CyberWire Daily - Ransomware, nyet; wiper, da. Shipping, manufacturing, and Big Law may share some common risks. WikiLeaks and the ShadowBrokers are back again.
Episode Date: June 29, 2017
In today's podcast we hear that the current Petya/Nyetya/NotPetya outbreak down deep doesn't look like ransomware, but a wiper, and a nasty one at that—probably a cyber warfare campaign. How are... these three things alike: shipping, manufacturing, and Big Law? The ShadowBrokers are back, and WikiLeaks' Vault7 disgorges what looks like a creepy stalking tool. Other non-Petya ransomware attacks. Rick Howard from Palo Alto Networks explains the importance of capture-the-flag competitions. And officialdom seems to cling bitterly to Windows XP.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
It's not ransomware, but a wiper, and a nasty one, too.
That's the current take on the Petya variant that's circulating around the world.
And how are these three things alike?
Shipping, manufacturing, and big law?
The Shadow Brokers are back, and WikiLeaks' Vault 7 disgorges what looks like a creepy stalking tool.
Other non-Petya ransomware attacks, and officialdom seems to cling bitterly to Windows XP.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, June 29, 2017.
The Petya pandemic continues, and its story at least has grown more complex.
It's picked up at least two new names, ExPetr from Kaspersky and Nyetya from Cisco.
We'll stick with Petya for now, but researchers think that while the current outbreak used code strings from Petya, it's sufficiently different to warrant a new name.
Specifically, it now appears to most that what we've been calling Petya really isn't ransomware
at all, but rather a wiper masquerading as crypto ransomware. Those few who've paid the ransom seem
not to have recovered their files, and indeed there may be no way for them to do so.
Not only has the German email service the attackers used to host their payments account suspended that account
(they don't want to be party to crime at all),
but the victims who paid up got nothing for their Bitcoin.
So, as suspected, the goal here probably isn't really money,
but disruption and geopolitical throwing one's weight around.
These features lead many to conclude that Petya's current instantiation is an act of cyber warfare,
not cybercrime. Most observers think it originated with Russia, or, as BleepingComputer puts it,
"the obligatory part where we blame Russia." While the evidence is circumstantial, it's more than
reflexive finger-pointing. Russia is engaged in a serious hybrid war against Ukraine.
The incident has prompted NATO to announce plans to step up cyber defense cooperation with Ukraine.
Microsoft says a malicious update to the tax accounting software M.E.Doc was the initial vector.
Since then, researchers at Kaspersky have also found a watering hole attack
in a website belonging to the Ukrainian city of Bakhmut. A watering hole, of course, is a maliciously crafted website that
infects visitors who graze over to it in bovine fashion. This kind of watering hole is a bad thing.
Think of the Badwater Alkaline Pool in Death Valley, not some sort of refreshing oasis for
camels or wildebeests. Stay away from Bakhmut, the website we mean.
The city itself we hear is perfectly nice and even has a big salt mine you can visit that
features what the Bakhmut boosters say is the world's largest underground room.
At any rate, the effects of the campaign have been particularly heavily felt by manufacturers,
logistics companies, and curiously, big law firms. Maersk, the Danish shipping giant, was hard hit.
The company has begun its recovery, but port operations continue to be affected.
Maersk runs major ports around the world, including facilities not only in Europe,
but in Asia and North America as well.
One of the North American facilities affected is San Pedro, the port of Los Angeles.
Among manufacturers, big pharma company
Merck has disclosed that its operations have been disrupted by the campaign. In big law, DLA Piper
is among the targets said to have been clobbered. American Lawyer magazine commends DLA Piper for
being forthcoming about its experience and says that Piper's not alone. Clients are restive. So what do logistics,
manufacturing, and lawyers have in common? The conjecture is unpatched Windows systems,
vulnerable to the EternalBlue exploit this round of Petya incorporated. Logistics and manufacturing enterprises use hard-to-patch instances of Windows in various ICS applications.
Law firms tend to be patching laggards,
perhaps because similar complexities present themselves in e-discovery.
There was also a little-noticed ransomware outbreak last week.
It hit Ukraine pretty exclusively,
and it's been completely overshadowed by the news of Petya,
but the little-known malware PSCrypt was aggressive and damaging.
It seems to have been designed to hit Ukrainian targets only, which is odd,
showing a national focus not usually seen in cybercrime.
This points, of course, to a Russian hand.
Either security services or some of those patriotic hackers Mr. Putin has recently praised.
So ransomware or wiperware, there are two prudent steps any enterprise should take.
First, patch.
Second, securely back up your data offline so you can restore operations should an attack get through.
Yesterday, two sources of leaks resurfaced.
WikiLeaks offers a manual for ELSA from Vault 7.
