CyberWire Daily - Ransomware attacks in Mexico and Germany. Wipers in criminal service. Supervising Siri and Alexa. Mass shooters find inspiration and online expression.
Episode Date: August 5, 2019
A Mexican publisher is hit with an extortion demand. Ransomware increasingly carries a destructive, wiper component: Germany is dealing with a virulent strain right now. Apple and Amazon, after the bad optics of reports that they're farming out Siri and Alexa recordings to human contractors for quality control, are both modifying their approaches to training the assistants. And investigators sort through mass shooters' digital trails. Joe Carrigan from JHU ISI on the VxWorks operating system vulnerabilities. Guest is Eli Sugarman from the Hewlett Foundation on their efforts to reimagine cybersecurity visuals.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A Mexican publisher is hit with an extortion demand.
Ransomware increasingly carries a destructive wiper component.
Apple and Amazon, after the bad optics of reports that they're farming out Siri and Alexa recordings to human contractors for quality control,
are both modifying their approaches to training the assistants.
And investigators sort through mass shooters' digital trails.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 5th, 2019.
Comparitech reports that a bookseller and publisher in Mexico, Librería Porrúa, left a MongoDB instance publicly accessible. The bookseller was warned by researchers on July
15th that its database was accessible, but apparently did not take action to secure it in
time. Criminals claim to have copied the data, then wiped them. They've demanded 500 Bitcoin,
almost $6 million, to restore the data. It's unknown whether the company has attempted to
pay the ransom, let alone whether even if they did pay, their files would be recoverable.
The affected database contains 2.1 million customer records.
Customers would do well to be on the lookout for spear phishing attempts.
Another destructive attack, GermanWiper, is destroying files in victim systems
and then demanding ransom for their restoration, Computing reports.
In this case, in contrast, restoration seems impossible.
Bleeping Computer describes the attack.
The infection vector is a phishing email, and the phish bait is a polite inquiry about
a job opening from someone called Lena Kretschmer.
Frau Kretschmer is clearly a catfish and no genuine job seeker,
but at least the emails are formally courteous.
Once a system is infected, the ransom note tells the victim that their data have been encrypted,
but in fact they're gone, overwritten.
Germany's federal CERT advises people not to pay. It's futile, and you'll just be out the roughly $1,700 in Bitcoin the hoods are asking for.
If this is the criminal hit it seems to be,
the hoods must be in it for one or two quick payouts
before everyone is wise to their game and stops sending Bitcoin.
The mode of propagation isn't the same,
but there's at least this similarity to NotPetya.
That, too, was pseudo-ransomware.
Like GermanWiper, it had a relatively low ransom demand, and you weren't getting your files back from it either.
There was an earlier case of destructive pseudo-ransomware deployed against German targets.
In 2017, HSDFSDCrypt, also called Ordinypt, destroyed files in what was nominally, at least, a ransomware attack.
Destructive attacks seem to be trending.
In the past, they had tended to be the work of states,
NotPetya being Exhibit A, but this seems to be changing.
Over the past six months, IBM's X-Force has seen a 200% rise
in criminal ransomware attacks that have a wiper component.
Wipers have been integrated into such familiar ransomware strains
as LockerGoga and MegaCortex. The criminals seem to have adopted this approach as a way of ratcheting up
the pressure on their victims, increasing the consequences of holding out and making them more
likely to pay. After all, if it's conventional ransomware, someone might come up with a decryptor.
But if the files are gone, they're just gone.
You can't decrypt destruction.
There are several effective defensive measures an enterprise can take.
IBM lists seven.
First, test your response plan under pressure.
Use threat intelligence to understand the threat to your organization.
Engage in effective defense in depth.
Implement multi-factor authentication throughout the environment,
have backups, test backups, and offline backups,
consider an action plan for a quick temporary business functionality,
and create a baseline for internal network activity and monitor for changes that could indicate lateral movement.
Let's do a quick little experiment together.
If I ask you to imagine an image in your mind of something related to cybersecurity, what's the first thing you see?
Let's extend the experiment and imagine doing an online image search for the term cybersecurity.
What do you expect you'd find?
It's the same old images over and over again, to the point of most of them being clichés.
