CyberWire Daily - Patch by midnight, and reply by endorsement. Cerberus is howling; Rampant Kitten is yowling. TikTok and WeChat both get reprieves. German police want ransomware operators for homicide.

Episode Date: September 21, 2020

CISA tells the Feds to patch Zerologon by midnight tonight. Cerberus surges after its source code is released. Rampant Kitten, an Iranian surveillance operation, is described. The US bans on WeChat and TikTok were both postponed. Justin Harvey from Accenture marks three years since WannaCry with a look at ransomware. Our own Rick Howard on red and blue team operations. And police in Germany are looking for ransomware attackers on a homicide charge. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/183

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA tells the feds to patch Zerologon by midnight tonight. Cerberus surges after its source code is released. Rampant Kitten, an Iranian surveillance operation, is described. The U.S. bans on WeChat and TikTok were both postponed.
Starting point is 00:02:15 Justin Harvey from Accenture marks three years since WannaCry with a look at ransomware. Our own Rick Howard on red and blue team operations. And police in Germany are looking for ransomware attackers on a homicide charge. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 21st, 2020. Late Friday, the U.S. Cybersecurity and Infrastructure Security Agency directed all federal agencies to apply August's patch to Microsoft Windows Server. Emergency Directive 20-04 requires that mitigations of the Zerologon privilege elevation vulnerability, CVE-2020-1472, which Microsoft addressed in August, be applied by midnight tonight, and that all agencies report completion by midnight Wednesday. The directive applies only to federal agencies under CISA's oversight, which is most of them, but with certain national security exclusions. As Forbes notes, if the matter is serious enough for CISA to take this action, then the private sector would be wise to do the same.
Starting point is 00:03:43 The release of Cerberus source code has, as predicted, been followed by an increase in attacks using the banking trojan, Kaspersky reports. Apparently, despairing of getting their reserve price in an online auction that didn't work out to their satisfaction, and faced with the difficulty of maintaining the malware as the gang broke up, the managers of Cerberus last week released their source code online. Kaspersky said, The result has been an immediate rise in mobile application infections
Starting point is 00:04:14 and attempts to steal money from consumers in Russia and across Europe as more and more cyber criminals acquire the malware for free. Researchers are seeing the same sort of jump in functionality and usage they observed when Anubis went similarly public last year. Checkpoint describes what it's seen of Rampant Kitten, an Iranian threat group that's been keeping tabs on that country's dissidents for six years. Rampant Kitten has used four Windows infostealers, an Android backdoor that
Starting point is 00:04:46 pulls two-factor authentication codes from SMS messages and records the infected device's audio surroundings, and Telegram phishing pages. Rampant Kitten has prospected domestic opponents, but it's taken an even closer interest in certain organized dissident groups in the Iranian diaspora. U.S. bans on transactions involving TikTok and WeChat, scheduled to take effect yesterday, didn't happen, due to, first, 11th-hour agreements about control over TikTok, and, second, to a temporary injunction a federal magistrate issued to keep WeChat running as it has.
Starting point is 00:05:30 In outline, according to the Wall Street Journal, the agreement reached Saturday would give Oracle a 12.5% stake in the new company to be called TikTok Global, and Walmart would purchase 7.5% of the venture. That would leave ByteDance with about 80% of TikTok Global, but as it happens, ByteDance is 40% owned by American investors, and the companies hope that this would constitute sufficient U.S. control to allay U.S. security fears. Oracle also intends to provide the new company with secure cloud service for TikTok's data, and Walmart would agree to provide e-commerce, fulfillment, payments, and other services to TikTok Global. The agreement that would establish TikTok's American operations as a standalone company with partial U.S. ownership remains under evaluation, and the Commerce Department says the ban has therefore been postponed a week. The Wall Street Journal reports
Starting point is 00:06:23 that a U.S. federal magistrate has granted a temporary injunction stopping the government's intention of similarly stopping transactions involving WeChat. A group of the app's users filed an emergency motion seeking to block the government's plans on First Amendment grounds. The government, they argue, has insufficient grounds for blocking their access to the Chinese-made and operated app and that this constitutes restraint of their freedom of speech. The government has said that it intends to take no action against anyone using WeChat to communicate either personal or business information,
Starting point is 00:06:58 but that the app's data collection practices represent a threat to national security. Should one or both bans eventually go through, the Chinese government has signaled that U.S. companies are in for some rough treatment of their own. The Washington Post reports that Saturday, China's Commerce Ministry announced plans for adding some companies to its unreliable entities list. While the ministry didn't specify exactly who would make the list, Chinese state media have for some time been calling for retaliatory bans on Apple and Google. So, those two, probably, for starters at least.
