CyberWire Daily - Patcher ransomware. Locky, Cryptowall, and Cerber are still active; so is old-fashioned blackmail. NSA keeps the VEP. Reactions to New York State's cyber regs for banks. Observations of BugDrop, and thoughts on cyber war and attribution.

Episode Date: February 23, 2017

In today's podcast, we hear about how Patcher ransomware is infesting Macs. Locky, Cryptowall, and Cerber are also still out and about in the wild. NSA seems likely to continue its Vulnerabilities Equ...ities Process. Industry reactions to New York State's coming cybersecurity regulations for financial institutions. A look back at RSA discussions of cyber warfare. Further developments in the study of BugDrop malware. Terbium Labs' Emily Wilson examines the way novel exploits becomes part of the standard tool kit. And TruSTAR looks at Grizzly Steppe and has some thoughts on the difficulties of attribution.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. Patcher ransomware goes after Macs, and fair warning, it does so in a dangerously incompetent way. Locky, Cryptowall, and Cerber are also still out and about in the wild. NSA seems likely to continue its Vulnerabilities Equities Process. Industry reactions to New York State's coming cybersecurity regulations for financial institutions.
Starting point is 00:02:17 A look back at RSA discussions of cyber warfare. Further developments in the study of BugDrop malware. And TruSTAR looks at Grizzly Steppe and has some thoughts on the difficulties of attribution. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, February 23, 2017. The Bratislava-based security company ESET reports that there's a new and unusually virulent strain of ransomware affecting Macs. It's called Patcher, and it's spread by torrent files offering license crackers. It's dangerous, according to ESET, in part because it's incompetently coded. The authors left the victims with no way of recovering their files, even upon payment of ransom.
Starting point is 00:03:04 They also put up an implausibly blank installation wizard, so buyer beware. Be especially wary of the torrent. It seems not unlikely that whoever's behind Patcher will soon fall into the hands of the authorities. He or she is almost charmingly naive and obvious in his or her payment instructions. Other more established forms of ransomware continue to circulate. Locky, Cryptowall, and Cerber account for 90% of current infestations, according to Check Point. Crypto ransomware isn't the only form of cyber extortion out there either.
Starting point is 00:03:39 A Bitdefender study concludes that fear of reputational damage is likely to motivate a significant fraction of IT executives to pay up. Some 14% of those surveyed said they'd be willing to pony up half a million bucks if it would keep their breaches or other security issues off the front page. In the U.S., NSA appears likely to continue its Vulnerabilities Equities Process essentially unchanged. The program governs the agency's disclosure of zero days to industry. Reaction to New York State's cybersecurity regulations
Starting point is 00:04:12 for banks continues. The new regulations take effect on Wednesday, March 1st. Vasco's John Gunn told us by email that he sees the regulations as likely to drive enterprises toward biometric and risk-based authentication. His Vasco colleague, David Vergara, likes the importance the new rules place on assessing third-party risk. Christian Lees of InfoArmor thinks, quote, this is an example of progressive regulation, end quote, and that there's a good chance they'll shape emerging industry standards. CipherCloud's Willie Leichter agrees. Quote, a state the size of New York can effectively create nationwide requirements. End quote.
Starting point is 00:04:51 The new rules remind him of the effect California had on the industry 15 years ago when it created a legal requirement for public notification of data breaches. NuData Security's Robert Capps isn't so sure Governor Cuomo's regulations will propagate nationally, but he does think they'll be a bellwether. Quote, New York may be the first state to introduce such measures, but they most certainly won't be the last. End quote. But he also points out that some of the regulations seem redundant with respect to existing federal laws and regulations,
Starting point is 00:05:22 and he notes that New York State, while influential, lacks jurisdiction over federally chartered institutions. We continue our look back at the RSA conference with some thoughts on cyber warfare, a matter of concern and policy that loomed large in San Francisco last week. There were many warnings about the coming increase in conflict in cyberspace. The term hybrid warfare is mostly associated with Russia, especially in its incursions into Ukraine. Hybrid warfare is an amalgam of conventional combat, special warfare, deniable insurgencies, and cyber operations involving hacking, interference, and information operations. And it's expected by many to become the normal form of warfare in this century.
Starting point is 00:06:08 Microsoft made a plea for the neutralization of the tech industry at RSA, neutralization in the sense that it should become a kind of virtual Switzerland, aligned with no one and taking part in nobody else's wars. Redmond also urged the adoption of a digital Geneva Convention that would protect non-combatants, like, for example, Microsoft, and for the creation of confidence-building international institutions along the lines of the International Atomic Energy Agency. Many applauded the sentiments, but few policy experts thought them likely to have much effect. In what may amount to an update on an ongoing instance of hybrid warfare,
Starting point is 00:06:48 security company CyberX offers further descriptions of BugDrop, a complex and sophisticated cyber espionage campaign in progress against a diverse array of Ukrainian targets. The malware in use is spread by phishing. The specific vector is the familiar one of malicious macros and attached documents. Once installed, the suite of attack tools takes control of infected devices' microphones and collects ambient audio. It also steals files and exfiltrates them to Dropbox.
