CyberWire Daily - Ransom DDoS is now a widespread problem. Phishing campaign stages malicious payloads in legitimate file-sharing services. Back to school? Back with a new cyber risk.
Episode Date: September 4, 2020
Ransom DDoS: it's been around for a while, but now it's become a much bigger thing. Phishing campaigns are putting malicious payloads into legitimate file-sharing services. Malek Ben Salem from Accenture on proactive "alpha innovator" organizations. Our guest is Joseph Marks from The Washington Post on his recent coverage of election security. And it's time to go back to school, at least virtually, with all the attendant cyber risk. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/173
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Ransom DDoS.
It's been around for a while, but now it's become a much bigger thing.
Phishing campaigns are putting malicious payloads into legitimate file-sharing services.
Malek Ben Salem from Accenture on proactive alpha innovator organizations.
Our guest is Joseph Marks from the Washington Post on his recent coverage of election security.
And it's time to go back to school, at least virtually,
with all the attendant cyber risk.
From the Cyber Wire studios at DataTribe,
I'm Elliott Peltzman, filling in for Dave Bittner,
with your Cyber Wire summary for Friday, September 4th, 2020.
Bleeping Computer says that the U.S. FBI has issued an alert concerning what's being called
RDDoS, Ransom Distributed Denial of Service. That is, it's a form of criminal extortion that threatens not doxing, not encryption,
and not data destruction, but simply making victims' networks unavailable.
This kind of extortion is particularly serious to organizations that depend upon very high,
reliable availability to conduct their business.
RDDoS has now become a widespread problem, and the U.S.
isn't the country that's been primarily affected. New Zealand's NZX stock exchange is still
continuing its week-long struggle to disentangle its systems from the distributed denial-of-service
attacks that have plagued it. Authorities in New Zealand haven't yet been able to identify who's
responsible, beyond concluding that the attacks originate offshore, but the goal seems likely to be criminal extortion.
A similar problem has surfaced in Europe, where a number of internet service providers have seen their DNS infrastructure under attack.
ZDNet reports that ISPs in Belgium, France, and the Netherlands were all targeted with DNS amplification and LDAP-type DDoS attacks that took their services down.
Some attacks lasted more than four hours and achieved volumes of 300 gigabits per second. The targets included Belgium's EDPnet, France's Bouygues Telecom, FDN, K-net, SFR, and the Netherlands' Caiway,
Delta, FreedomNet, Online.nl, Signet, and Tweak.nl. ZDNet points out, while disclaiming any proof of
a connection, that the DDoS attacks began after an earlier wave of similar attacks against European financial services targets subsided.
The Netherlands cybersecurity authorities confirmed that the attacks against Dutch ISPs
at least were part of an extortion campaign that seemed likely to be true in the case of the other incidents as well.
The attackers demanded a large but publicly unspecified sum in Bitcoin to call off the dogs, or rather, the bots.
The attacks represent a trend in criminal extortion.
To return to the FBI's warning, whatever criminal group is behind the attacks,
and it does seem to be a straightforward criminal effort, not the work of state operators,
is taking advantage of the notoriety of well-known threat actors by posing as Fancy Bear,
Cozy Bear, the Lazarus Group, or the Armada Collective. Radware and Akamai have also warned
of this trend, with Radware saying that they've seen it used against victims in North America,
Europe, Asia and the Pacific, the Middle East, and Africa. The ransom demanded seems to range from 10 Bitcoin, which comes out to about 113,000
USD at current rates, and 20 BTC, or roughly 226,000 USD. Akamai offers a couple of samples
of the ransom notes they've seen used since this past November, when the trend was in an earlier, more aspirational stage.
Like this one. Quote, if you report this to the media and try and get some free publicity by using
our name instead of pain, attack will start permanently and will last for a long time.
End quote. The hoods signed this one, Armada Collective. The Armada Collective is a criminal organization that's
long engaged in denial-of-service attacks. Akamai described them at length as far back as 2015,
so they might fairly be regarded as early adopters of the RDDoS tactic.
Or consider this example. Quote, your websites and other connected services will be unavailable for
everyone. Please also note that this will severely damage your reputation among your customers.
We will completely destroy your reputation and make sure your services will remain offline
until you pay, end quote. Signed, Fancy Bear. But no, the bears have better writers unless they're
deliberately sandbagging, and
these extortion attempts seem to be the work of criminal opportunists looking for the added FUD
names like Fancy Bear bring with them. The FBI has four recommendations to make. First,
don't pay the ransom. It only encourages the crooks, funds their next operation, and stokes a bandit economy.
Second, report attacks of this kind to your local FBI field office or their counterparts in other civilized countries. Third, use DDoS mitigation services that could identify and block
such attacks. And finally, work with your ISP to monitor network traffic and block it when the signs of DDoS present themselves.
Researchers at Cisco's Talos unit describe a series of phishing campaigns that use legitimate file-sharing services to store the malicious documents they linked in their emails.
