAC process seems to be working. And patch early, patch often.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
WikiLeaks dumps more of Vault 7.
There's more attribution of WannaCry to North Korea,
where Hidden Cobra and the Lazarus Group appear to be one and the same.
Fin10 cybercriminals are asking
U.S. and Canadian businesses for a big payoff
to head off a big doxing.
Conventional ransomware hits British universities.
Kaspersky and Avast release free decryptors
for Jaff and EncrypTile.
The ISAC process seems to be working,
and patch early, patch often.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 16, 2017.
It's been a week of patching news.
If there were any patch skeptics out there, if they've been paying attention, they ought to have a moment of clarity.
Not only did Microsoft take the unusual step of reaching back into the grave of beyond-end-of-life Windows software
to fix the ghosts of operating systems past, but WikiLeaks is back too.
Julian Assange's persistent gadflies yesterday released another tranche of files from their Vault 7,
which they claim consists of leaked CIA hacking tools.
The documents in this round concentrate on exploits affecting at least 25 home router models,
including devices from Linksys and D-Link.
That number could be considerably higher, observers are saying.
With relatively minor modifications, the implant could be used against upwards of 100 models.
The principal implant described in the leaks, it's called Cherry Blossom,
is said to have been used since 2007.
Updated routers are probably not susceptible to this particular form of exploitation,
which ought to provide yet another reason to patch these usually ignored and all too easily overlooked devices.
We know it's tough and we're certainly not going to cast the first stone
with respect to home Wi-Fi devices. Still, good hygiene might as well start at home. Consider
putting a bright 10-year-old in charge if you've got one of those knocking around the house.
The Washington Post reports that the NSA is attributing the WannaCry ransomware campaign
with moderate confidence to North Korean espionage services. Much of that
confidence derives, of course, from the sort of circumstantial evidence long cited by Symantec,
Kaspersky, Dell SecureWorks, and others. Telefónica's ElevenPaths security research unit
is among those pointing to countervailing circumstantial evidence, some of it linguistic
clues and metadata, but consensus is moving
swiftly toward DPRK attribution. In the alert U.S. CERT issued earlier this week, for example,
the FBI and the Department of Homeland Security explicitly identified the Hidden Cobra threat
actor with the Lazarus Group, which of course is widely held to be a DPRK security service.
So why the wild sloppiness and direct
conventional criminality so many discern in Hidden Cobra and the Lazarus Group? A long piece in Wired,
citing conversations with FireEye analysts and others, suggests that from Pyongyang's point of
view, there's more rationality here than might appear under Western eyes. North Korea is an
international pariah and knows it.
It's subject to heavy sanctions, and these bite deeply into its economy.
It has powerful enemies, and even its nominal friends really don't care for it very much.
So the DPRK will grasp at whatever asymmetrical advantage it can.
It will also look for ways to grab much-needed money,
and if bank robbery will do it, then bank robbery will do,
as the Bangladesh Bank and the New York Federal Reserve learned firsthand.
As far as the indiscriminate opportunism of attacks in cyberspace,
well, if you've got little to lose, why not?
Extortion in both its familiar forms, embarrassing doxing and ransomware,
surfaced again this week. FireEye has described a group, Fin10,
which is seeking to extort Bitcoin from North American businesses.
They're demanding, it seems, between 100 and 500 Bitcoin in payment,
which equates at current rates to between $247,000 and $1,237,000.
So this isn't lowball extortion.
The threat is doxing and disruption.
Fin10 will put sensitive corporate data up on Pastebin if they've not paid within 10
days.
After the 10-day deadline expires, documents will be posted every 72 hours.
Once all the documents are out, and if they still haven't been paid, the crooks threaten that, quote,
your computer network will be taken down in a large-scale attack, end quote.
The criminals pose as known Serbian or Russian cyber gangs,
using the names Angels of Truth, Tesla Team, and Anonymous Threat Agent,
but FireEye thinks that's probably misdirection.
Their English is too good, their Russian too poor to carry off the imposture,
and their familiarity with Canadian and American targets suggests a lot of local knowledge.
More conventional ransomware has disrupted at least two British universities this week,
University College London and Ulster University. The institutions are in the process of recovery.
There's some good news this week, too.
First, on the ransomware front, two security firms have released recovery tools.
Kaspersky has released a free decryptor for Jaff ransomware,
and Avast has done the same for EncrypTile.
So bravo, Kaspersky, and bravo, Avast.
There's also some good news in the midst of the very bad news
about the CrashOverride industrial control system malware that's been identified in the 2016 Ukrainian grid hack.
The silver lining here is that the ISAC process seems to be working.
We spoke with representatives of the DNG-ISAC and the American Gas Association this morning,
and they told us that while the threat to their sector is as great as the threat to the electrical power distribution system, they were pleased with
how quickly their members responded to the quiet warnings Dragos sounded to them last
Friday.
Their guard is up, and mitigations are in place.
So bravo, Dragos.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist
who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney Plus.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform protects your executives and their families 24-7, 365. Learn more at blackcloak.io.
Joining me once again is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security.
Markus, great to have you back. Saw a story come by on The Hill, and it was about the new cybersecurity laws coming from China. Give us a breakdown here. What are we dealing with?
Yeah, everyone's watching this very closely. China has passed a cybersecurity law,
a pretty comprehensive law. And as I said, everyone's watching it very closely to see what this will
mean. Businesses are concerned that this law is very vague and very broad. And businesses are
thinking they don't really know how to necessarily comply with the law. There's a lot of questions
about some of the terminology in the law and what the requirements will be that are placed on
businesses that are doing business
in China.
So there's a lot of uncertainty and a lot of unease about this new law coming through.
