CyberWire Daily - Ransomware in Ukraine's Energy Ministry. Energetic Bear infrastructure. Anonymous Twitter accounts equal bots? Orangeworm in x-ray, MRI machines. Sanction notes. Election security.

Episode Date: April 24, 2018

In today's podcast, we hear that Ukraine's Energy Ministry is under ransomware attack. Kaspersky finds infrastructure belonging to Energetic Bear. Lots of anonymous Twitter accounts pop up in East Asia. Orangeworm is after something in healthcare networks, but whether it's IP or PII is unclear. Disclosure and patch notes. Kaspersky may be the subject of US sanctions. A hacker in the Yahoo! breach case could get almost eight years. As US midterms approach, thoughts turn to election security. Joe Carrigan from JHU ISI on devices that unlock iPhones. Guest is Jerry Caponera from Nehemiah Security on quantifying cyber risk.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Ukraine's energy ministry is under ransomware attack. Kaspersky finds infrastructure belonging to Energetic Bear. Lots of anonymous Twitter accounts pop up in East Asia. Orangeworm is after something in healthcare networks,
Starting point is 00:02:10 but whether it's IP or PII is unclear. We've got disclosure and patch notes. Kaspersky may be the subject of U.S. sanctions. A hacker in the Yahoo breach case could get almost eight years. And as midterms approach, thoughts turn to election security. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 24, 2018. A ransomware attack has hit Ukraine's energy ministry. A spokeswoman for the ministry told the BBC that the attack was isolated, that no other agencies have been affected, and that indeed the ministry's email is up and running. Still, the incident is a nuisance. The ransom screens are written in English. It's not good English.
Starting point is 00:03:02 It looks very much like an actual non-native speaker's production and not something in Shadow Brokerese. For example, it says, "Oops, your website have been encrypted and all files will be delete." They're asking for just 0.1 Bitcoin, which comes to just under $1,000, and they're not taking PayPal or any other substitutes. The indications are that it's a simple criminal attack as opposed to misdirection by a nation-state, like, for example, NotPetya.
Starting point is 00:03:32 Ukrainian authorities have a criminal investigation in progress. Moscow-based security firm Kaspersky Lab says that it's uncovered infrastructure used by the Crouching Yeti threat group, also known as Energetic Bear, for attacks against industrial networks. They've been tracking the group since about 2010. They call it a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks. The researchers note, somewhat darkly, that the diversity of infected servers and scanned resources
Starting point is 00:04:08 suggests the group may operate in the interests of third parties. A surge in anonymous Twitter accounts in Southeast and East Asia has prompted speculation about the formation of bots to influence public opinion through the social media platform. Twitter doesn't believe it's yet seen anything out of order, because maybe it's just a bunch of starstruck types following celebrities, but people are looking for signs of information operations. Symantec and others are tracking Orangeworm, a cyber espionage campaign that's hitting
Starting point is 00:04:42 healthcare organizations. X-ray and MRI devices are most often affected. Many researchers doubt that the group behind the campaign is a nation-state, but the attackers' goals are obscure. They seem to be after either personal information about patients or intellectual property about the medical devices themselves. Google's Project Zero has disclosed a vulnerability in Windows 10. It's possible to bypass Windows' lockdown policy in a way that can result in arbitrary
Starting point is 00:05:12 code execution. Microsoft missed Google's 90-day deadline for addressing reported vulnerabilities, so Google has gone public with the unpatched issue. Presumably a patch will be forthcoming, but there's nothing available now. The business-focused social network LinkedIn has issued a patch for its autocomplete API. The function turned out to be leaky. Quantifying cyber risk is an ongoing challenge
Starting point is 00:05:40 faced by many organizations. Jerry Caponera is vice president of cyber risk strategy at Nehemiah Security, and he maintains we need a methodology to quantify, justify, and advance the risk management conversation among executives. Pretty much everybody I've ever spoken to has said they want to be able to treat cybersecurity as a business, but there's just a lot of churn on what that means, how to do it, and what they should do. So definitely early, but with just a huge upside. I feel as though in the last year or two, the conversation has certainly shifted at the board level where people are talking about risk
Starting point is 00:06:20 in terms of risk. Do you feel like there's still a ways to go? I do. So what's interesting is I think you're right. I think in the last year or two, I've seen that shift as well, too. I think there's a couple of drivers for that shift, personally. One is, obviously, we're seeing and hearing more about large financial losses due to attacks. I think it was last fall, Merck was hit with a ransomware attack, and they finally said they lost on it. The cost of on air about $350 million. About a third of that was related to revenue and the rest with other costs. So that's kind of an eye-opening number. You're starting to see, I think, one more high-profile attacks. The second thing I think that's
Starting point is 00:07:05 driving much more awareness for companies at the board level is you're starting to see some more regulations. I'm actually a big fan of what the EU has done with GDPR because they're finally starting to put teeth to some of the cyber regulations that exist. You know, having, losing data on a European national and having to deal with potentially a four percent of my revenue loss, that's a big number potentially. So you're starting to see more numbers pop up, which is good. And the third thing is just recently we saw the SEC release a report that basically says companies need to start talking about what a material cybersecurity risk is. Now the genetic, the guidance was vague there, but reading on, you know, reading that on the walls, Sarbanes-Oxley compliance and where that's going, you can see that not only are companies starting to get aware, they're starting to have to become aware, which is, unfortunately, I don't believe full change for a company will take effect until they have to.
