CyberWire Daily - NotPetya still looks like an act of state; intended result or not, companies warn of possible material effect from the attack. Another S3 database found exposed.
Episode Date: July 7, 2017
In today's podcast, we hear that NotPetya still looks like a Russian campaign to Ukrainian authorities, and experts remain skeptical that affected data can be recovered. Companies warn that NotPetya may have a material effect on earnings. WikiLeaks dumps Gyrfalcon and BothanSpy documents from Vault 7. Johannes Ullrich from SANS and the ISC Stormcast podcast on NoSQL database security. Andy Greenberg, senior writer at WIRED, on his July 2017 issue cover story on Ukraine cyberwar. And pro wrestling fans now have something in common with registered voters, data.gov.uk, and the National Geospatial Agency.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code n2k at checkout.
NotPetya still looks like a Russian campaign to Ukrainian authorities,
and experts remain skeptical that affected data can be recovered.
Companies warn that NotPetya may have a material effect on earnings. WikiLeaks dumps Gyrfalcon and
BothanSpy documents from Vault 7. And pro-wrestling fans now have something in common with registered
voters, data.gov.uk, and the National Geospatial Agency.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Friday, July 7, 2017.
Ukraine hasn't backed off from attributing the NotPetya campaign to Russia. We'll speak a bit later with Wired senior writer Andy Greenberg, who's taken a long look at Russia's hybrid war
against Ukraine and learned why he thinks this conflict has been a testing ground for the Russian way of war in
cyberspace and elsewhere. The relatively small amount of ransom paid in the course of this
global attack, a bit more than $10,000 since the beginning of the attack, according to reports,
was moved on Tuesday from the Bitcoin wallet nominally established to collect payment.
People who claimed responsibility for the malware surfaced in dark web chat rooms
to offer decryption for 100 Bitcoin, slightly more than $260,000,
but their offer has been met with general skepticism.
Petya's author released decryption keys for the ransomware's original form.
That won't help victims of NotPetya, which is now understood to be a distinct bit of malware masquerading as Petya.
It's generally agreed that NotPetya spread initially from a compromised software update for M.E.Doc tax accounting software,
widely used in Ukraine.
Bleeping Computer reports, sourcing Cisco and others, that M.E.Doc's vendor, Intellect
Service, had been backdoored three times and that it hadn't updated its servers since 2013.
The other damage the malware did around the world may have been simply collateral damage,
or perhaps welcome gravy from the attacker's point of view.
Recovery proceeds and affected companies are still seeking to get a handle on the extent
of their financial hit.
In some cases, losses may prove material, that is, investors take note.
This may involve a hit to revenue and share price.
The companies who sustained NotPetya infections found their IT far more affected than their
OT.
That, of course, could change with subsequent evolution of such threats.
Maersk, the shipping industry leader that was particularly troubled by NotPetya,
is not among those companies who found deficiencies in their security practices.
Robert van Trooijen, Maersk's Asia-Pacific chief executive, said in a call to reporters on Friday,
quote, There was nothing in terms of patches that we missed.
There were no cybersecurity measures that we didn't take.
So we were already in quite a strong position. End quote.
Van Trooijen also said that Maersk did not believe it was specifically targeted.
So in the company's view, the incident was the adventitious result of global infestation.
Maersk says it's too soon to quantify the malware's effect on quarterly revenue.
The company said the disruptions it experienced had little effect on the physical handling of cargo.
Instead, NotPetya's effect on the 76 ports that Maersk operates was to disrupt documentation and data flow, including customs and cargo release processes, which led to congestion and caused some customers to cancel orders.
How many cancellations isn't clear yet. Maersk continues to assess the damage.
On Thursday, WikiLeaks continued its weekly dump of alleged CIA tools with documents purporting to describe two implants,
Gyrfalcon for Linux and BothanSpy for Windows.
The alleged Linux implants are still regarded by many observers as a novelty,
but their utility in compromising servers also makes them an obvious sort of move.
As has been the case with the Shadow Brokers' releases,
there's no plausible public explanation yet of how WikiLeaks is getting its material.
The professional wrestling impresarios at the WWE this week disclosed a breach of customer data.
Researchers at security firm Kromtech found an unprotected database on, you guessed it, Amazon Web Services,
that contained personal data for about 3 million wrestling fans.
The database didn't include, according to the WWE, passwords or credit card data,
but Forbes reports that it sure contained a lot of other stuff. Among that stuff would be
home and email addresses, earnings, birthdates, ethnicity, children's age ranges, and gender.
WWE said the exposed database has now been secured,
and that the WWE is working with Amazon Web Services and cybersecurity companies Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits.
