CyberWire Daily - More on EKANS, the ransomware with an ICS kicker. Shipping company customer-facing IT disrupted in cyber incident. Coronavirus as phishbait. Election security, new DoD rules, and insider threats.
Episode Date: February 3, 2020. Dragos publicly releases its full report on EKANS ransomware, the first known ransomware with a real if primitive capability against industrial control systems. An Australian logistics company struggles with an unspecified malware infestation. Coronavirus fake news used as phishbait. Election security may get an early test in Iowa. The US Department of Defense issues new cybersecurity rules for contractors. And two cases of insider threats (alleged insider threats). Joe Carrigan from JHU ISI with reactions to ransomware legislation proposed in Maryland. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_03.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Dragos publicly releases its full report on EKANS ransomware,
the first known ransomware with a real, if primitive, capability
against industrial control systems. We'll be right back. issues new cybersecurity rules for contractors, and two cases of insider threats, or alleged
insider threats.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Monday, February 3rd, 2020.
Industrial cybersecurity company Dragos this morning publicly released its full report on the EKANS ransomware that has recently afflicted industrial control systems.
EKANS is referred to as SNAKE in some sources, EKANS being snake spelled backwards.
EKANS was interesting because it was, as Dragos explains, a relatively straightforward ransomware strain.
It encrypted files on infected machines and displayed a ransom message.
The difference, however, was interesting.
Beyond doing these things, EKANS also, quote,
featured additional functionality to forcibly stop a number of processes,
including multiple items related to ICS operations, end quote.
That is, it included a mechanism that hit processes in a static kill list.
It is, as Dragos explains, a relatively primitive attack mechanism,
but this is something new with ransomware.
EKANS, at least, intentionally targets industrial systems.
The malware has been active, it is believed, since about the middle of December.
Dragos, which as a matter of policy studiously avoids attribution, in this case does offer some
grounds for skepticism of early reports in January from other observers and researchers
that linked EKANS with Iran. Dragos finds that linkage tenuous at best and sees few,
if any, of the markers that some had believed
indicated the hidden hand of Tehran at work. Australia's Toll Group, a logistics company that
operates a fleet of seven cargo ships, has shut down some systems while it investigates and
recovers from a suspected cyber attack, according to industry publication Splash 24-7. What kind of
attack Toll Group may have sustained is unknown,
and the company has said little beyond saying that it's reverted to manual operations
in place of some systems it shut down out of caution.
The company says it's working with experts to bring its systems back online.
It appears, according to Business Insider,
that the affected systems are customer-facing business systems,
and in particular those systems customers could use to track shipments.
This judgment is based mostly on public customer complaints,
and the customers seem to be growing increasingly salty,
as manual backups appear to have been unequal to the task of providing a minimally acceptable alternative
to the automated systems that have been temporarily closed pending remediation. Toll's systems display a message when customers
inquire about their stuff: "Something went wrong with the connection. We're sorry,
the site is taking too long to respond. This should be a short-term issue."
Once more is known, perhaps the incident might serve as an object lesson in preparing manual backup
and readying a strong corporate communications plan as part of planning for resilience.
As usually happens with any news story that achieves widespread circulation
and considerable penetration into popular consciousness,
the coronavirus epidemic continues to be used as phishbait to spread malware.
Tech Republic, citing research by both Kaspersky and IBM's X-Force,
reports that emails circulating in Japan and purporting to be from a disability welfare service provider
are serving as an infection vector.
The inducement to open a malicious Word document attached to the email
is the false report that the virus has broken out
in three Japanese prefectures.
It hasn't, of course, but if you're frightened
into opening the attached file,
you'll be likely to come down with a case
of the Emotet Trojan.
The Iowa caucuses represent the first round
in the U.S. presidential primaries,
and they meet today.
As is usually the case,
the party that doesn't hold the White House is the
interesting one to watch, and of course this year that would be the Democrats. Although, as Politico
notes, caucus voting is lower tech than it will be in other contests, Iowa affords the first look
at how 2020's vote will proceed in the face of expected cyber disruption. Watch for reports of
influence operations designed to disrupt the caucuses.
Watch also for the less likely but still possible attempt
by foreign state actors,
and we're looking at you, Russia, as usual,
to directly manipulate the vote counting.
The state of West Virginia intends to make
casting a ballot by smartphone
an option for disabled voters this year,
NBC News reports.
One hopes the gain in accessibility will outweigh the risk of cyber attack and that proper safeguards will be put in
place. Mondaq says that the city of Chicago's lawsuit against Marriott over the hotel chain's
2018 data breach has survived a motion to dismiss. The lawsuit is a consumer protection action,
alleging negligence in securing customer data.
The long-anticipated cybersecurity rules the U.S. Defense Department
wants the defense industrial base to live by
reach their final form at the end of January.
CMMC Model Version 1.0 will be phased in over the summer of 2020.
The Defense Department is open to receiving
comments on the rules, as NextGov reports, but in outline the new guidelines establish a five-level
system that grows more stringent with the sensitivity of the work a company performs.
Previously, contractors had been required to attest that they adhered to practices recommended
by NIST. The new rules will require certification by paid, accredited, third-party assessors.
It's expected to take six months to a year to be ready,
so if you're the sort to be interested in U.S. federal contractor inside baseball,
now would be the time to start getting familiar with CMMC Model Version 1.0.