Eli Sugarman is the Cyber Initiative Program Officer at the Hewlett Foundation,
and they've decided to take this image issue head on.
So we took this on because we were about to publish a report on cybersecurity grant making,
on all of the work that our grantees and we had been doing,
and we realized that we didn't have a good image to put
on the cover of it that really captured the complexity and importance of these issues.
And so we searched, we did a Google image search, we looked around and realized that
everybody else was having the same problems. You look at think tank reports or websites or even
newspaper articles, and you get the same things. You get men in hoodies over keyboards,
you get Matrix-style ones and zeros, locks and swords and shields, and it doesn't actually tell you anything.
And so we said, aha, there is a problem here.
It seems to me that we almost have a bit of a
feedback loop here, where we have a limited number of images that we use. So we use those images,
and people see that, and they decide those are the images we should use.
I think that's exactly right. And I think that if you do a Google image search,
you see clear clusters where everybody said, oh, you know what, I'm just going to tweak that image
of a lock to make it a little bit cooler. Or maybe it'll shoot lasers because to your point,
they're no pun intended, locked into a certain way of depicting this visually.
And you see companies using those images too, because they haven't invested in new creative
ways to show why you would want to buy something related to cybersecurity or why it matters to an individual consumer. So I
think you're right. I think that the really sad state of imagery just feeds off itself.
And so how are you coming at this?
We're coming at it from a creative perspective, if you will. That is that we know that we actually
don't know how to come up with a better image. If you were to ask me, what is the better image? I can give you general attributes, but if I knew what it was, I would
draw it myself, but I'm not an artist. So what we've done is we've partnered with a really top
tier creative firm, IDEO, which spun out of the Stanford Design School that really focuses on how
do you bring design thinking and a creative process to interesting challenges like this? And so
basically, we're working with them to launch a global contest saying, you know, we're going to
offer prize money. Here's some background information on the sad state of these visuals.
Here are some examples. You know, here's some examples of the kinds of things we think you
should try to do. Now give us your best ideas and we're going to have a formal contest and a jury
award prizes and really try to generate
some interest that way. And then what happens once you've selected a winner? Do those images
become available? Yeah, that's exactly right. The winner would, of course, receive the prize that he
or she is entitled to. And all of the submissions are licensed under Creative Commons, which means
they'll be made available to anybody who wants to use them to be credited to the artist, of course,
who should deserve credit for their work, but then can be used by think tanks, by universities,
by CyberWire itself to try to tell better stories and really explain these really important cyber
concepts. So the whole idea is to put out better quality visuals that people can then use.
Now, beyond the creation of the images themselves, are there any plans for any sort of promotional campaigns to
help get the word out there and influence people to try to move on and use some of these new images?
Right now, our campaign is starting to just raise awareness about this contest and the problem it's
trying to solve. I think once we see what we get out of it, because it's hard to predict how many
images will come out, how many will really be used and really galvanize the field. I think then we may come up with some ideas to then use them
and do secondary campaigns and pushes. What we're going to focus on is really making sure that
folks already doing public awareness, capacity building, education on cybersecurity know about
this contest, and then that we make sure that the images are shared
with them so that they can then put them into use in their important work, some of which we're
already funding. And so I think we'll wait and see whether another type of broad campaign is
indicated or whether just making that connection between this new resource and those who can make
use of it is strong. And so if someone wants to find out more information, what's the best way
to do that? We have a website. If you are interested in learning more about the contest and sign up for
updates and see the background reports and everything, there's a website to visit, which is
www.openideo.com slash sign up one word slash sign up again, hyphen Hewlett, H-E-W-L-E-T-T hyphen
cybersecurity one word. Another way to do it is to pay, just check the Hewlett Foundation website
where we'll be announcing this and sharing all the relevant links.
That's Eli Sugarman from the Hewlett Foundation.
Concerns over human-administered quality control checks of voice assistants
have driven changes at both Apple and Amazon.
As the Times of London reports,
following up on stories broken earlier by The Guardian,
Apple had been sending Siri recordings to contractors for review.
Siri was found to be pretty indiscriminate in what it recorded, too.
Amazon had been sending audio clips of people talking within earshot of their home Alexa devices to contractors in Poland for analysis.
The intent wasn't to spy on people in their homes.