They claim ELSA is a CIA tool for tracking users of Wi-Fi-enabled devices using extended
service set data from nearby Wi-Fi networks. This strikes many observers as creepy and
vaguely stalkerish, a little like that sleazy Girls Around Me app we heard people talking
about a few years ago. And the Shadow Brokers, still speaking their odd and unnatural dialect,
which we think we're going to start calling Omrushish, since the lingo needs a name,
and flacking their Exploit of the Month Club, promise they're about to name and shame an Equation Group operator,
they're calling him Dr. Person, who's tweeted rudely about them.
After taking a bow for Petya, Nyetya, and ExPetr,
enabled by their EternalBlue dump, the brokers get down to business,
and their Omrushish is always worth quoting in full.
"The Shadow Brokers is having special invitation message for Dr. Person. The Shadow Brokers is
meeting on Twitter. Dr. Person is writing ugly tweets to the Shadow Brokers. Not unusual,
but Dr. Person is living in Hawaii and is sounding knowledgeable about the Equation Group.
Then Dr. Person is deleting ugly tweets. Maybe too much drinking and tweeting is very strange.
So the Shadow Brokers is doing some digging.
The Shadow Brokers is thinking Dr. Person is former Equation Group developer
who built many tools and hacked organization in China."
This promises to be a Twitter flame war.
The operator in question may have taken up their challenge.
In any case, someone has claimed the @DrWolf Twitter handle
and says he'll be doxing himself sometime soon.
Finally, a few quick notes on things not connected to Petya.
South Korean banks are continuing to fight off extortionists,
threatening distributed denial of service attacks.
Nice availability you got there.
Shame if something happened to it. Officials of Her Majesty's government are blaming the
Westminster email hack of last week on sloppy and inattentive password practices, so get serious,
London. And speaking of London, Computing Magazine reports that 18,000 Metropolitan
Police computers are still running Windows XP.
Well, you might say, surely some of them have been upgraded.
And so they have.
Eight.
Count them, eight of the Bobbies' machines are now running Windows 10.
That's 1, 2, 3, 4, 5, 6, 7, 8.
That's it.
Eight.
By the Great Horn Spoon.
And I'm pleased to be joined once again by Rick Howard.
He's the Chief Security Officer at Palo Alto Networks. And he also heads up Unit 42, which is their threat intel team.
Rick, we've talked before about capture the flag competitions,
and they're really a great way to test people's skills
and get them involved with cybersecurity.
Yeah, and they've actually turned into kind of an intramural league
for cybersecurity nerds.
So instead of going out and playing baseball, we can run these contests, have a little friendly competition,
and then have some crowing rights if you do well in these things.
And there's an upcoming competition that you wanted to highlight.
Yeah, we like Capture the Flag for lots of reasons.
And you and I have talked before about the well-documented cybersecurity shortage of qualified personnel.
And lately, I've come to believe that you don't really need a full-fledged computer science or electrical engineering or some other technical degree to get a start in this field.
At the entry level, it is enough that you have a basic understanding of networks and computers,
a bit of skill in a scripting language of your choice, maybe a cursory understanding of the adversary attack lifecycle, and maybe finally a certificate from a vendor saying you're qualified
to maintain one of their boxes, like, you know, a firewall or a SIEM or something like that,
right? But, and I will tell you, though, that's a good way to get into the system, right? And
the one question I ask everybody, okay, when it comes to interviewing with me for a job is, what are you running at your house?
Because if the applicant is not running a Linux machine that she built herself, she's not smart enough or curious enough to work for me. I mean, you know, at this point, we're looking for people who are not afraid to get their hands dirty, to learn on their own and to solve problems, you know,
without a lot of guidance from the leadership team. And so that's what Capture the Flag helps
us do. We can hone our skills with it. It's a place they can go and try out those things.
We just finished our own internal Capture the Flag contest last month for our own internal
security teams and intelligence teams.
It was a big hit. We also sponsored a contest at the University of Alabama at Birmingham this past
February designed to encourage women and minority Alabama high school students to consider
cybersecurity as a potential field of study as they matriculate to college. But what we're doing
right now is hosting a worldwide online capture
the flag contest for anybody that thinks they might like to dip their toes into the cybersecurity
space or even for the seasoned veterans who want to test their skills. Now, this thing is called
Labyrinth, and it's running continuously until 23 July at 4 p.m. And the best news is that we're
offering several cash prizes totaling some $32,000. So participants will
attempt to solve cyber puzzles designed for newbies and
seasoned practitioners. So I think it is one of the great ways that
we can enhance our education in the field and kind of bring
everybody together and talk about cybersecurity.
These challenges bring amazing learning opportunities together across all levels.
And our goal here is to drive threat intelligence education by sharing challenges based on the
daily life of the Palo Alto Networks engineers.
So that's what we're trying to do.
So tell everybody, David, we're having the big contest that's online right now.
We want to see how well you do.
All right.
Check it out.
It's called the Labyrinth Capture the Flag Challenge.
Check it out at Palo Alto Networks.
All right, Rick. Thanks so much for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.