CyberWire Daily - Ransomware and cryptojacking are all the rage. Iran seeks IP, North Korea seeks a quick buck. More on EU content moderation. Alleged Russian hacking of WADA, Spiez Laboratory. Propaganda overreach?

Episode Date: September 17, 2018

In today's podcast, we hear about the ransomware that's clogged systems at a UK airport. New variants of ransomware are out and about in the wild. EternalBlue continues to be used to install cryptojackers in vulnerable systems—the campaign is being called WannaMine. EU considers short deadlines and sharp penalties for failure to remove "extremist content" from the Internet. Russia suspected in WADA and Spiez Lab hacking. Did Moscow overreach with its latest Novichok disinformation effort? Malek Ben Salem from Accenture on encryption techniques that make use of DNA. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_17.html Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners: today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ransomware clogs systems at a UK airport. New variants of ransomware are out and about in the wild. EternalBlue continues to be used to install cryptojackers in vulnerable systems. The campaign is being called WannaMine.
Starting point is 00:02:12 The EU considers short deadlines and sharp penalties for failure to remove extremist content from the internet. Russia is suspected in WADA and Spiez Lab hacking. And did Moscow overreach with its latest Novichok disinformation effort? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 17th, 2018. A ransomware attack took departure board screens offline for two days at Bristol Airport in the UK. Airport authorities are hedging it, calling it an attack similar to ransomware. The screens were disabled as part of a general response to detection of the attack.
Starting point is 00:02:58 The airport believes the attack was speculative rather than specifically targeted. Thus, the airport believes it was simply a target of opportunity caught up as the attackers swept for systems they could reach. The affected systems appear to have been business systems. As the airport recovered, flight information was manually written on whiteboards placed around the terminal. The airport is being cautious, which is why they were quick to disconnect where they could and why remediation has been deliberate. Work is returning to normal now. The incident began to affect operations Friday. A number of evolved ransomware strains are circulating in the wild.
Starting point is 00:03:38 A new variant of Dharma is out, for one. It's being called Dharma Brrr, not because it's particularly chilly or chilling, but because it appends a .brrr extension to the files it encrypts. According to reports in Bleeping Computer, Dharma Brrr is manually installed by hacking into remote desktop services that are directly connected to the internet. The hackers scan for systems running remote desktop protocol, typically on TCP port 3389, and once they've found such systems, brute force the password and have at it. Dharma Brrr encrypts mapped network devices,
Starting point is 00:04:18 unmapped network shares, and shared virtual machine host drives. It's therefore a good idea to check permissions and restrict access to network shares to users who actually need it. It's also a good idea to put computers running remote desktop services behind VPNs. There's a related development in the criminal underworld. Flashpoint reported today that they're seeing a brisk trade in remote desktop protocol access being done in dark web markets. The markets are mostly Russian-speaking, with various Russian cyber gangs doing much of the buying and the selling. And elsewhere, Ryuk ransomware is not only encrypting files but disabling endpoint protection on infected devices.
Starting point is 00:05:08 The ransomware strain, which has been in active use since the middle of last month, is said by SentinelOne in a Security Boulevard piece to show signs of linkage to North Korea's Lazarus Group and some evidence of descent from the Hermes ransomware. It had pulled in more than $640,000 by this past weekend. The attackers take a high-minded approach in their ransom note. It goes something like this, quote, Your business is at serious risk. There is a significant hole in the security system of your company.
Starting point is 00:05:34 We've easily penetrated your network. You should thank the Lord for being hacked by serious people, not some stupid schoolboys or dangerous punks. End quote. That last line may seem like a non-sequitur, but what the attackers appear to mean is that they're not vandals, like the schoolboys and punks, but rather conscientious criminals who will take care of your data
Starting point is 00:05:57 and deliver it back to you whole if you cough up the ransom. Researchers at security company Kaspersky Lab are following SynAck ransomware, not to be confused with the legitimate security company with a similar name. SynAck evades detection with process doppelganging. And to round out the ransomware roundup, MalwareHunterTeam reports
Starting point is 00:06:21 that Kraken Cryptor is out in a new form. It masquerades as the legitimate security tool SUPERAntiSpyware. The best advice against all these forms of ransomware is familiar: regular secure backup, and since most of these malicious payloads are delivered by some form of phishing, suspicion of emailed links and attachments, as well as a little bit of close reading of proffered file names, can also help keep users a bit safer. Several universities in the UK, Cambridge and Oxford among them, sustained cyber espionage incidents in which sensitive technical material
Starting point is 00:07:05 was taken on behalf of Iran. This is another in a long series of attempts at IP theft by Iran as the country labors under partially reimposed international sanctions levied in response to its nuclear research and development programs. North Korea is turning in a different
Starting point is 00:07:24 direction as it too seeks to evade economic sanctions. In this case, the efforts are directed at shorter-term cash flow. Pyongyang has worked up false identities that use online services to provide commodity-level IT services. They're using, according to reports in the Wall Street Journal, such familiar channels as Upwork, Freelancer, GitHub, Slack, LinkedIn, PayPal, and Facebook to facilitate sale of services and products, including mobile games, apps, bots, and other things. Much of the North Korean activity is based in the Chinese city of Shenyang, and they've succeeded in selling to Western outfits interested in saving money by buying code services from East Asia. The customers don't know the people they're dealing with are from the DPRK,
Starting point is 00:08:11 and the Wall Street Journal notes, the North Korean operations have become notorious for stiffing their subcontractors. So, buyer beware. The EternalBlue exploits, widely believed to have been stolen from the US NSA, continue to turn up in infestations around the world. A great many of the infections involve cryptojacking. Security firm Cybereason has been tracking the ransomware version that's being called WannaMine.
