CyberWire Daily - Ransomware, Bitcoin, underwriters, and the bandit economy. OTA provisioning could lead to subtle phishing. Alleged spammers indicted. ZAO flashes and flickers out, for now.

Episode Date: September 4, 2019

A look at the ongoing ransomware epidemic, with some speculation about its connection to the criminal economy. Over-the-air provisioning might open Android users to sophisticated phishing approaches. ...Alleged spammers are indicted in California. And, ZAO, we hardly knew ye. Jonathan Katz from UMD on the evolution of Rowhammer attacks. Tamika Smith speaks with Troy Gill from AppRiver about cities being hit with ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/September/CyberWire_2019_09_04.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A look at the ongoing ransomware epidemic with some speculation about its connection to the criminal economy. Over-the-air provisioning might open Android users to sophisticated phishing approaches. Alleged spammers are indicted in California.
Starting point is 00:02:11 And, Zao, we hardly knew ye. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 4th, 2019. The continuing surge in ransomware attacks against U.S. local governments is drawing attention to a Russian criminal gang, StateScoop reports. CrowdStrike calls the gang Wizard Spider, best known for its operation of TrickBot. The group has a sub-gang, Grim Spider, which has been associated with Ryuk ransomware. The ransomware attacks continue, whether by the spiders or others, and school districts remain attractive targets. Schools in Orange County, located in downstate
Starting point is 00:02:58 New York on the New Jersey line, have delayed the opening of school this week as they deal with a ransomware infestation, CBS Local says. It's not known who's behind the attack, but the kiddos get a couple of extra days of summer. Not to worry, though, should any attendance puritans or truant officers be listening, they'll probably have to make up the lost time in June, along with whatever snow days they accumulate over the winter. The proliferation of ransomware seems to be shaping a complicated bandit economy. Emsisoft thinks there's a good chance that extortionists' preference for payment in altcoin has driven a rise in the value of Bitcoin.
Starting point is 00:03:37 It's a demand-side pressure. Bitcoin is attractive to extortionists, Emsisoft speculates, because it's accessible and easy to use, because it's verifiable, and because it's more or less anonymous. ProPublica argued last week that insurance companies themselves contribute to this section of the criminal economy by pushing clients to pay ransom. They frame the argument harshly, suggesting that the insurance companies profit from ransomware, or as ProPublica puts it, quote, even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom. Why? The attacks are good for business, end quote. Well, perhaps, or at least ransomware attacks are no better for the cyber
Starting point is 00:04:24 insurance business than car crashes are for the automobile insurance business. Sure, hearing about ransomware might motivate a town to buy cyber insurance, just the way seeing a smash-up on the freeway might make rubbernecking drivers consider upping their collision coverage. We mean, heaven forfend, you should find yourself in an accident, right? ProPublica's article itself suggests as much. It's not that insurers like ransomware or welcome such attacks on their customers. Rather, the insurer is in the business of limiting losses, and this is always a cost-benefit proposition. The insurer wants to make the client whole as inexpensively as possible,
Starting point is 00:05:03 and paying ransom might be cheaper for the underwriters than covering unransomed losses and the associated costs of remediation. But nefariously motivated or not, if you pay the ransom, you inevitably encourage more extortion, and you encourage the extortionists to increase their demands. Various people have suggested, sometimes citing unnamed FBI sources, that criminals are deliberately looking for victims who have insurance. But as Bank Info Security points out, other experts remain skeptical that the criminals
Starting point is 00:05:35 actually look for insured targets to hit, but bandits do respond to their own market forces. The publication quotes Bill Siegel, CEO of ransomware response shop Coveware. He says, quote, I don't think it's the way that this market works, and we very much view it as a market. These guys go after the low-hanging fruit because it's cheap and the conversion rate is high, and whether or not those victims end up having insurance is just a roll of the dice. End quote. We note that our local example of a
Starting point is 00:06:05 municipal ransomware incident, Baltimore, its very self, didn't have insurance against the clobbering it took this past spring. The mayor recently said he had no idea why Charm City wasn't insured. Us too, your honor. But if insurance isn't the common denominator in the attacks on school systems, what is? We think Siegel's observation about low-hanging fruit applies. The apple is too easy to swipe from the desk. The Cyber Wire's Tamika Smith reached out for insights from industry experts on ransomware. She files this report.