Starting point is 00:08:02 So how do you guide people along towards these conversations? It kind of depends on who you're talking to. The reality is these conversations are still amongst two different camps, right? Those I'll call them, I think you said in the security camp and those on the business side of the camp. You have to drive them to the answer based on which camp they're actually in. So we were just having a conversation about working on some material to help educate security folks that what they really need to be doing is aligning with the key strategic initiatives the organization is taking in the next 12 to 18 months, right? How do they start to show that security is an enabler? And the only way to do that is to actually tie to
Starting point is 00:08:39 the business initiatives. If your goal as a company is to grow 400%, which means you have to increase your online presence by 50%, you can generate more leads. What would a cyber attack potentially do that could impact that? On the security side, how do I make sure that an attack doesn't happen? Because if it does, it's going to inhibit my ability to basically make that number. I heard a gentleman once say that the best way we can answer the question you asked is to stop thinking of cyber professionals. When we announce ourselves saying we're cyber people, we should be saying we're business people with a cybersecurity focus because it's that closing of the gap between the cyber and the business that's going to make this a reality.
Starting point is 00:09:19 And you have to drive those conversations up from where security is and down from where the business is. And that simple example of, hey, I want to grow my online presence by 50% so I can generate more marketing leads because marketing is our number one driver for future revenue. The question then becomes, well, how can cyber help the business reach that goal? And if we can have that conversation, we're on the right track. That's Jerry Caponera from Nehemiah Security. As the U.S. government weighs sanctions against Russia, one of its targets may be Kaspersky. Officials say they're considering banning all of the company's operations in the U.S., in addition to the already effective ban on U.S. federal agencies buying Kaspersky products.
Starting point is 00:10:04 Any such sanctions would be imposed after Kaspersky's suit, alleging it's the victim of an unconstitutional bill of attainder, is resolved. Kaspersky denies that it's improperly connected to Russian intelligence, but Western officials say there's a problem in Russian laws that compel cooperation with security services. Speaking of Russian security services, the hacker accused of exposing 3 billion or so Yahoo records on behalf of Russia's FSB is getting his day in court. Karim Baratov, a Canadian citizen of Kazakh origins, was snaffled up by Canadian police and extradited to the U.S. to face charges on his March 2017 indictment.
Starting point is 00:10:47 The U.S. prosecutors are asking that the spear-phisher be awarded 94 months in club fed. That's just shy of eight years. It was a nice gig while it lasted. Baratov was a hacker for hire who made it a point of not asking his employers too many questions, and it paid for him. He's a car guy. He used his FSB paychecks to buy a Lamborghini, a Porsche, an Aston Martin, a Mercedes, and a BMW. His defense team is pleading in mitigation that, one, Mr. Baratov is young, under 22 when he was most active, and two, after all, it's his first arrest. As U.S. midterm elections approach, voting is more than six months away, but American election
Starting point is 00:11:33 cycles are famously long. At least 20 states have expressed a degree of uneasiness about the security of their election systems. One solution a number of people are proposing is to call the National Guard, that reliable standby the states use to deal with emergencies of all kinds. The Guard itself has cyber units of various kinds in some 38 states, and room to grow, as officers say. Such units could provide some useful incident response capability. A RAND study in 2017 concluded that there were more than 100,000 personnel in the Army Reserve and Army Reserve National Guard.