Starting point is 00:08:39 It propagates rapidly across vulnerable networks, thereby yielding a higher return than the customary pittance more conventional cryptocurrency miners now return to their controllers. The scale makes the difference, and a lot of servers remain vulnerable to exploitation through EternalBlue. A Shodan search suggests that EternalBlue can still have its way on almost a million servers worldwide. This is a vulnerability that can be and should be patched. The fix is available; it's just a matter of applying it. The EU advances consideration of its next major internet regulation. Hosts will, if the measure passes, have one hour to remove extremist content from their services. The clock begins when authorities notify providers.
Starting point is 00:09:26 Fines would be in the GDPR range. Prosecutors in Switzerland are investigating a possible attempt to hack not only the World Anti-Doping Agency, but also the Spiez Laboratory, which has done work for the Organization for the Prohibition of Chemical Weapons, an international body that's looking into the Salisbury Novichok attacks. On Friday, the Swiss government summoned the Russian ambassador and requested an explanation. The Washington Post reports that Russian
Starting point is 00:09:56 disinformation over the Novichok attack seems to be backfiring. While ridicule and dismissive irony seem to have some initial small effect on public opinion, putting the two GRU hoods on TV really hasn't worked out right. We should say, for the sake of propriety, alleged GRU hoods, since Russia claims they're just a couple of regular tourists who wanted to take a quick holiday in Salisbury. One comment the Post quotes, from the comments on the Russian-language version of the interviews on RT's YouTube channel, is evocative. Quote, until today I perceived this Skripal story as Britain's provocation, wrote the viewer. Once I saw these two idiots, my view has been shaken. Shaken indeed. Thank you. ...with purpose and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time
Starting point is 00:11:22 visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:12:07 That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:12:49 In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Malek Ben Salem. She's a senior R&D manager for security at Accenture Labs. She's also a New America cybersecurity fellow. Malek, welcome back. We wanted to talk today about encryption, but specifically about encryption using DNA.
Starting point is 00:13:20 What can you share with us? Yeah, so as you know, Dave, we're dealing with increasing volumes of digital data. It's growing at unprecedented rates, and storage is taking a lot of space. The classical method of using tape to store that data can no longer keep up with the amounts of data that we are producing every year. In fact, global data is expected to reach the size of 45 zettabytes by 2020. If the audience is wondering what a zettabyte is, that's 10 to the power of 21 bytes. So we need to come up with new paradigms for data storage, for data retrieval, and for data processing.
Starting point is 00:14:02 And one of those possible solutions, perhaps the most promising as of today, is DNA. And that's for several reasons. Number one is the density of DNA storage. As a matter of comparison, if we use tape to store data, eight terabytes of data is equivalent to eight million books, which can be stored in 57 miles of bookshelves. In comparison to that, if you store data in DNA, you're able to store 2.2 petabytes in one gram of DNA. And that's the equivalent of 200 times the printed material in the Library of Congress. So already you can see that the classical methods cannot compare with DNA-based storage. And so what gives DNA that data density? Is it because it's non-binary? What's the trick there? It's non-binary. Obviously, that's one reason.
Starting point is 00:15:11 The other reason is the way it folds. So it takes less space. So there are inherent properties in the way it can encrypt data. Remember, there are four types of DNA components. So that provides more capability to encrypt more information. But also the way it folds in space also provides additional capability to reduce the amount of space it uses. Now, is this something that's practical for use today, or are we still talking about something that's in the lab? So it's certainly still in the lab. It's practical for storing data. It's not as practical for retrieving data and processing it, because it takes more time to basically decrypt the data or turn it back from DNA format into our known digital format.
Starting point is 00:16:08 So that's less practical. But taking data from binary format, the way we store it in bits today, and turning it into DNA, that's very practical today, which basically limits the use cases for the use of DNA for encrypting data. But it's certainly very useful for archiving data. And one of the things we're looking into at Accenture, in our labs, is what the best use cases for DNA-based encryption are. And one of those is obviously data archiving. But also, you know, if you think about tracing certain components, and in particular, I'm thinking about chips that are manufactured and that take so many steps to come to the final format. And we know that we have issues with counterfeit hardware,
Starting point is 00:17:08 with counterfeit chips that perhaps carry Trojans in them. It's been hard to detect those types of counterfeit chips. So if we can use DNA to trace basically all the steps that a wafer or a chip goes through as they get manufactured and store that data into a piece of DNA that gets attached to the chip, then that could provide a way of verifying the origin of that chip and all the information of the manufacturing process for that chip. And it's attached to it, so it goes with it regardless of where it goes. So that could be another use case for the use of storing data into DNA. Now, how about resilience? Does it hold up in storage?
Starting point is 00:17:59 Is it sensitive to temperature or magnetic fields, all those sorts of things? Yeah, that's another great property of DNA, namely its lifetime. We know that tape- and disk-based data storage degrades over time and can become obsolete, requiring rewriting every so often. We know, for instance, that cloud infrastructure requires or uses a lot of energy because of the amount of electricity that's required to prevent the data from degrading. DNA, or readable DNA, was extracted from the remains of a horse that's about 600,000 years old. So it basically survives for a very, very long time without requiring the amount of energy that's required for storing data into a binary format. All right. Well, it's certainly interesting research.
Starting point is 00:19:01 Malek Ben Salem, as always, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:19:42 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:20:26 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. ...but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:21:17 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