At the same time, human rights experts are also very concerned about this law, again,
because of its vagueness and, in some cases, outright censorship provisions in the law that will put a limit on freedom of expression
and other statements that might be critical towards the state.
The law is going into effect, and we'll have to see what the outcome will be.
Of course, China is saying that this law, a big part of it is to improve the privacy for their citizens,
but that's being met with some skepticism. Absolutely. To its credit, China is trying
to address the cybersecurity issue as most countries are. Certainly, there are many human
rights organizations that are seeing this law with a great deal of skepticism because there
are provisions within the law that call for a lot of monitoring and privacy invasions and outright censorship of certain activities online.
So that certainly goes against a lot of the human rights values that are generally accepted.
But China argues that some of these restrictions are necessary if it is to secure its networks and its Internet and provide for greater security.
One of the issues that multinational corporations specifically are looking at in terms of this law are these restrictions on cross-border data flows.
This is of special concern to these businesses because, as we all know, these multinational corporations are moving data around the world continuously, 24-7. So this
new Chinese law actually restricts that data flow. The law says that any data that's generated
within China must be kept in China and stored in China. So this is of special concern to a lot of
businesses who are multinational, who are moving data around, to have this new restriction placed on them.
That provision may or may not apply to every business. It applies specifically to, quote,
critical information infrastructure, but no one's really sure what that means. That term isn't
really defined. So there's just a lot of uncertainty about the law in general and about
these specific provisions that are creating
a lot of unease for businesses that are operating in China. All right. Well, it certainly bears
watching. Markus Rauschecker, thanks for joining us. Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Jocelyn Aqua.
She's a partner with PwC, focusing on emerging technology and data protection laws.
Prior to that, she spent several years in senior positions at the U.S. Department of Justice.
She joins us today to discuss the results of a PwC survey,
a revolutionary partnership, how artificial intelligence is
pushing man and machine closer together. Both industry and consumers were extremely
enthusiastic about the potential for AI, that they started to reap the benefits in their personal
lives just from music and exercise trackers and things to that effect where they're seeing
choices provided to them based on their realizing AI and voice recognition.
They see that the potential for medical breakthroughs and other life-changing technology advancements are going to happen within the next few decades.
And they see how exciting it is.
That said, they also, one important part, which I thought was interesting, is the top issue, privacy and cybersecurity,
they thought that that would be resolved immensely by AI.
Cyber and privacy are both significant concerns.
But one of the things that I found a little disconcerting is that 87% of the folks surveyed
thought privacy was a major concern of using AI.
And so the reason why I got looped in is because I am a privacy lawyer
by trade. And now I'm a consultant to industry who are looking at trying to strategically think
about these emerging tech issues and build privacy in. And so while it's clear that on the cyber side,
we are using AI to do a lot of beneficial things now, scanning for vulnerabilities and seeking patterns for attribution and ensuring that systems are being monitored.
And that's only going to get better and only more successful. And we're going to improve our
cybersecurity. But at the same time, I think there is a significant concern about what the other side of AI is, whether AI is going to be used to hack into systems, to inject malware, to dupe other AI.
And the longer and more complex that the systems are, how can humans be intervening and observing
what's going on? My most important takeaway was the fact that there is a lot of room
for considerations of the trustworthiness of AI and the privacy and the ethics that come with that.
Do you think that 87% number reflects the reality of the situation? In other words,
does that align with what we see on the technical side as what would be a reasonable concern when it comes to privacy and AI?
I do. I think that, you know, every day there's another data breach, there's another hack.
There's so much information about the benefits of AI.
One of the things I thought was very comforting is that while this is such a concern,
what people want to do with their data is really be able to share it. You know, a significant
portion of the respondents also said that they recognize that their data could be used for
medical breakthroughs to improve the lives of others, but they want to make sure that it's
going to be secure, that it's not used in the back end to discriminate against them, that they want
to be able to share data in a protected way, and they want AI to be used this way. And so the concern is on multiple factors. It's multiple issues. So
I think that what my goal would be is to work with companies and work with our teams in-house here
to really start thinking about all of the privacy and trust issues that come with building these new products and the new technology,
and what to do to resolve that now while we're starting out and build that into the systems
and build that into the academic world that's thinking about these issues.
One of the words that was sprinkled throughout the report was this notion of amplification.
And it strikes me that part of what people are looking toward AI to do
is not necessarily replace the humans in the equation, the things that the humans do,
but to provide a sort of a backup or an advisor or a multiplier to allow people to process and handle more data than they'd be able to do,
but still partner with the people.
Yeah, that's true.
And I think it's being used and a lot of tools are being developed to prevent computers from being hacked
to make sure that there's no insider threat type of issue where people are accessing things they shouldn't.
AI is really going to solve a lot
of our cybersecurity problems. That said, there is the human part of it that still needs to happen
because of the intuition, because be able to look at everything and really know what's going on in
a system and then being able to make a real assessment. In fact, if you think about it, in terms of making these decisions,
it doesn't benefit humanity if there's a decision by AI that just gives you the answer, but not how
they arose to the answer. So if they can point out where in a population is most likely to get
certain type of cancer, but can't get you to the understanding of where they came up with that
using all of the additional technology that's being inputted into the AI and the data,
it doesn't solve all of the problems that humanity needs.
And so having that conversation between human and AI is essential.
And it's not the underlying problem now.
We're not at that stage yet, but to not think through these issues now, that when you're using it to amplify, at one point we suspect and we see from the investment in driverless cars
and all of these areas of autonomous AI that this is something that we need to think about now
while we're building our systems, while we're advising strategically
on how to build in privacy and trust and ethics, it's for all of that.
That's Jocelyn Aqua from PwC.
The report, A Revolutionary Partnership, How AI is Pushing Man and Machine Closer Together, can be found on the PwC website. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.