Starting point is 00:07:37 The sad case last week of a woman who died when ransomware at a Dusseldorf University hospital required that she be diverted to a hospital some 30 kilometers away and too far to give her the prompt emergency treatment she needed, has prompted prosecutors in Nordrhein-Westfalen to open a criminal inquiry into negligent homicide against unknown persons. Reuters reports that the loss of data so interfered with hospital admissions that it was unable to take patients arriving by ambulance. It's been widely reported that should charges eventually be filed, it would be the first time a death had been linked to a cyber attack. That depends, of course, on how narrowly one construes the words linked to a cyber attack,
Starting point is 00:08:22 since there have certainly been deaths induced by swatting, where a phone call's origins were spoofed. But it is an unfortunate reminder that for all the disinhibitions cyberspace tends to produce in those who live and move and have their being there, cyber attacks do have real consequences for real people. Security firm Emsisoft, which has made a reputation providing decryptors to ransomware victims, thinks that the Düsseldorf case ought to put an end to the payment of ransom. One of the
Starting point is 00:08:52 objections to paying ransom, however much of a bargain it might be in any particular case for any particular organization, is that doing so fuels a bandit economy and encourages future attacks. The argument parallels one that's long been made against negotiating with terrorists. If payment encourages ransomware gangs, and if their attacks are growing in frequency and consequence, then it's time, Emsisoft thinks, to stop feeding the beast. In the meantime, all we can do is offer condolences to the victim's family and friends and to wish the German police good hunting.
Starting point is 00:09:35 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together.
Starting point is 00:09:57 Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:28 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:11:37 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm joined again by Rick Howard. He is the CyberWire's Chief Security Officer and also our Chief Analyst. But more importantly than either of those things, he is the host of CSO Perspectives over on CyberWire Pro. Rick, it's always great to have you back. Thanks for the plug, sir. I appreciate that.
Starting point is 00:12:15 Of course, of course. You know, last week, you and I were discussing the history of pen tests. We were talking about red team and blue team ops and purple teams and all that stuff. This week, you continue that. You take it to the next level. You brought in some experts to your hash table, and you discuss how practitioners handle this stuff in the real world. So what kind of stuff did you find out? Yeah, you're right. So if you recall from last week's show, back in the early 70s, the good guy hackers, these are white hats, or ethical hackers. You know, we started to use our own skills against our own systems, and eventually those exercises became known as penetration tests. These were separate teams. You know, they would attempt to poke holes in the technology deployed to protect the enterprise, right? Now, these weren't trying to emulate any adversaries, okay? They were just trying to find, you know, the unknown open windows and doors.
Starting point is 00:13:12 And I was surprised that, you know, when I did the research that it went back as far as the 70s. What I discovered, though, when I was talking to the hash table experts is security experts have different ideas on how to use these teams. And it's on the spectrum of activity. On one end, it's sitting the team somewhere on the internet and telling them to find a way in any way they can to on the completely opposite side of the spectrum, giving the team extremely specific parameters
Starting point is 00:13:39 about what they're supposed to do and from where they're supposed to do it. Now, this kind of stuff's been going on for a long time. And for my part, I never thought that former part, you know, kind of willy-nilly, do whichever you want, was that valuable, right? Because, you know, can a pen test team find their way in? Of course they can, okay? That's what they get paid to do.
Starting point is 00:14:00 Right, right. So I was talking to Rick Doten about this. He is the CISO for Carolina Complete Health. And before he was a CISO, he ran a commercial pen testing team. And his clients would ask him to see if the pen test team could get into the client's network. And so this is what they would tell him. So when I was a consultant, I would often have customers who would call and say, hey, I'd like a penetration test just to see if you can get in.
Starting point is 00:14:24 And I would always tell them, save your money. Yes, we can. There's no question about it. It's like if you have a specific reason that you want something to focus on, or you just updated a system, or even your monitoring, or you want to test the way that these controls are acting, that would be something. But if it's just a general, can you get in? Yes, we can always get in. I think his point is that pen tester activity should not be free-for-alls, okay? They should be highly tailored to test something specific like, you know, a newly deployed S3 bucket or a change in firewall settings or maybe even a newly deployed server farm or something like that. You know, it kind of reminds me of, like, I don't know, if I were
Starting point is 00:15:05 testing the security of my home, if I were to go to a pro, if I were to go to a locksmith and say, could you get into my house? Well, of course a locksmith's going to be able to get into my house, right? But I suppose that's different than saying, hey, I want to bring someone in to make sure my alarm system is functioning the way I expect it is. Or, yeah, that I am turning it on the correct way, okay, when I go to bed at night, you, that I am turning it on the correct way, okay, when I go to bed at night, you know, those kinds of things. Right, right, right. That's really interesting.
Starting point is 00:15:30 Well, last week we ended on a bit of a cliffhanger, and it was a little bit up in the air if red team and blue team ops were considered an essential function. Has there been any clarity in the meantime? Have you made up your mind? I think I finally have. You know, I was on the fence. And I don't think that red team, blue team operations are essential.