Amazon was clearly interested in improving the quality of Alexa's responses, but it amounted, in effect, to unwelcome eavesdropping.
Apple is changing the way it trains Siri, ThreatPost reports,
and TechCrunch describes how Amazon is making similar changes with Alexa.
Apple told TechCrunch it was suspending grading Siri's responses by having contractors review them.
Users will in the near future be given the choice of opting in or out of such grading.
Bloomberg reports that Amazon has also given users the option
of declining human review of their interactions with Alexa. Investigators are working through
the digital exhaust of the El Paso and Dayton shooters and are finding the sadly familiar
disinhibition and self-absorbed nihilism so often seen among those who've made the delusional ascent into a life lived online.
May the victims and survivors find such peace as they can receive.
Our thoughts are with them.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
also my co-host on the Hacking Humans podcast.
Joe, great to have you back.
Hi, Dave.
We had a story last week about some vulnerabilities that were discovered in a popular real-time operating system.
Yeah.
Bring us up to date here.
Armis Labs has found these vulnerabilities, and they call the operating system the most
popular operating system you've never heard of, right?
And it's an operating system called VxWorks, which is what's called a real-time operating system.
Right.
Meaning that they have time constraints on how fast the operating system can process the data that is given.
And this is used in what kinds of devices typically?
It is used in a lot of different devices, industrial control and SCADA systems, medical devices.
But the vulnerable part is also used in some SonicWall firewalls.
The vulnerabilities are in the TCP/IP stack, right, which is software that runs on devices
to make sure that they're connected to a network.
Okay.
And nothing else needs to be running on these devices in order for them to be vulnerable
because the vulnerabilities are in that part of the software.
Okay.
And these vulnerabilities are exploitable with broadcast packets. So if you can get a packet to one of these vulnerable devices, you can exploit the vulnerability.
Armis Labs hasn't released any exploits.
They're calling the vulnerabilities URGENT/11 because there are actually 11 urgent vulnerabilities in there.
Six of them can lead to remote code execution, and the other five can perform denial of service attacks,
essentially stopping something from working.
The issue here is going to be updating it.
So Armis has disclosed these vulnerabilities to Wind River, who makes VxWorks.
Right.
And SonicWall has already issued a patch for their firewalls,
and they're telling everybody to patch now.
The industrial control systems, they're all going to have to be patched. But the problem with these things is they're all
attached to working industrial systems that they're controlling. Yeah. I mean, that's the
thing with these. I mean, it's sort of when you're dealing with these real-time operating systems,
a lot of times they're in embedded devices. Right. These are specifically for embedded
devices, right? So they're not going to get updated. I mean, lots of them are going to be out there sitting somewhere deep inside of something.
Quietly running away, right?
You might not even know that it's there, right?
Right. Exactly. You might have a configuration management issue.
In order to update these devices, you're probably going to have to shut down a manufacturing line somewhere or a device.
Now, in some situations, you might be able to do that.
So it's not going to be as easy as patching all your Windows devices, right?
Yeah.
And that's where the long tail of this is going to be is what they're calling it.
But there is good news.
Armis has done a great thing.
They've released a series of Snort rules so that you can spot these things
and potentially stop them before they get to where they need to go.
Head them off at the pass.
Head them off at the pass.
So you can mitigate this.
Yeah.
And anybody that can mitigate it and needs to mitigate it absolutely should mitigate it.
And when it comes time to patch those devices or maintain those devices, do the patch.
Replace those devices.
I don't know that you need to replace them.
I think you just need to update them.
I'm just thinking, you know, there's a lot of these embedded devices.
They run until they stop running.
Right.
And then they get replaced.
Yeah.
You know, they're so deep in there.
They run for a decade or more.
Yeah.
And these things really don't break because they don't have moving parts.
You know, they're sitting there doing the computation and they're very good at it.
And the operating system is efficient.
The hardware is efficient.
Yeah.
And it just works.
It's the mixed blessing, I guess.
Yeah, it is.
It is.
When something like this pops up, it's difficult to address because these systems are so deep within the operations of organizations.
Absolutely.
Good perspective as always.
Joe Carrigan, thanks for joining us.
My pleasure, Dave.
Thank you.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliot Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Vaughn,
Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer
Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back
here tomorrow.