CyberWire Daily - Ocean Lotus versus car manufacturers. Ransomware versus dental practices. $5 million reward offered in Dridex case. Information operations and the UK’s general election.
Episode Date: December 9, 2019
Ocean Lotus puts down more roots in automobile manufacturing. Ransomware hits dentists’ IT providers as well as a Rhode Island town. The US is offering a reward of $5 million for information leading... to the arrest or--and we stress “or”--conviction of Dridex proprietor Maksim Yakubets. Russian influence operations seem to be aiming at stirring things up over this week’s British election. And an awful lot of Windows 7 machines still seem to be out there. Joe Carrigan from JHU ISI on McAfee predictions of two-stage ransomware extortion. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_09.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ocean Lotus puts down more roots in automobile manufacturing. Ransomware hits dentists' IT providers as well as a Rhode Island town. The U.S. is offering a reward of $5 million for information leading to the arrest or, and we stress, or, conviction of Dridex's operator-proprietor Maksim Yakubets. Russian influence operations seem to be aiming at stirring things up over this week's British election, and an awful lot of Windows 7 machines still seem to be out there.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Monday, November 9th, 2019.
Bayerischer Rundfunk reported at the end of last week that Ocean Lotus, also known as APT32, a hacking group associated with the government of Vietnam, has been detected in the networks of both BMW and Hyundai. Neither company would directly answer the news service's questions, responding with generalities about the company's security posture, the need for discretion in talking about specific cybersecurity incidents, and so forth, along with offering reassurances that they're addressing any security issues. The company is said by ZDNet to have monitored Ocean Lotus' intrusions into its networks for a few months before finally expelling the hackers at the end of November.

Bayerischer Rundfunk reports that Ocean Lotus seems to have established websites spoofing those belonging to BMW and Hyundai, and that those spoofs may have in some way figured into the attacks. Engadget reports the episode as an instance of cyber espionage, with trade secrets as the probable target, noting that Vietnam has in recent years entered the automobile market with its own manufacturer. BMW is a parts supplier to Vietnam's domestic producer. The national champion, VinFast, has been in operation for a little more than a year. As ZDNet points out, BMW and Hyundai aren't the first companies to draw the interest of Vietnam's industrial espionage operators. Toyota was an Ocean Lotus target earlier this year.
Ransomware continues to crop up in places that wouldn't appear to be high-payoff targets. Krebs on Security reported on Saturday that an IT provider that serves dental offices, Englewood, Colorado-based Complete Technology Solutions, had suffered an infestation of Sodinokibi ransomware, a strain also known as REvil that's been making a nuisance of itself in recent months. Complete Technology Solutions offers, according to Krebs, network security, data backup, and voice over IP phone service. The problem apparently began on November 25th, and Krebs says that as of this past weekend, affected practices were still turning away patients. The operators behind Sodinokibi have devoted some attention to IT firms serving dental practices. Two months earlier, the same strain hit in Wisconsin, where it affected service provider PerCSoft and about 400 practices. Some 100 have been affected in the Colorado attack.

The other ransomware incident that developed at the end of last week hit the small Rhode Island town of East Greenwich, where municipal systems were affected. The town hopes to be substantially up and back in business today. Both cases should serve as a reminder that a relatively small size and low profile confer little immunity from cyber attack.