Starting point is 00:15:50 They're kind of expensive to do. And I definitely would not pull that lever first. If I was beginning to set up a new InfoSec program, that's not the first go-to move. But if I am mature and I put in these other strategies, and we've talked about them on this show, right? It's resilience and zero trust and intrusion kill chains and being able to assess risk in your organization. If you can get all that stuff going and it's relatively mature, then the next lever you might pull is red team, blue team operations. And so they're not essential to your InfoSec program. I will say,
Starting point is 00:16:25 though, that the training opportunity by doing those are pretty decent. You know, you put a brand new SOC analyst hunting down a red team in real time. There's some real life training going on there. So there may be some benefit there. But again, maybe not essential to any InfoSec program. All right. Well, check out CSO Perspectives. That is over on CyberWire Pro on our website, thecyberwire.com. Do check it out. Rick Howard, thanks for joining us. Thank you, sir.
Starting point is 00:17:32 Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, it's always great to have you back. We recently passed the third anniversary of WannaCry. I wanted to check in with you on some of the things that you've been tracking when it comes to ransomware and how it's evolved over the past three years. Sure. Well, the third anniversary of WannaCry was just last month.
Starting point is 00:18:17 And I've got to say, WannaCry was a pivotal moment in cybersecurity history, not because of some of the damage that it created. We've seen damage for 10, 15, 20 years. What really was surprising was that WannaCry was going to be the first of many types of destructive attacks. Now, in my experience, I define ransomware as destructive malware because there's really no difference. With destructive malware, you don't have a means to get your data. And with ransomware, you may have a means
Starting point is 00:18:51 if you're willing to take that risk. And so with WannaCry creating so much damage three years ago, it really started a cascading of events and ramping up ransomware. I believe that adversaries saw this as an opening for them to exploit victims and get a big payday. And we've seen, I mean, since then, ransomware has sort of expanded their scope of operations
Starting point is 00:19:17 to include exfiltrating data to kind of turn up the heat on the folks that they're ransoming. That's exactly right. We at Accenture are seeing a lot of cases. And in fact, since the pandemic started in early March, we have seen over a 50% increase in ransomware cases. And many of them are following the same incident life cycle. It's the adversaries that are doing a quick phish to get in, get a landing spot, quickly escalate privileges, and they're installing a persistence mechanism like Cobalt
Starting point is 00:19:53 Strike. Now, Cobalt Strike is an interesting tool because it is a commercially available tool out there. Primarily, it is intended for use by red teams and friendly offensive security teams. But Cobalt Strike has been adopted by many adversaries out there, even nation states, as a remote access Trojan. So these adversaries are getting in, they are installing Cobalt Strike, and then they're just kind of listening for a while. They're mapping the environment. They're understanding who's who and where the goods are. And then, of course, once they find the goods, they are encrypting them in place as well as stealing credentials and other data. So they've kind of got a bird in the hand. And the bird in the hand is they're stealing the data first, and then they're extorting. So if they don't get their extortion
Starting point is 00:20:43 money, boom, they can already probably monetize the first set of data that they've exfiltrated. And in the time since WannaCry, how has your playbook grown more sophisticated? When you're called out to help an organization who's dealing with ransomware, have things changed over the past couple of years? Yes, we have moved from being primarily an investigation team that's heavily focused on understanding the who, the what, the why, and then moving toward expulsion and then transformation. We've moved from that model to quickly triage and help recover an environment. Because before, the cases that we were running, both cyber criminal and nation state, it was really a bug hunt. You have an adversary, they are hidden in the environment, and they are mostly passively stealing intellectual property and exfiltrating it. And what we're seeing now is something different.
Starting point is 00:21:49 We're seeing an adversary get in, be quiet, exfiltrate that first set of data. Then, of course, they're doing the extortion. But through this extortion, they're also taking out the entire enterprise. They're taking down Active Directory. They're taking out applications and databases and things that are necessary to create revenue or to fulfill the obligation of the enterprise. So for us, we are seeing more and more of that. And it's less about, well, who done it and how do we get
Starting point is 00:22:16 them out of the environment to how fast can we restore services? It's interesting to me that, you know, I remember it felt like we might see a shift away from ransomware toward crypto mining for a little while. But that really didn't play out. The crypto mining kind of ran out of steam. Yeah, I think that with these crypto miner adversaries, I think they were primarily looking to make a quick buck off of the new types of cryptocurrencies out there. But I think that they're having a hard time monetizing these quasi-unofficial currencies out there. So it's very difficult for them to make money. And if you're already in an environment,
Starting point is 00:22:57 you already have administrative access, why not just put in ransomware rather than do a mining expedition? Now, clearly, mining is less destructive, but it can also take down an environment, as we've seen with a few of our clients over the last two to three years. Yeah. All right.
Starting point is 00:23:16 Well, Justin Harvey, thanks for joining us. Thank you. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it'll pick you up when you're feeling down. Listen for us on your Alexa smart speaker, too.
Starting point is 00:23:56 Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is security intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com slash podcast.
Starting point is 00:24:26 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:24:34 Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Harold Terrio,
Starting point is 00:24:43 Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.