Starting point is 00:12:14 That latter name is the official name of what we civilians just call the National Guard. How such expertise might be used is untested. We heard one useful suggestion at RSA in conversation with the Chertoff Group's Adam Isles. Find people with IT skills in the Guard and give them the ability to build up their security chops. Then they can take those skills and lessons learned back with them to their jobs. A lot of the 100,000-plus RAND saw in the Guard with some relevant skills are people who work in IT jobs. That's not security directly, but it's a good start. So have at it,
Starting point is 00:12:51 weekend warriors. Of course, there are plenty of people in the private sector willing to help, too. We heard from Tom Kemp, CEO of security firm Centrify, who's got an offer for state election boards, if they want to ameliorate the risk posed by stolen or compromised credentials, the kind of thing that could gum up the polls on Election Day. Imagine the election judges turning you away with a "Sorry, sir, we regret it, ma'am, but your address is a digit off." They can get Centrify's zero-trust platform at no charge. So that's another offer on the table. And for those of you keeping track of these things,
Starting point is 00:13:23 GDPR is just one month away. Thought we'd mention that. Innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:14:12 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:46 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. executives, and their families 24/7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Starting point is 00:16:02 Thanks, Dave. So interesting research released from the folks at Malwarebytes Labs. They were talking about a device called a GrayKey, which is an iPhone unlocker, and they're saying there's some serious concerns here. What do you take, what do you suspect is going on here? I'm not entirely sure. These people have developed a small piece of hardware that does something to an iPhone that then causes that iPhone to display its passcode to unlock the phone. Yeah. So what is going on there?
Starting point is 00:16:36 Just in the article, they're speculating that there is something where they root the phone or jailbreak the phone, and then I guess they have to install some kind of app that goes through and guesses the passwords that runs in the background and displays a message on the screen. Going through some sort of brute force process. I'm almost guaranteeing that it's a brute force process because one of the key indicators is that it takes longer to pass or to come up with a six-digit passcode than it does a four-digit passcode. And that, to me, just says brute force. So there's no magic in how they're breaking the phone open. They're just trying all the different combinations. The magic comes in how they stop the phone from erasing itself
Starting point is 00:17:15 after so many failed attempts. And that's probably why they're jailbreaking it. They're probably intercepting the system calls that would go back and erase the memory chips. And one of the concerns here is that these sorts of devices have been available in the past with previous versions of iOS. Cellebrite was a manufacturer of a different one. And these, while they're intended for law enforcement, but as with these sorts of things, they can sort of slip out and make their way out into the wild. Yeah, there was one, the article talks about one called the IP Box 2, which unlocked older, or still unlocks older iPhones.
Starting point is 00:17:54 In fact, you can still get them on Amazon, the article says. So, yeah, these things have been released into the wild in the past. The GrayKey box, however, looks like they're being very tight with their control of it over making sure that only law enforcement get it. That being said, the road to hell is paved with good intentions.
Starting point is 00:18:16 So I'm sure it's only a matter of time before one of these things disappears from some law enforcement site. There are models that can be used anywhere. They have a key, but the key is small. That can also be swiped out with the device, no problem. I don't know how concerned I am about this. It's definitely an edge case.
Starting point is 00:18:37 Yeah. Well, it strikes me that if you're someone for whom this sort of security is a concern, you're going to know that, and you're going to be using more than a four-digit numeric password. Right, right. And even if you're using a longer password, I guess this thing will eventually break it,
Starting point is 00:18:52 but you'll be using other ways of communicating that don't necessarily rely on the security of an Apple device. Yeah, concentric circles of security. Right. You know, unlocking the phone is one thing, but then maybe another layer, encryption, you know, point-to-point, all that sort of stuff. Yes.
Starting point is 00:19:12 You know, plausible deniability apps that delete chat histories. Right, right. All right, well, it's an interesting cat and mouse. It is. And it's, you know, it's... What's interesting about this is I'd like to know if, you know, what Apple's doing to try to address this. I'll bet that they're aware of this. For sure. Because Apple generally tends to have a pretty good security stance. I like to pick on Apple, but one of the things I don't generally pick on them about is their security.
Starting point is 00:19:39 All right, Joe. It's interesting stuff as always. Thanks for joining us. My pleasure, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive
Starting point is 00:20:11 data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Starting point is 00:21:13 Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. But also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Starting point is 00:22:04 Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