The malware payloads include, among others, Gozi ISFB, Zloader, Smokeloader, and Ave Maria.
So it's back to school, right?
We assume all of you have a clean pair of sneakers and a nice new pencil box.
All of us do.
But of course, this isn't an ordinary school year, as schools pretty much everywhere figure out how to operate during a pandemic.
Much of the adjustment has involved moving to distance learning, with all the inevitable attendant vulnerability that produces. Some of that vulnerability has been exploited through
DDoS, although the motive for this has generally been truancy as opposed to extortion. Such has
apparently been the case in the DDoS attack on the Miami-Dade
school district this week, as a 16-year-old high school junior admitted, when arrested,
that he'd done it. It's not solely a US problem either. The UK's Department for Education has
told schools to be on the qui vive for cyberattacks in the young academic year.
And it's also not solely a school problem.
The student who learns from home exposes the home to whatever badness is going on in the school's
networks. KNX News Radio in Los Angeles points out breathlessly that, quote, hackers attacking
school districts could end up in your living room via remote learning." OK, we know, we know.
So get it out of your system and crack wise
that you're good to go, because you never use electronics
in the living room, that all of your devices
are reserved for the rec room, the nursery, the man cave,
the she shed, the downstairs toilet, et cetera.
It's a metaphor.
Living room equals home.
And KNX is right.
Threats can propagate into your home network.
So look to your home security.
What goes on in school doesn't stay in school.
We'll hear now from Dave's conversation with Joseph Marks from The Washington Post
on his recent coverage of election security.
You know, we spent a couple of years after 2016 preparing for one kind of threat,
which was Russian interference or interference from other nations in the 2020 election.
And then, you know, obviously, as of March, we've been dealing with this whole different kind of threat, which is how do you run an election during a pandemic and try to both
keep people safe and get the votes in and counted in a secure and reliable fashion.
And while we're dealing with that second, that the first one hasn't gone away.
So there's been a lot of movement in a lot of states on both of those things, but there are also a bunch of concerns
in a number of cases on both levels. In terms of how we're going to vote, probably about two-thirds
to three-quarters of the states now have really made a significant transition to allowing voting
by mail in a much broader sense
and preparing for in a broader sense even if it was basically allowed for everyone before
whether they have the capacity to process all of that stuff in an expedient way is still a little
bit unclear in terms of being secure against interference by foreign nations were a lot better on the technical side.
You know, going into 2016, probably about 30 percent, maybe a little bit more of all voting
machines in the country didn't have a paper trail so that if someone monkeyed with it,
you'd really have nothing to audit and no evidence of what went wrong. That's down now to
probably about 8%. And as Chris Krebs, the director of the Homeland Security Department
Cybersecurity Division said last week, if there's one tiny little bright line in all this pandemic,
it's that because a lot of places have shifted to mail voting. Well, mail is a paper trail. It might be a little more
complicated for states that aren't used to it, but there's a paper trail there. So in places like
New Jersey and a few other districts elsewhere in the country that didn't really make the transition
to paper trail voting machines they should have after 2016, things will be a little bit better
than they might otherwise be in terms of having an auditable record so that we know definitely who won and can tally up the results.
What about the whole notion of uncertainty itself? We're seeing these stories, some accusations that
perhaps the administration is making use of the Postal Service to potentially slow things down.
What's your insights on that in terms of the actual seriousness of those types of accusations?
The danger of uncertainty is probably one of the most dangerous things we face. Now,
certainly there has been, there is a new Trump appointee at the Postal Service. It is documented.
The one thing they're trying to do in order to get mail going and transiting effectively with limited resources is to slow delivery of some things that could affect ballots in some cases. Mail is actually going slower. The post office has done some decent work at contacting particular
states and saying, hey, your deadlines for ballots to come in don't match with what we're capable of
doing. We need to work that out somehow. Now, that's good or that's bad. I mean, a lot of states
are of the opinion that mail voting ought to be like voting in person. You ought to be able to
cast your ballot anytime on election day or before,
and it ought to be counted as long as it's postmarked. If the Postal Service is saying,
okay, do that, but we can't get those votes in until six, seven, eight days later, that's going
to be a real problem in terms of what those states consider to be the franchise. But this
broader issue of uncertainty, you know, that's really what Russia was after in 2016. And as far as we know, it's what they're after this time as well. You know, you don't have to actually change any votes in order for a lot of Americans to feel as if they as if they don't trust the results of the election.
Since 2016, the thing that we've done the least well at is trying to effectively combat disinformation.
There have been some decent efforts at shutting down large Russian and Chinese and Iranian networks on social media.
But in terms of educating the American public, getting them to take this stuff with a grain of salt,
and creating the kind of unified nation where it, sort of like we had in 2000 after the Supreme Court stopped the recount in Florida, where, you know, Democrats didn't go to the hills with their guns
and try to get Al Gore in office, you know, some sort of broad American understanding that we
accept the results of the election, even if our guy didn't win. You know, we're not doing great
on that as a nation right now. And that's probably the most dangerous thing we face.