Starting point is 00:06:41 A new report from AppRiver Global Security looks at a variety of cybersecurity concerns this year from cities under siege to business email fraud. Joining the conversation to shed more light on the report is Troy Gill. He's a manager of security research at AppRiver where he evaluates security controls and identifies potential risk. Hi, Troy. Thanks for joining the program. Hey, Tamika.
Starting point is 00:07:04 Thanks for having me. So this year, cities across the country have been hit with ransomware attacks. Your report breaks down attacks in Florida, Baltimore, North Carolina. Can you talk a little bit about the damages? What stood out to me really is the amount of money that these five cities have to put out in damages. Yeah, certainly. You know, this is something that we had kind of predicted in our 2018 end-of-the-year report. We saw the, you know, great potential for a big uptick in this type of activity. You know, we've seen that play out in the first half of 2019. Very popular now are local government municipalities targeted with ransomware. You know, it wasn't that long ago that we saw the city of Atlanta crippled by ransomware.
Starting point is 00:07:46 They even had issues with 911 calls for a while. Of course, very disruptive, very damaging. And like any ransomware attack, the attackers have encrypted the files and they want a ransom paid to release them. So in Atlanta's case, they took the approach, and I applaud them for doing this, and I applaud their resolve of not paying the ransom, which is great. But, you know, on the flip side of that, their cost of remediation and recovery time was much, much greater than had they just paid the ransom. Right. So I believe that the costs were in at least the
Starting point is 00:08:27 tens of millions of dollars, maybe around 30, but, you know, a huge expense. Whereas I believe the ransom demands were in the hundreds of thousands range. In the case of paying the ransom, do they actually get their information back or do the cyber criminals just take off? Yeah, it's a very high rate of, I forget the percentage, I believe it was high 90s, of you actually do receive the decryption keys. You know, so their business model is based on encrypting your files. They don't really take your files. Typically, they're still sitting right there. They're just useless to you because there's, you know, no chance of you, in most cases, decrypting them without the key.
Starting point is 00:09:06 So their business model is based on believing that you are going to get access to your files if you pay the ransom. Otherwise, you know, kind of the word's going to get out that, you know, paying the ransom is pointless and fewer people are going to do it. How would you advise local governments across the country to start preparing for this? Because it doesn't seem like it's going anywhere anytime soon. Making the budgeting decision to maybe spend some money up front on hiring the right people and getting them in the right places to start remediating these type of risks is certainly the right approach. I mean, it's the long-term approach versus taking the short-term approach of, you know, maybe if we just bury our head in the sand and hope for the best, you know, maybe we can get by a little while longer without this happening to us, right? So
Starting point is 00:09:49 that's certainly the correct long term approach. And then, you know, in the case of ransomware, once those people are in place, you know, I think there are budgeting concerns, but having the right backup strategy, making sure these files that are getting locked are actually backed up somewhere is just a huge night and day difference for how much leverage the attacker has over you in one of these attacks. If you're able to recover your files on your own, you know, it really empowers the target here to be less vulnerable to these type of attacks. I would say, you know, don't try to do it yourself. You know, there are resources to go to, to find, you know, best practices and those sorts of things. And that's great. And you can try to do
Starting point is 00:10:30 that with your existing staffing and technology. But I think, you know, probably hiring the right consultant would probably be the best first step, right? So get the consultant in there, kind of let them get a lay of the land, where are your assets, you know, what is the most important data, where is it all located, and then from there, they can help you develop a plan on hardening your defenses against attacks, right? What happens in step one is going to determine where your step two and three end up going. That's our own Tamika Smith speaking with Troy Gill from AppRiver. Security firm Check Point warns that Android devices could be hit by an advanced phishing technique that exploits the over-the-air provisioning carriers use to bring new phones on board. The weakly authenticated SMS messages are readily spoofed. Check Point notes that the
Starting point is 00:11:21 industry standard for over-the-air provisioning, Open Mobile Alliance Client Provisioning, offers limited authentication methods that can make it difficult for someone setting up their service to determine whether the settings a message suggests come from the legitimate network provider or from some imposter. For now, it's a Check Point proof of concept, but it offers mobile users something to think about. The U.S. Attorney for the Southern District of California has filed charges against four employees of an email advertising company. Krebs on Security says that the four accused, employed by Adconian Direct, allegedly hijacked IP addresses for use in email advertising campaigns. The prosecutors maintain that the four accused conned an internet hosting firm, Hostwinds, into routing the IP addresses on their behalf.
