CyberWire Daily - OilRig hires the Russian cyber-mob. WannaCry updates. Other EternalBlue exploits surface in the wild. Pending legislation in the US Congress. NIST issues guidelines for Executive Order compliance.

Episode Date: May 18, 2017

In today's podcast, we hear that Iran's OilRig cyberespionage campaign seems to be employing Russian hoods, and BlackEnergy. WannaCry recovery continues, but there may be worse to come. Still talking fun...ny, the ShadowBrokers say you'll be able to subscribe to an Equation Group leak service next month. The US Senate considers putting the Vulnerability Equities Process on a legal foundation. NIST issues draft guidance on cyber Executive Order implementation. Level 3 Communications' Dale Drew predicts there's more ransomware in our futures. Mandeep Khera from Arxan Technologies outlines vulnerabilities in mobile apps. And political parties in Western Europe still stink at email security, for all their worries about Fancy Bear. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. And political parties in Western Europe still stink at email security, for all their worries about Fancy Bear. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 18, 2017. We begin with news about matters other than the WannaCry ransomware pandemic. OilRig, a cyber espionage campaign generally believed to be run by Iran against regional rivals, especially Saudi Arabia, has resumed. This time, researchers at California-based
Starting point is 00:02:52 TrapX Security see evidence that Iran is using the services of Russian cybercriminals. In particular, they're finding some use of BlackEnergy malware in the OilRig campaign. BlackEnergy, of course, was most famously used against Ukrainian power distribution infrastructure back in late 2015. Victims of WannaCry ransomware continue to treat their infestations. Researchers are increasingly convinced the attack was a North Korean operation that bears the fingerprints of the Lazarus Group, but the evidence remains circumstantial,
Starting point is 00:03:25 the attribution preliminary and provisional. Other, better-crafted and arguably more dangerous campaigns exploiting EternalBlue vulnerabilities are underway, and they seem to be playing a longer, more focused game. Proofpoint has described Adylkuzz, a malicious cryptocurrency miner that began quietly circulating in the wild weeks before WannaCry appeared. Its masters are using infected machines to accumulate coin. This cryptocurrency mining scheme has been quietly in progress for some weeks before WannaCry came to light.
Starting point is 00:03:58 Heimdal Security warns of the discovery of what they're calling BlueDoom, and this one is disturbing. It's more sophisticated in execution by far than WannaCry. As Heimdal puts it on their blog, BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits. BlueDoom disguises itself as WannaCry, but it's a completely different type of worm that does not drop ransomware. In fact, BlueDoom appears to aim at quietly establishing persistence in victim networks,
Starting point is 00:04:32 presumably with a view to activation later for future attack campaigns. Where the Shadow Brokers got the EternalBlue exploits remains unknown. Unknown also are the identities of the brokers themselves. Speculation tends to focus on either Russian intelligence services or a rogue American, a high-end hacktivist. Whoever the Shadow Brokers are, they're sticking to their outrageously bogus broken English and promising a subscription service for Equation Group zero-days, coming to a black market near you in June. As more of our time is spent on our mobile devices, the security of the apps on those devices is a growing concern.
Starting point is 00:05:10 Mandeep Khera is from Arxan Technologies, a company that specializes in app protection, and he spoke with us about protecting your binaries in your mobile apps. We find that over 90% of mobile apps out there have not been protected from the binary code protection point of view. And so hackers are coming in. I mean, they find the weakest link and they go in and they're exploiting the heck out of these applications. And so from a real world point of view, what are some typical ways that you see this affect people?
Starting point is 00:05:49 Yeah, so it depends on the industry, right? So for example, in the financial services, mobile banking, mobile payments type of applications that any of the large to midsize banks release out to Apple or Google Play Store. And what hackers do is they get into the binary code, which is available openly, and they would use an off-the-shelf tool like Clutch, for example. They decompile the binary code. They can reverse engineer, get to the source code. They can steal the cryptographic keys. They can steal the credentials. And the end result is the number of things within that they can do. For example, they can point the app to their own bank account.
Starting point is 00:06:34 So it could result in, you know, obviously financial losses for the consumer, then ultimately for the bank. Obviously, they can create like a malicious app. They can put malware in it. If you look at other industries, like, for example, in gaming, the two big issues that come up on the gaming side are IP protection issues, because hackers can steal, again, the actual game and post it on Reddit and other places. So everyone can have access to that for free. Or they can also have anti-cheat type of issues. So, for example, they can create some cheats by hacking into the application, and then they can release it and sell it actually on the dark web. So what are you recommending for how companies can address security when it comes to these mobile apps? I think the most important thing companies need to realize is that binary code is the weakest link and it's exposed that hackers can get into.