Maksim Yakubets and Igor Turashev, the two Russian
gonifs indicted in Pittsburgh last week on 10 counts connected with their use of the Dridex banking trojan, have now got a price on their heads, or at least Yakubets does. The U.S. Departments of State and Justice are offering $5 million in Yankee greenbacks for information leading to Mr. Yakubets' arrest or conviction. That's the highest ever offered, Computing and the Washington Post agree, for cybercriminals of this type. The Post has an interesting photo essay showing how crime pays for some of gangland's top dogs, with plenty of pictures showing the lifestyles of the corrupt and conscienceless. If bad taste were a crime, State and Justice would have to up their offer to $10 million. Anywho, the Dridex duo will find it difficult to vacation outside of Russia. Hope they like Chelyabinsk because, alas, Atlantic City or Reno seem out of reach. Which is sad.
A bit more news out of Russia. The World Anti-Doping Authority, better known by its acronym WADA, has hit Moscow with a four-year ban that will take the country out of this coming summer's Tokyo Olympics. This isn't a cyber story, not yet anyway, but it can be expected to become one soon enough. WADA has been in the Kremlin's cyber crosshairs before.
The UK will hold its general election this Thursday. Campaigns are being roiled in the last week by the documents Labour brandished to accuse the Conservatives of planning to sell the National Health Service to the US, which seems unlikely, to say the least. Or, to put it somewhat more plausibly, the documents are said to show that the Tory government was planning to offer effective control of the NHS's place in the health care market to a set of U.S. firms, the goal being, they say, to sweeten Britain's offer during negotiation of a new U.K.-U.S. trade deal. Labour's leader, Jeremy Corbyn, is hanging tough, saying it's an important issue the Prime Minister has yet to address, and that, as The Guardian reports, Labour won't reveal where the documents came from. Besides, even if the accusations that the documents were planted on Reddit by Russian operators are correct, no one has yet made the case for the documents' inauthenticity. The Washington Post points to the incident with glum alarm as a stark warning for the U.S. 2020 elections, if only because, as the Post puts it, politicians are not exactly serving as a deterrent right now to would-be adversaries. So the week will prove interesting.
Finally, whether or not Prime Minister Johnson is taking a page from The Art of the Deal here, there's one National Health Service cyber issue that seems beyond dispute. According to Computing, the NHS still has about 200,000 machines running Windows 7, which really and truly reaches its end of life next month. Which makes us think. Our radio desk has been hearing a lot of ads lately in the lower reaches of local AM, in which someone's offering to sell Windows 7 laptops at a discount. Get them now before Microsoft ends Windows 7 support in January, they say. Which is a way of looking at the market we confess hadn't occurred to us. So, hop to it, world.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Hi, Dave. You and I were looking over some of the predictions from McAfee when it comes to things that they think are going to be coming down the pike in 2020.
And there's one here that caught our eye that we wanted to discuss today.
This was written up by John Fokker.
He's been a regular guest over on our Research Saturday show.
And this is ransomware attacks to morph into two-stage extortion campaigns.
Yeah.
What's going on here?
So we're all familiar with ransomware, right?
That you get your files encrypted and then the attacker comes in and they say, here's your keys.
Give me the money.
And if you pay them, you might very well get the keys.
In fact, most of the time you do get the keys.
Right.
But what he's saying is while you're recovering from this ransomware attack, the next thing they're going to do is start extorting you to keep the data private.
Hmm. So this is sort of an insult to injury kind of thing?
Yeah, an insult to injury kind of thing.
So if I am capable enough to penetrate your network and get inside,
or if I've bought that access from somebody,
then I have access to your documents and your data and whatever,
and I can get that data out of there as well as encrypt it.
So I can steal it and encrypt it. So I can take it for myself and have it and then deprive you of it.
So once I give it back to you through the ransom payment, I can still leverage the fact that I have
the information. So now you're faced with another decision of whether or not to pay the extortion,
the hush money. I'll call it the hush money. And we'll say the ransom is what you pay to decrypt your data
and the hush money is what you pay to keep your data from being released.
I'm already dealing with people who have already encrypted and stolen my data.
Although they have a little bit of your trust if they've given it back.
Right, right.
I understand.
But paying them the hush money is no guarantee
that they're going to not turn around and sell that data a third time for another profit.
Sure.
Right?
I understand what John is saying here, and I absolutely think he's right that people will try it.
I don't think it will have any benefit.
I don't think people will pay that as much.
People will pay ransoms to get their data back, but people are not going to pay hush money to prevent their data from being leaked, I think.
So is the lesson here that your data should be encrypted at rest?
So even if these bad guys exfiltrate the data, it's encrypted with your encryption that you have the key to.
That's correct.
And it's worthless to them.
It is worthless to them.
That's a great point. So if you use encryption when your data is at rest, and that encryption is in place when somebody without authorization to look at the data is
looking at it. But if I'm using whole drive encryption on like a Windows machine, somebody
has remote access to that Windows machine, that data is there and unencrypted and accessible.
So even though it's encrypted at rest, now if I'm talking about encrypted data maybe
on a network drive that's always encrypted until somebody looks at it, then yes, that's
right.
Yeah.
Of course, if somebody encrypts it a second time, that still makes it inaccessible to
me, right?
So I still have to make the decision of whether or not I'm going to pay the ransom.
Yeah.
And you know, another thing that I think doesn't get discussed very much is that there's the
possibility that when the data is restored, let's say you pay the ransom and the data is restored.
Right.
How do you know that that data hasn't been altered?
Yeah, that's a real issue.
Avi Rubin, who is a professor at Hopkins, has said that that is what he predicts is going to be the next wave of ransomware, is that somebody is going to go into some organization and change the data, not make it invalid, but change it.
And then they're going to say, I've changed your data and you have to pay me a ransom or or I won't change it back, but I can change it back.
And I think that's a much more insidious and probably dangerous method of infection.
Yeah. You can see the ramifications of that.
Think about it in a medical environment.
Absolutely.
Changing patient data information.
Changing test results, for example.
Or medicine dosing and things like that.
Yeah.
All kinds of issues that could come up.
All right.
Well, it's an interesting report.
It's a McAfee Labs 2020 Threats Predictions Report.
Worth a look.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving
field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your
Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup
studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.