Starting point is 00:12:11 Krebs also says that the government appears to have had Adconian's email practices under investigation since 2015 at least, and that the charges just filed may be the opening round in a wider prosecution. And finally, InfoSec Magazine reports that Zao, the widely popular but at the same time vaguely repellent app that lets you put your face onto that of your favorite actor in your favorite TV show so you can imagine yourself as being, say, Barney Fife, has been kicked out of WeChat. Zao blazed and flamed out like a meteor.
Starting point is 00:12:41 It was launched only Friday, blew up overnight, and now has everyone worried about privacy, deep fakes, and giving someone the right to your likeness in perpetuity. But hey, if you can imagine yourself as Gilligan or Kojak or Lovey Howell, what's the big deal about rights and perpetuity?
Starting point is 00:15:12 Gooden. And this was about researchers using Rowhammer bit flips to steal 2048-bit crypto keys. There's a lot to unpack here. What can you do to explain what's going on? Well, let's step back a little bit and talk about Rowhammer in general. Rowhammer is an attack that's been out for a little while now. And the basic idea with that sort of attack is that you have regions of memory that are stored physically very close to each other. And this is really just a consequence of the fact that memory size is always shrinking. And so parts of memory, pieces of memory,
Starting point is 00:16:16 locations in memory are always getting physically closer and closer together. And we think abstractly about these different regions of memory as not really interfering with each other. But in fact, if you look physically at what's going on, and this is what the Rowhammer attack exploits, changes in one portion of memory can actually have a very subtle effect on nearby portions of memory. So basically, at a high level, what this allows an attacker to do is if they have control over one portion of memory, say memory location A, but they don't have control over memory location B, they can nevertheless, by making a bunch of changes to memory location A, effect changes in memory location B. And of course, you can see that that's going to be quite dangerous if memory location B is going to be holding some cryptographic information.
Starting point is 00:17:04 Hmm. And that's how they go about stealing the keys then? Right. So what's new in this attack is that previous Rowhammer-based exploits just violated integrity. So basically they allowed the attacker to modify the key and thereby mess things up for some cryptographic computation that was being performed. And what the researchers have now shown is that they can use that information to actually now learn the key itself. And this is quite complex, actually. But the idea here seems to be that these changes that the attacker can induce in portions of memory that they don't control are really quite subtle. And so, for example,
Starting point is 00:17:41 I'm simplifying things a little bit, but the researchers show that if you have the attacker making changes to some memory location B, and you have, let's say, a 1-0 versus a 1-1, the changes that the attacker will induce are going to be different. probe whether or not you have a 1-1 there or a 1-0, and gradually over time they can learn certain bits of information about that portion of memory which may contain a key, and then they can further use existing algorithms to then bootstrap from the little bit of information they can learn to eventually recover the entire key. Now on the hardware side of things, there are different types of DRAM chips, and some of them are ECC RAM, which is error-correcting code RAM. Does that offer an advantage here? So you would think that it would, and you would think that if you had an error-correcting code being applied to the memory, then any changes that the attacker would induce in the memory would be caught by the error-correcting code and then automatically corrected in the background,
Starting point is 00:18:42 resulting in no net gain for the attacker. And one of the interesting things in this piece of research is that the researchers showed actually how they were able to circumvent that and they were able to learn information even in the presence of these error correcting codes. And the basic idea there was that they relied on certain timing information. You could imagine, for example, that if the code is finding no error, then when it uses that piece of information, it'll do so faster than if it has to correct an error before using the information. And so using that subtle bit of difference in timing, they're able to figure out whether an error occurred or not and then keep going and exploit it and eventually extract the entire key. It's quite an involved process. And to be honest, I'm not sure if it represents an attack that would be easier than other modes of attack that adversaries are trying. But nevertheless, it's really very amazing at a fundamental level to just kind of get at,
Starting point is 00:19:35 you know, the raw physical memory and exploit that for such an attack. Yeah. All right. Well, Jonathan Katz, thanks for joining us. Thank you.
Starting point is 00:20:22 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is
Starting point is 00:20:56 proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Thanks for listening. We'll see you back here tomorrow.