Finally, two cases show the varied forms that insider threats can assume.
These two cases are interesting in that they involve trusted insiders, and they allege that
these insiders knew what they were about. They weren't, in the government's view, instances of
well-intentioned error, but rather, allegedly, cases in which people had some things to hide and now have some
explaining to do. Quartz reports that a Raytheon missile systems engineer, Wei Sun, has been
arrested for taking a company-issued laptop containing classified information with him on
a trip to China. He's being charged with violating federal export control laws. Apparently, Raytheon's security staff found the problem
and reported Mr. Sun to the authorities.
Charles Lieber, professor and chair of Harvard's chemistry and chemical biology department,
has been charged with a single felony count
for making false statements to U.S. government agencies.
The charge is related to his failure to disclose
that he was working for China's Thousand Talents Program,
receiving $1.5 million from Wuhan University of Technology,
while he simultaneously received U.S. federal research grants.
He faces up to five years in prison, three years of supervised release, and a $250,000 fine.
The Wall Street Journal observes that it's not illegal to receive foreign grants,
but that any such relationships must be disclosed when applying for support from U.S. agencies.
A specialist in nanotechnology, Professor Lieber had received millions in grants from
the U.S. Department of Defense and the National Institutes of Health.
with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when
it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000
companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute, also my co-host
over on the Hacking Humans podcast.
Joe, great to have you back. Hi, Dave.
I spoke with
Ben Yelin over on our
Caveat podcast about this new bill
that is going through the Maryland
legislature about ransomware. Maryland Senate Bill 30. And I wanted to get your take on it because
I don't know, I think I was a little counter to Ben on his reaction to it. And I suspect you and
I probably align. But yeah, before we dig in, can you just give us a quick overview? What's Maryland
up to here?
Well, what they're doing is they are defining what ransomware is in this law.
Then they're making it illegal to, quote, knowingly possess ransomware with the intent
to use the ransomware for the purpose of introduction into the computer.
Okay.
Okay. And then directly above that, the paragraph says,
this paragraph does not apply to the use of ransomware for research purposes.
And they're making this a misdemeanor with up to 10 years of imprisonment and a fine of up to $10,000.
That's correct.
That's the third change that they've made.
They've made three changes to this law.
One is they define what ransomware is.
Two, they make possession of it with the intent to use it a crime.
And three, they specify what the penalties are.
Maryland law is actually very easy to read.
Comparatively, yeah, yeah.
So there's a lot of hype about this law that I've seen in the press recently, in the security press.
People should be aware of a few things.
Everything that is not related to ransomware in this law is already on the books in Maryland.
This bill repeals and replaces that existing law with the new law that includes the ransomware language.
So we're just being a little more specific about ransomware.
We're broadening the scope of the law.
And I suppose it's fair to say that as a bit of background, of course, Baltimore got pummeled by ransomware recently or in the
past year or so. Yeah. It cost them over $18 million. Yes. It was a bad situation. And that
was not the first time that it happened. Yeah. They had also had their 911 system attacked by
ransomware. Yeah. And there was a ransomware incident in Salisbury, I believe. Well, I'm
going from memory on that. When Ben Yelin and I were talking about this, Ben made the point that
he thought this was good for deterrence. I was a little more skeptical
about that. Where do you come down? I'm very skeptical about that. I don't think this will
deter anybody from possessing ransomware. Number one, Maryland is, you know, how are you going to
prosecute under Maryland law somebody in a different country? Right. Are you going to ask them to be extradited to Maryland
where you can prosecute them?
Mm-hmm.
Also, with the fact that this research exclusion
is written very broadly,
it says this paragraph does not apply
to the use of ransomware for research purposes.
Mm-hmm.
So if I have ransomware,
even if I have intent to distribute it,
and I get busted because I
live in Maryland. Mm-hmm. And I say, hey, I'm just researching it. Yeah. And how
does that... how is that not a get-out-of-jail-free card? Yeah. I mean, I guess you'd have to convince the judge. Certainly the
arguments would be made, but you're correct, it is kind of broad. Yes. Yeah, I
mean my take on this is that this is a response by our legislators that Baltimore got hit hard.
Right.
And it's good for them to make a public display that we take this seriously.
We're doing something about this.
Look, we're taking action.
Yeah.
Yeah.
And this really doesn't, in my opinion, this doesn't take very much action at all.
It doesn't offer any greater security.
It does provide a penalty for something, and maybe Ben's right that that is some kind of
disincentive. I don't know how much of a disincentive it is. I don't know how many
ransomware attacks originate from Maryland. I suspect it's very low. There is another bill
that expands the scope of the Secretary of IT to include advising and consulting on cybersecurity matters.
I think that is a better bill.
It does move the state in a more secure direction.
Well, I suppose it's good that there's recognition at the state level that these sorts of things require action.
I will say that.
I will say I'm glad to see that the Maryland legislature is starting to look at cybersecurity as an issue that needs to be addressed.
Yeah, I guess an $18 million bill from Baltimore will get your attention when it comes to these kinds of things, right?
I wonder what it costs Salisbury, too.
I haven't found any reporting on that yet.
Yeah, yeah.
All right.
Well, interesting development. Joe Carrigan, thanks for joining us.
It's my pleasure.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.