Yeah, I mean, that's really an interesting insight. And I suppose sort of chilling in a way
that it's hard to imagine that we're at this place where there are people having serious
conversations about, you know, what if the sitting president,
through his own channels, through his own megaphone, you know, says that we're not going
to accept the results of this election. I mean, that would be unprecedented. And yet, we have
folks having serious conversations about those possibilities. And a lot of things have become
unprecedented in the last four years and
arguably longer. But, you know, the real concern is, you know, we've sort of reached a place as
a nation that that stuff is effective. You know, it's you could do we've arguably made a huge
amount of progress in terms of securing the actual ballot since 2016. That's great. You know, for those of us who, you know, are born by the
facts, you know, I feel a lot more comfortable about my vote being counted in 2020 than I,
in retrospect, would in 2016. But if the public doesn't buy it, then that's the ballgame.
That's Joseph Marks from The Washington Post. If you'd like to hear an
extended version of this interview, head on over to thecyberwire.com and check out Cyber Wire Pro.
And joining me once again is Malek Ben Salem.
She is the America's security R&D lead at Accenture Labs.
Malek, it's always great to have you back.
You and I recently spoke about Accenture's security vision paper that you all put out,
and we wanted to dig into some more of the details this time.
What sort of things do you have to share with us today?
Yeah, so our security vision this year focused on adopting new or emerging technologies and adopting them securely. So how can organizations innovate at speed and scale with implicit security?
And we performed a survey.
We surveyed about 500 companies across the world.
You know, these are big companies that have revenues of $5 billion or more and who are already adopting emerging technologies such as AI, XR, 5G and quantum computing. doing or how are the successful companies or what are the successful companies doing when it comes
to adopting these technologies securely and how are the followers doing. So we wanted to identify
the behaviors that organizations can emulate in order to innovate at speed and at scale with
implicit security.
So we've identified a number of companies that we call the alpha innovators.
These are the companies that are investing in three or more of these emerging technologies.
And again, the technologies are AI, XR, 5G, and quantum.
And we looked at what they're doing well,
and we compared them with what we call the followers who are investing in just one or two of these technologies.
So one of the behaviors we've identified
is this collaboration between security executives from day one
with the business leads or other executives.
And so when we did this survey,
we wanted to understand also
how CISOs viewed this collaboration
versus how the other executives
viewed this collaboration.
So we wanted to look at this from both perspectives.
What did you discover?
So we found basically, or we've identified five power plays, if you will, that these
alpha innovators are doing right.
Number one is this multi-pronged strategy where they're investing at scale across a number of emerging technologies, so three or more,
but they're investing at scale. So they're investing at least $500 million in these emerging technologies.
That was true for more than 50% of the alpha innovators.
The followers invested less.
Only 29% of them invested $500 million or more.
The second power play, if you will,
is this risk mindset that allows these alpha innovators to fully assess security risks early in the adoption cycle. You know, we've talked in our previous
discussion that generally, you know, a lot of these executives are not aware of the risks associated with these technologies and that they
tend to be more aware of the risks associated with
technologies where they're further along in their
adoption journey. But when we dig deeper and we
look at this awareness
comparing alpha innovators versus the follower group,
we can definitely see that the alpha innovators are much more aware of the security risks
associated with these technologies. For AI, which is further along the adoption journey for both groups, the numbers are
very similar: 76 percent in the alpha innovator group are aware of the security risks associated
with AI. But when it comes to the other technologies, there is a big discrepancy between these numbers.
So we see for 5G, 69% are aware among the alpha innovator
group versus only 56% within the follower group. For quantum, it's 75% versus 53%. So again, it seems that this first group,
these alpha innovators,
are adopting this risk mindset,
have a better awareness of the security risks
of these emerging technologies,
wherever they are in the adoption cycle.
Do you suppose, I mean, is this as straightforward
as that some organizations are more proactive versus
being reactive? Exactly. I think those
are the kinds of insights that we wanted to
analyze and explore and understand.
What are these behaviors that are making these bigger companies
or these alpha innovators, sorry, not necessarily bigger companies, be able to adopt
many technologies at the same time and do so, you know, at scale and with security in mind. What are those behaviors? And
being proactive is definitely one of them.
And that's The Cyber Wire.
A happy Labor Day to everyone, and especially to those of you in the U.S. who, like us, will take Monday off.
We'll be back as usual on Tuesday.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
Don't forget to check out Research Saturday here in this same feed tomorrow.
Dave sat down with Chet Wisniewski and Dan Schiappa from Sophos
on ransomware package TK,
and the five science organizations are about to be attacked by ransomware.
That's Research Saturday. Don't miss it.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technology.
Our amazing CyberWire team is Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Elliott Peltzman, filling in for Dave Bittner.
Thanks for listening.