Starting point is 00:07:18 The malware is relatively quiet and unobtrusive. Its purpose appears to be reconnaissance only. There's no evidence of any destructive functionality. Beyond saying that the responsible threat actor appears to have considerable field experience and a great deal of money, CyberX declines to offer any attribution and refuses the opportunity to jump to the obvious conclusion that the Russians did it. Their reticence is probably commendable because attribution is indeed a messy, uncertain business. The threat intelligence company TruSTAR called us today
Starting point is 00:07:51 to tell us about the results of their own adventures in attribution. They took a look at Grizzly Steppe, the report describing the Russian threat actors who made an uninvited and unwelcome appearance in the Democratic National Committee email servers last year. Those actors are generally believed to be Cozy Bear and Fancy Bear, a.k.a. the FSB and the GRU. But when TruSTAR ran it through their own analytics, they came up with some very significant overlap in infrastructure with the criminal gang Carbanak.
Starting point is 00:08:20 That's not to say, as TruSTAR CEO Paul Kurtz pointed out, that the Russian intelligence organs were uninvolved. There are many good grounds for agreeing with the consensus view that they were. But it does remind us, as Kurtz put it, that, quote, attribution is a muddled mess when these guys start using the same infrastructure, end quote. Cozy and Fancy are quite capable of using criminal gangs. Criminal gangs are quite capable of using code or infrastructure established by states. And there's also the possibility of moonlighting or even false flags. So when you're among the bears, don't be too soft or too hard. Be just right.
Starting point is 00:09:05 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Starting point is 00:09:36 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist.
Starting point is 00:10:01 Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:10:45 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
Starting point is 00:11:10 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Emily Wilson. She's the Director of Analysis at Terbium Labs. You know, Emily, we see a lot of these tools, these exploits.
Starting point is 00:12:07 They go through sort of an experimental phase, but then they become kind of a normalized, I don't want to say part of doing business, but they become part of the toolkit. They do. And, you know, I think, you know, one of the things that we've seen over time is the way in which kind of I'm going to hack into something and kind of leak the data or do something nefarious has kind of gone from being a tool of vandalism to kind of opportunistic or even targeted fraud and kind of financial gain to, you know, now we're seeing these same things play out kind of at a state level or kind of an international level, right? We're moving from surprise that it's happened at all to surprise at who was targeted next or surprise in how it's manifesting. And so we've accepted that this is part of the toolbox,
Starting point is 00:12:51 that if you want to sell these kinds of exploits, if you want to expose the personal information of a government agency or an intelligence agency or some sort of international body, we are no longer thinking of that as something that's outlandish or surprising. We're just surprised at who it is or surprised that it's happened to, you know, this person next. So even from an enterprise point of view, no longer are people saying, why would anyone be interested in my CEO? Right. I think that's true. And I think, you know, this idea that some attacks are opportunistic. You know, sometimes you are the low-hanging fruit. Sometimes you are the house in the neighborhood who left your door unlocked.
Starting point is 00:13:38 And sometimes it's targeted. Sometimes it's strategic. And you're always going to fall somewhere in that range of opportunistic targets. But I think that people take for granted where they fall in the range of strategic targets as well, right? And this is governments, but it's also enterprise businesses or even medium to small size businesses, right? If you have customers or if you have sensitive or proprietary information, you will be a target at some point. I might not be the big target, but I may do business with someone who is a big target. And so I may be the conduit into that big target. That's true. Or you may use the same vendor or the same third-party service that everyone else in your industry uses, and they're a target. Your exposure isn't limited just to your own systems. That's definitely an issue. But there are all of these other ways in
Starting point is 00:14:23 or other places your information is being exposed or is vulnerable, and you have to think beyond yourself, right? There's this popular notion, and you hear particularly when people are marketing their services, that it's not a matter of if, it's a matter of when. And some people say, oh, that's just marketing, and they roll their eyes. But other people say, no, it's actually not a matter of if, it's a matter of when. We're at the stage now where there are so many reasons why people may be interested in the data you have that you can't assume that you're an uninteresting target. That's true. That's absolutely true. And even if you have best practices, if you are early adopter of every great new thing, at some point,
Starting point is 00:15:06 the defenses won't be enough, right? Not to break out another analogy here, but you think about the fact that your house is, you know, secure against, you know, against kind of a rainstorm, if you will, right? But every so often, there's going to be a hurricane. And maybe it won't be a hurricane for you. Maybe where you live, it's a tornado. Maybe where you live, it's an earthquake, right? Maybe someone isn't going to leak your client list, but maybe there's a certain type of malware that's going to just make its way through your industry, right? One of the things we saw that was really interesting at the end of 2016, actually, is there's an actor called the Dark Overlord who had previously been primarily working in healthcare and basically said,
Starting point is 00:15:48 I'm bored. I'm switching to government contractors. They have good sensitive information. And things like that happen, right? You may not think you are a target because you're not the thing that's popular right now or you're not the large enough company that you think you're going to be targeted. But somebody somewhere at some point probably will make an effort. All right. Emily Wilson, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform Thank you. been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:16:46 Learn more at blackcloak.io. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:17:39 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