We've heard, of course, from industry experts on the matter.
Ryan Wilk of NuData Security notes that this is the third exposure,
what he calls a non-breach breach, of sensitive data in less than a month.
He lumps it in with the experience of Deep Root Analytics and data.gov.uk.
We might add the contractor-exposed data belonging to the National Geospatial Agency.
Wilk says the incident continues to show that sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas.
Quote, We have hit a turning point where financial and identity cybercrime has become something that a person with the most basic computer skills can dabble in.
End quote.
The kinds of data collected in this incident are, of course, the sorts of things marketers want to know,
but they need to take better care of it.
Another way of summarizing the issue is this, courtesy of our wrestling desk.
Brother, if you fail to secure your data on S3, whether you think you're a face or a heel,
exposing your data on AWS makes you what the late classy Freddy Blassie would have called a pencil neck geek.
So, don't be one.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like
Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off.
Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of herself.
Based on the acclaimed novel,
Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures.
Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families
24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he also hosts the Internet Storm Center Stormcast podcast. Johannes,
welcome back. We wanted to touch base today about NoSQL database
security. What do we need to know about that? Well, NoSQL databases are a new generation of
databases that distinguish themselves by being cheaper, simpler, and most of all, faster than
traditional databases. They don't have a lot of the features that the traditional databases
pride themselves on, like consistency or being able to relate large data sets. Instead, they're
very simple and fast lookup databases, which makes them very popular, for example, for web applications.
Now, from a security point of view, the problem is that when they started removing features from these databases, they also removed a lot of the security features that you're accustomed to from databases.
For example, some of these databases may not have the authentication or encryption options that you're used to from these more traditional and larger databases. And that led to some large breaches recently.
For example, CloudPets, a company that offers little stuffed animals
that your kids can talk to.
Now, in that case, the database that hosted all the voice snippets
from these kids talking to these pets was exposed
and was available for everybody to download.
So what are some of the options for securing a NoSQL database?
The problem with NoSQL databases is that there are so many of them. There are literally dozens
of different databases. You certainly should not allow any network access to these databases,
aside from very restricted internal systems.
The tricky part here is that, of course, often these databases are hosted in the cloud,
and that may put some requirements forth where you do need to connect to the database across the network.
So you have to be really careful how you configure this and then educate yourself.
Before you implement a database like this, make sure you read
the actual manufacturer's, the vendor's, security guidelines and implement whatever security
features there are, even if they may be a little bit less than what you're used to. So even with
these limitations, there are some benefits for using a NoSQL database? Yes, there are benefits. And there's, for example, speed.
For example, on web applications, one problem is where do you store all this
volatile user information that you need to store as the user browses your site?
Like, for example, the shopping cart and the like.
Some of these databases allow you to store all of this in memory,
which of course is very fast and makes the application work a lot better.
All right. Interesting information. Johannes Ullrich, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge. It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
My guest today is Andy Greenberg.
He's a senior writer at Wired, and his cover story, Lights Out,
appears in the July issue on newsstands and available online now.
The story describes the recent cyberattacks against Ukraine,
specifically the attacks against their electrical grid, and the implications those attacks could have on critical infrastructure around the world.
Andy Greenberg joined us from New York, and I began our talk by asking about his trip to Ukraine.
You know, I write a lot about theoretical cybersecurity research, also real attacks,
but usually from a sort of analyst's perspective.
And so I went in part just to try to tell this from the victim's perspective.
I wanted to find Ukrainians who could tell me about the experience of cyber war, like
what it felt like to have the power turned out in your home or to be in an institution
like an electric utility or government agency when it came under this sort of long series
of cyber attacks.
And it turned out that I was very lucky to find that one of the main Ukrainian
researchers who's been following this whole sort of epic hacking spree had had the power turned
out in his home. So that tied things together really nicely. And Oleksii Yasinsky at this
company, ISSP, became one of the main characters in the story. I'm curious, from your perspective,
how much do you think this is the Russians sort of trying to get inside the heads of the people in Ukraine?
And how much of this is a message to the rest of the world?
I think it's really tough to say which it is of those two things.
I think it's both.
They are trying to wage a hybrid war on Ukraine.
I mean, the war in the east of Ukraine is certainly not signaling to the rest of the world. That's a real war that Russia is waging to weaken, I think, what it sees as a potential threat to its sphere of influence.
It doesn't want to have a kind of Western-style, NATO-friendly democracy right on its border.