Starting point is 00:07:22 And so they need to protect that by doing things like encryption, obfuscation, and also making sure that there are checks in there so they can see when the attack is happening. And they can take an action if an attack is happening, those types of things. But beyond that, they also need to protect their cryptographic keys, which if they're exposed, hackers can steal those, get back to the source code, and steal, you know, basically reverse engineer the whole code. And one of the biggest issues right now that we find, and at least in talking to hundreds of CSOs that I've found,
Starting point is 00:07:57 there's again a misconception that, hey, I'm storing everything on the server side. I don't have as much on the mobile app endpoint side, so I'm secure. And that is absolutely not true. And I think, you know, again, once cryptographic keys are exposed, hackers can come back and get to the source code on the server side. So it's just they need to understand it much better in terms of what the exposure is here and how to fix it. That's Mandeep Khera from Arxan Technologies. The U.S. Senate is considering legislation that would take the vulnerability equities process out of the hands of the intelligence community and formalize it as a matter of law.
Starting point is 00:08:37 The pending bill, the PATCH Act, the Protecting Our Ability to Counter Hacking Act of 2017, to unpack the forced acronym for you, defines vulnerability and establishes a mechanism by which disclosures would be made. The bill places responsibility for overseeing disclosure of vulnerabilities in a Vulnerability Equities Review Board to be chaired by the Secretary of Homeland Security. The board would set disclosure policy, and the draft bill expresses an expectation that the default position would be public disclosure, with the very large and flexible exception
Starting point is 00:09:11 of vulnerabilities deemed to affect national security. NIST has supplemented U.S. President Trump's cybersecurity executive order with guidance on how agencies should implement that order. Public comment on the document will be accepted until June 30th of this year. It's good that NIST has done so, since its cybersecurity framework, formerly known as the Framework for Improving Critical Infrastructure Cybersecurity, is the armature around which the President's order is constructed.
Starting point is 00:09:41 Finally, for all the concerns about election hacking in the West, security company Agari studied the state of email security in German, Norwegian, and British political parties. Some scored better than others, with Britain's Liberal Democrats and Greens doing best. But in general, they're all deficient in email authentication, with poorly implemented DMARC policies, that's Domain Based Message Authentication Reporting and Conformance. Perhaps someone should remind the leaders of the various parties worried about Russian influence operations
Starting point is 00:10:12 that email was, at least in part, the downfall of the U.S. Democratic National Committee. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:41 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
Starting point is 00:11:19 to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Nightbitch is a thought-provoking and
Starting point is 00:12:20 wickedly humorous film from Searchlight Pictures. Stream Nightbitch January 24 only on Disney+. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:12:53 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. My guest today for our partner segment is Dale Drew from Level 3 Communications. We're talking about ransomware, and just as a listener note, we recorded this segment a few days before WannaCry was released. It's interesting to hear Dale's predictions about how bad ransomware was going to be in 2017. That came true. Dale, we are well into 2017, and certainly one of the big threats this year. People predicted it, and it's come true. That's
Starting point is 00:13:37 ransomware. Oh, yeah. I mean, I'd say ransomware, we think ransomware is going to be the biggest threat for 2017. Not only does it use all the traditional sort of deployment mechanisms, you know, phishing attacks to be able to get an employee to click on a link, malware droppers to be able to deploy the ransomware. But it also provides sort of direct pay benefit for the bad guy. direct pay benefit for the bad guy. And some really depressing studies have come out that show that about 40% of people are paying ransomware. And so the motivation for them to be repeat victims is definitely up there. They said that the average ransomware payout is between $100 to $500 per victim. And are they getting their data back when they pay? No, see, that's the thing, is that in most cases, now in some cases we've seen some ransomware operators
Starting point is 00:14:31 who actually provide the key. Our typical experience is we see a victim pay, pay an escalation, and then the bad guy just disappears and does not provide the key to be able to unlock all their files. That was a remarkable finding about consumers and awareness of ransomware. Yeah. So this study from Trustlook was showing that about 45 percent of consumers have not even heard of ransomware as of yet. And the problem with that is that's the single largest concern that we have with regards to consumer-based security issues, especially ransomware, is that the step is to be able to protect yourself. Even if you are a victim, it's really easy if you were just to make a backup copy of your critical files before you become a victim.
Starting point is 00:15:18 Once you become a victim, then it's... all your files are already gone. And so it's just like ID theft, you know, having protective mechanisms to protect your identity up front, like locking your credit history. Those things you can take proactively to prevent yourself from becoming a victim, or better protect yourself once you are a victim. It really concerns me that 45 percent of consumers have not even heard of it and are just waiting to be victimized up front. Yeah, it's a tough thing to learn about the hard way. Yeah, the other concern is they said that ransomware has jumped about 23% in 2016. And so far, I mean, we're in May.
Starting point is 00:15:57 That's already at another increase of 25% in 2017. So that trend in ransomware growth is going to grow fairly significantly, I think, in 2017. And of course, grow it did, thanks to WannaCry being released not long after we recorded this segment. Dale Drew from Level 3 Communications. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:16:41 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:17:15 I'm Dave Bittner. Thanks for listening. AI, and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
