CyberWire Daily - Petya goes WannaCry one better. Westminster email hack. ISIS in Maryland and Ohio websites.
Episode Date: June 27, 2017
In today's podcast we hear that another ransomware pandemic has broken out—this one looks more sophisticated and dangerous than WannaCry. Ukraine is again the center, but it's moving out fast. Notes on the Parliament email hack in the UK. Accenture's Justin Harvey explains destructive malware. IBM's David Jarvis advocates an adoption of a "new collar" recruiting strategy. And ISIS isn't doing much cyber damage, but its hacktivist sympathizers are really tugging on Superman's cape.
Transcript
Another ransomware pandemic has broken out, and this one looks more sophisticated and dangerous than WannaCry. Ukraine is again the center, but it's moving out fast. Notes on the Parliament email hack in the UK, and ISIS isn't doing much cyber damage, but its hacktivist sympathizers are really tugging on Superman's cape.
I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, June 27, 2016.
If you're running unpatched or outdated software, you're at risk. That's not exactly news, but a new ransomware pandemic that broke out today like wildfire is. The campaign of uncertain origin, although the Ukrainians think they know who's behind it, is hitting targets in Europe and elsewhere today. Ukraine is particularly affected, again, with banks, including ATMs, many government offices, and electrical utility networks, including those engaged in monitoring radiation levels at the former power plant in Chernobyl, suffering heavily. The Russian oil firm Rosneft also reports being affected and has expressed its own suspicions by expressing the hope that the attack isn't connected to ongoing legal disputes with its domestic rival Sistema, a large firm controlled by billionaire oligarch Vladimir Petrovich Yevtushenkov. Moscow-based security company Group-IB believes the attacks on Ukraine and Rosneft were simultaneous and coordinated.

Other major infestations are reported by the Danish shipping concern A.P. Moller-Maersk, pharmaceutical company Merck, this one in its U.S. operations, Deutsche Post, in its operations in Ukraine, French manufacturing concern Saint-Gobain, and the British advertising agency WPP. More are sure to come. The ransom note's text has appeared in English, but Ukrainian authorities blame Russian hackers, especially since the attack coincides with tomorrow's observance in Ukraine of Constitution Day. On this interpretation, the attack's spread is due either to the inherently difficult-to-control nature of malware, deliberate misdirection, or willingness to take such targets of opportunity as present themselves.

Researchers at security firms, including Kaspersky and Flashpoint, think the ransomware is a variant of Petya, also known as PetrWrap. We heard from Vectra Networks' Chris Morales, who notes two things about this iteration of the attack. First, the attackers have apparently added a worm-like component to Petya that gives it a transport mechanism that facilitates its rapid spread to new targets. You will recall that WannaCry also spread as a worm. Second, Morales notes that this version is unusually destructive because it encrypts infected machines' boot records, not just their files. Morales said, quote, By the time you find one infected machine, you can assume dozens more have been infected. End quote.

In addition to worm-like propagation, there's another similarity to WannaCry. This variant of Petya is exploiting the EternalBlue vulnerability, CVE-2017-0145, an alleged NSA exploit leaked by the Shadow Brokers. Petya is also said to be exploiting CVE-2017-0199, a code execution flaw in Microsoft Office and WordPad. Both, of course, are known flaws. Jake Kouns of the cyber company Risk Based Security observed that one would have hoped, unfortunately in vain, because this time around Petya's spreading very rapidly, that the recent experience of WannaCry would have served as a big wake-up call and inspired close attention to patching and mitigation.

Security researchers at AlienVault are tracking the infestation and response. They tell us that the ransom note and the attack code match Petya, and that their telemetry also confirms attacks spreading well outside Ukraine. AlienVault's Chris Doman says the sample he's looked at writes a message to the raw disk partition, clears the Windows event log using wevtutil, shuts down the machine, leverages PsExec to spread, and encrypts files matching a list of file extensions. AlienVault believes that by late morning today the attackers had received more than $3,000, so like WannaCry they're basically getting chicken feed, and that AlienVault hasn't seen confirmation that the attackers have actually restored the machines of those victims who've ponied up the ransom.

Interestingly, according to AlienVault, the samples one of the earlier Ukrainian victims shared deployed Loki malware and didn't subsequently install Petya, so there may be a couple of coincidental infections circulating simultaneously. The same happened with WannaCry. Jaff malware hit in an apparently unrelated campaign at about the same time. That Ukraine is at the center of this outbreak is of course curious, and it does suggest that the motive of the attackers may be other than the obvious one of criminal gain, but it's too early for attribution. We'll continue to follow this story as it develops.
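Two of the behaviours Doman lists, clearing Windows event logs with wevtutil and spreading with PsExec, are exactly what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from the podcast or from AlienVault; the log records are constructed, and the flagging thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records (host, command line), shaped like the
# command-line field of Sysmon Event ID 1 or Security Event 4688. Not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\notepad.exe notes.txt"),
    ("WS01", "wevtutil cl Setup"),
    ("WS01", "wevtutil cl System"),
    ("WS01", "wevtutil cl Security"),
    ("WS01", "wevtutil cl Application"),
    ("WS01", r"psexec.exe \\10.0.0.12 -accepteula -s -d cmd.exe"),
    ("ADMIN01", "wevtutil qe Security /c:5"),           # benign: querying, not clearing
    ("ADMIN01", r"PsExec.exe \\fileserver -s cmd.exe"),  # admin use, no log clearing
]

# wevtutil "cl" / "clear-log" with the log name captured; a path prefix and quotes are tolerated.
CLEAR_LOG = re.compile(r'^\s*"?(?:.*\\)?wevtutil(?:\.exe)?"?\s+(?:clear-log|cl)\s+(\S+)', re.I)
# PsExec-style invocation with the UNC target (\\host) captured.
PSEXEC = re.compile(r'(?:^|\\)psexec\w*(?:\.exe)?\s+\\\\(\S+)', re.I)


def classify(cmdline):
    """Return ("clear_log", logname), ("psexec", target) or None for one command line."""
    m = CLEAR_LOG.match(cmdline)
    if m:
        return ("clear_log", m.group(1))
    m = PSEXEC.search(cmdline)
    if m:
        return ("psexec", m.group(1))
    return None


def triage(events, clear_threshold=3):
    """Group indicators per host and return (flagged_hosts, per_host_detail).

    Assumed thresholds: flag a host that clears at least clear_threshold distinct
    logs (a single 'wevtutil cl' is routine admin work), or one on which log
    clearing and PsExec-style remote execution appear together.
    """
    per_host = defaultdict(lambda: {"cleared_logs": set(), "psexec_targets": set()})
    for host, cmdline in events:
        hit = classify(cmdline)
        if hit is None:
            continue
        kind, value = hit
        bucket = "cleared_logs" if kind == "clear_log" else "psexec_targets"
        per_host[host][bucket].add(value)
    flagged = []
    for host, ind in per_host.items():
        many_clears = len(ind["cleared_logs"]) >= clear_threshold
        combined = bool(ind["cleared_logs"]) and bool(ind["psexec_targets"])
        if many_clears or combined:
            flagged.append(host)
    return sorted(flagged), per_host
```

Running `triage(SAMPLE_EVENTS)` flags only WS01; the administrator's single PsExec session on ADMIN01 is left alone because it has no log clearing beside it.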
We regularly remind you that there's a shortage of qualified cybersecurity professionals to fill the ever-growing number of available positions. IBM is advocating a practical look at that problem with the notion that in addition to blue-collar jobs and white-collar jobs, there are what they refer to as new-collar jobs. David Jarvis is security and CIO lead at the IBM Institute for Business Value, and he explains.

What new-collar is, is it's kind of these emerging technical roles that require technical skill and aptitude, but maybe don't require a full four-year traditional bachelor's degree. I mean, obviously lots of jobs don't require that, but I think it's important that we kind of reopen the aperture on candidates. And so looking at cybersecurity, I think this is kind of a perfect blend of the concept. So we're really looking at new employee profiles, we're looking at new types of roles, and we're looking at developing new partnerships to help address this gap.

And so take me through some of the details of that. When you talk about new partnerships, what kinds of things are you talking about?

There are about 1,200, I think, community colleges in the U.S., roughly, you know, give or take a couple hundred. And I think about 300 to 400 of them have some sort of cybersecurity degree program or a certificate or classes or courses. And, you know, there are a lot of people that are coming out of these programs that are very, very qualified, that have the technical skills and aptitudes that are needed, but may be dissuaded by the job market because it says things like you need a four-year degree to even apply for a particular job. So I think as part of a new-collar approach, you know, looking at these cybersecurity programs at community colleges, you know, looking at maybe some federal, state, and government programs, looking at veterans programs, you know, trying to tap that source of talent as well, trying to cultivate these new and different relationships. Don't just recruit at the same 20 or 30 universities you've always recruited at. If we're really going to solve the cybersecurity skills crisis, I think we're going to have to think a little bit differently, expand our aperture, and build some new bridges.

I'm thinking about the folks in HR or recruiting who certainly are facing these challenges of trying to get qualified people. And I can imagine, you know, they're used to doing things a certain way. They're used to having checkboxes of how many years you went to college or what certifications you have. I could see there being some resistance, even from the point of them being able to measure these sorts of things.

Yeah, certainly, certainly. And I think what needs to be done there is, you know, having a stronger partnership, I think, between the security needs of the organization, between the security personnel, you know, no matter how many people are part of it, and the HR team having that conversation. And really thinking about, you know, not looking at maybe degrees and certifications and those kinds of checkboxes, but really sitting down and thinking more about skills and what skills are essential today for the security function and what's going to be important in the future, right? And get those down on paper, document them, you know, look at different careers and outline these clear career paths and skill progressions, as opposed to just a list of checkboxes.

That's David Jarvis from IBM.
Observers of last week's hack of Parliament's emails in the UK note poor password discipline and point out the cognitive dissonance implicit in Her Majesty's government's push for back doors when Westminster's email system was so easily pwned. The prime suspects continue to be the Russian security services. That attribution is of course tentative and circumstantial. The evidence being cited against that conclusion, evidence that weighs in favor of a criminal or a hacktivist, or even the proverbial teenager in the basement, is mostly the crude and obvious approach the attackers took. That, of course, is not dispositive. Cozy Bear was quiet, and, well, cozy, in the networks of the U.S. Democratic Party, but Cozy's sister Fancy Bear was loud, expansive, and noisy, not apparently giving a hoot who knew she was ransacking Mr. Podesta's correspondence. So subtle and insinuating ways aren't always the hallmarks of intelligence services.

ISIS defacements of government webpages in Ohio are joined by similar vandalism in Maryland's Howard County. That, we note, is right in the backyard of a local U.S. intelligence service. That intelligence service wasn't itself affected, but if you go after Howard County, you're really tugging on Superman's cape. We've said it before, and we'll say it again. Joint Task Force Ares, tally-ho, and good hunting.
And I'm pleased to be joined once again by Justin Harvey. He's the Global Incident Response Leader at Accenture. Justin, welcome back. We have seen reports about a new type of malware that's recently come along. I'm thinking of things like BrickerBot. These are the malware that are going out and actually causing harm to IoT devices. What's your take on this?

Well, I think this speaks to the greater danger of Internet of Things devices. They're catching on like wildfire. More and more vendors and companies are starting to Internetize, if that's a word, their devices in order to get some home automation or automation through mobile devices and computers. The issue here is that in an environment such as a person's home that is not very well equipped to deal with adversaries, meaning we all have our internet firewalls, some of which have a bit of intrusion detection or intrusion prevention system built in. We've all got AV. These IoT devices typically are running an embedded operating system. Many times it's some form of Raspberry Pi Linux or a cut-down version of Linux. But there's no real impetus for many of these vendors to spend the extra time and money to put in and harden these systems. I think that when they were first developed, maybe the companies were thinking, we have to get to market quick. We have to speed up our time to market and our development cycles. Security is always a secondary thought or the last thought that vendors have. And you couple that with a governance structure or laws that don't really put the level of responsibility back to vendors or even consumers. That's kind of where this has all led today. And we've seen stories where there's actually been people who are claiming to be gray hats or maybe even consider themselves white hats, where they're going out and looking for IoT devices that haven't yet been turned over to botnets. And they're sort of preemptively bricking them, and their point is that, well, if you're not going to protect this device, we're going to disable it so at least it'll be neutral, although broken, rather than being used for bad.

I think that that is a really bad idea. I think it's a bad idea for a couple of reasons. First is you're harming a device, or you're making an assumption that that particular device is not performing a critical function. You never know when your code could go haywire, when you're operating off of the wrong information and you are affecting a mission-critical device, perhaps in a hospital, perhaps in an airport. You never know. So without knowing that asset information, you're taking a risk. And the second point here is that it is a form of computer fraud, at least in the United States. So, you are breaking the law, even though you have great intentions. It's just, it falls into the same category, I guess, as offensive security operations. Well, they hacked me, so I'm going to hack them back. And it all comes back to, you never really know what or who is on the other end of the connection.

Right. Better safe than sorry. All right. Yeah. Justin Harvey, thanks for joining us.
And that's The CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.