So it's trying to weaken Ukraine with those kinds of kinetic attacks. But then I think that the
hacking is part of that, too. And it wants Ukraine
to look like a failed state. And I heard that from Ukrainian officials that I spoke to. That's
how they see a lot of this. It was really only Oleksii Yasinsky among all the Ukrainians who
focused the most on the idea that this was actually just training, that Russian hackers
were using Ukraine as a training ground, which I think is probably the bigger picture. If you look
at some of these attacks, like the use of this CrashOverride malware to take down a fifth of the electric
capacity of Kyiv for just one hour, you have to imagine that they wouldn't have put so much time,
so many man hours and resources into building this really impressive piece of code just to
take down the power for one hour. That seemed like a test run of something they're going to want to use again. It does seem like part of what Russia must be doing is trying to rattle a
saber as well and show the West what it's capable of. I think, in fact, there are probably three
things that Russia is trying to do, which is to weaken Ukraine, to test its capabilities and hone
them, and then probably to show the United States or anybody else who has
these same kind of capabilities that it can do the same and that it wants that to serve as a sort of
digital deterrence, if that's possible. Do you think Ukraine is simply outgunned?
And what is the sense of the defensive capabilities of, say, the United States versus
what Ukraine is capable of? It definitely seems like Ukraine is outgunned. I didn't hear much about Ukraine firing back in any kind of concrete way
or even being able to defend themselves.
It seems like they're just constantly remediating the last attack.
And of course, as soon as my piece came out,
there was this whole Petya/NotPetya ransomware
that just completely flipped the country upside down again.
It does seem like Russian
hackers, if these are in fact Russian hackers and every piece of evidence suggests that they are,
are just running circles around the Ukrainian defenders. Yeah, in the article you mentioned
how it seems as though perhaps they're testing not only the Ukrainians but the rest of the world
to see how far they can go before there's pushback and what kind of pushback there will be? Well, definitely. I mean, I think you can kind of see that when
now that we know that it was supposedly a grassroots hacker group called CyberBerkut
that in 2014 hacked the Central Election Commission in Ukraine and tried to spoof the
election results, and they almost got away with it. So they did that in 2014. Then they eventually,
in 2016, tried to hack the organizations involved in the US election. You can kind of see that
because they weren't censured in any way, after that 2014 Ukraine election attack, they sort of
escalated it and tried it on the West. And that's a sign that maybe they're doing the same thing now
that they're trying something out in Ukraine to see what the diplomatic response of the world is going to be before they risk it somewhere where there may be retaliation.
Or if they do the kind of power grid attack that they did in Ukraine on the United States, there would certainly be retaliation.
But they, I think, did learn something by the fact that they were able to do that twice in Ukraine with no diplomatic repercussions.
They're facing sanctions for their invasion of Crimea and eastern Ukraine.
There's been no hacking-specific sanctions at all.
It does seem like they're testing what they can get away with, and they're getting away with a lot.
What are the take-homes for you in the process of writing this article?
What are the things that surprised you?
What are the things that, looking forward, do you think need to be addressed?
I approached this story, to begin with, as a sort of foreign case study.
What can Russian hackers do when they show no restraint is what I thought the Ukraine
piece was going to be about.
When I started to see that there were signs that this group first had planted BlackEnergy
on American utilities in 2014 and that they were, you know, the theory was that they were
testing this stuff to try it against the West in the future. The scope of it did expand. I was
ready for this to be a story about Ukraine, and it very quickly became one, I think, about Russia
and the world. But then the big surprise, of course, is that the week after we published this
piece, the whole Petya/NotPetya ransomware outbreak happened. I mean, I wrote in the story
that there's a sort of cycle to these things that in the first half of the year, this hacker group plants its seeds,
and then they sort of bring them to fruition with big attacks at the end of the year. And then it
happens definitely in 2015 and in 2016. And ISSP, the Ukrainian firm, was telling me that they
expected that in 2017 as well. Some of the Ukrainians I've spoken to think that this is because of our story, although I don't know if that's true. These hackers, if they are the same
group and the Ukrainian government now says they are, they sort of expedited the whole process and
blew up their targets in the middle of the year, even did this to Ukrenergo and Kyivenergo,
these two power utilities, which seems to be kind of burning their access
to cause immediate damage. And so that's a surprise. And I mean, of course, we're still
figuring out what happened with this whole ransomware epidemic. But it's hard to understand
the motivations of this group if they couldn't have laid low until the end of the year or whenever
they wanted to and caused another blackout or series of blackouts or other attacks. So I don't
know. I'm still trying to figure out how this latest set of attacks plays into the larger Sandworm playbook. I think we'll just
have to stay tuned as that unfolds. That's Andy Greenberg, senior writer at Wired. His cover
story, Lights Out, is in the July issue, which is on newsstands and available online now. And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.