CyberWire Daily - Ransomware old and ransomware new, but can you distinguish it from a wiper? Influence operations hearings on Capitol Hill.

Episode Date: November 1, 2017

In today's podcast, we hear about ONI ransomware in Japan that may prove to be a wiper. Ukraine blames NotPetya operators Black Energy for BadRabbit. Pyongyang feels London is picking on it. Phishing Facebook in Nordic nations. Security firms sell certificate authority business. Twitter won't sell any more ads to RT or Sputnik. Johannes Ullrich from SANS Technology Institute and the ISC Stormcast podcast on honeypots. Russell Jones from Deloitte with the results from a recent medical security poll. During hearings on influence operations, Senators wonder why Facebook wasn't suspicious when people paid for their advertising in rubles.

Transcript
Starting point is 00:01:22 Ransomware in Japan may prove to be a wiper. Ukraine blames NotPetya operators Black Energy for BadRabbit. Pyongyang feels London is picking on it. Phishing Facebook in Nordic nations.
Starting point is 00:02:08 Security firms sell their certificate authority business. Twitter won't sell any more ads to RT or Sputnik. And during hearings on influence operations, senators wonder why Facebook wasn't suspicious when people paid for their advertising in rubles. I'm Dave Bittner with your CyberWire summary for Wednesday, November 1st, 2017. A new ransomware campaign, ONI, has been observed in operation against Japanese targets.
Starting point is 00:02:46 Like a number of other apparent ransomware efforts, WannaCry and NotPetya prominently among them, ONI may blur the lines between ransom and simple disruption. Cybereason, which has been tracking ONI, says the ransomware, or wiper if that ultimately proves a more accurate description, was deployed only to Active Directory servers, or to what Cybereason calls critical assets. Ukrainian authorities speaking at a Reuters cybersecurity summit attribute BadRabbit ransomware to Black Energy, the threat group they also believe was behind NotPetya. There's no surprise in this, as Russia has long been the principal suspect in these attacks. Ukraine and many security experts believe Black Energy operates in the interest and under the direction of the Russian government. Moscow denies this, as it denies carrying out cyberattacks against Ukraine.
Starting point is 00:03:34 A North Korean spokesman has denounced the UK's attribution of WannaCry ransomware to Pyongyang as a wicked attempt to ratchet up sanctions against North Korea. But global banks are not disposed to take the DPRK's protestations of innocence at anything approaching face value. The financial sector is taking steps to secure itself not only against the sort of SWIFT exploitation that diverted millions from Bangladesh banks' holdings through fraudulent wire transfers, but also against the more destructive wiper malware the DPRK has deployed against other targets.
Starting point is 00:04:11 Security firm Webroot has just blogged its picks for the 10 worst ransomware infestations of 2017. They are, counting down from number 10, Jigsaw, which deletes one of the victim's files every hour, Cryptomix, spread mostly through exploit kits, Cerber, which has made its mark in the ransomware-as-a-service market, Spora, spread through a bogus Chrome update that pops up from compromised legitimate websites, Jaff, still appearing in new variants, Nemucod, famous for its fake shipping invoice emails,
Starting point is 00:04:43 Crysis, this one's a nasty little piece of work that also removes automatically backed-up files, and then, in order, the big three, Locky, WannaCry, and NotPetya. Those are the worst of 2017 so far, but we still do have two months left to go. Returning to the two Koreas, there's also some more traditional cyber espionage news. A South Korean lawmaker has accused the North of stealing sensitive warship plans. When it comes to cyber security, medical devices have the added complication of sometimes having people's lives on the line. And a typical hospital can have hundreds or even thousands of devices with varying degrees of connectivity and vulnerability.
Starting point is 00:05:28 Deloitte recently conducted a survey of medical professionals to gauge their understanding of the risks of connected medical devices. Russell Jones is national co-leader of medical device safety and security for Deloitte. One of the questions was, what do you think is the biggest challenge facing the medical device industry with regards to cybersecurity? 30.1% of the respondents said that identifying and mitigating the risk of fielded legacy devices is probably the biggest challenge they're facing around medical device cybersecurity. Is that a matter of sort of the unknown unknowns out there in their facilities, that there are devices that are connected that they don't
Starting point is 00:06:05 really know what the vulnerabilities might be? The big problem, I think, in the industry, both with healthcare delivery organizations and with device manufacturers, is asset management, right? So for the healthcare providers, if you go talk to a head of clinical engineering or biomed engineering, they can tell you the overall population of medical devices throughout the hospital or throughout the health system, but it's a little bit harder to get their arms around what is their subset that are connected medical devices. And then even if they've got a handle on that subset of the devices that are connectable, right, either connected
Starting point is 00:06:45 to the network or could be connected, then having the ability to kind of do security risk assessments for those devices, understanding what the actual true risks are, impacting patient safety or confidentiality of patient information, and then being able to actually do something about it in terms of putting controls in place and the like, that's the struggle right now in the U.S. health care system. Is there any sense that the situation is getting better or worse, or is it sort of staying at an even level? I would say at this point there is acknowledgement and recognition and a lot of coverage in the media about the issue. But I think many organizations are still struggling with really being able to get a handle around the issue, particularly health care providers, because of things like not having the funding necessary to go and deal with the problem or having the capacity or the expertise to be able to go deal with the problem. You know, there are some health care
Starting point is 00:07:50 organizations that have a pretty good approach to dealing with the problem and they're actually working the problem. But when I look at the overall U.S. health care system, over 6,000 plus hospitals, the vast majority are struggling, you know, dealing with the issue today. And I see in your report, Deloitte has some recommendations. Can you take us through those? I would say one of the most important things to do is to conduct security risk assessments, whether you're a healthcare delivery organization or device manufacturer, to really understand what the actual cyber risks
Starting point is 00:08:26 are to your, you know, medical devices, and then be able to really prioritize what your response is going to be to go to address those risks, try to mitigate them through controls, security controls, whether they're technical, whether they're, you know, organizational, administrative, to really kind of get your arms around what kind of resources you're going to need to go and address, you know, the risk. What kind of funding you're going to need. You know, what kind of, you know, leadership are you going to need? What kind of support are you going to need from the device manufacturers if you're a hospital, you know, going to conduct that kind of risk assessment?
Starting point is 00:09:03 Or if you're a device manufacturer, you know, security risk assessments of your own, you know, fielded devices that kind of really understand what those risks are and be in a better position to kind of help your customers, you know, the healthcare providers. Another thing we talk about is having a document hierarchy. This is more of a recommendation for medical device manufacturers. By that, we mean having better documentation in place around the whole cyber risk, you know, security risk management of devices. Whether they're fielded, whether they are in the pipeline, in the process of going through the product development lifecycle, you know, having good documentation in place around how you do security risk management for your devices, how you do, you know, incident response, you know, having all the supporting kind of like policy procedures,
Starting point is 00:09:58 standards, and guidance in place in a way that's more formal, right, to manage that, you know, risk around the devices through the whole development lifecycle. That's Russell Jones from Deloitte. A phishing campaign underway in the wild is seeking to obtain Facebook or YouTube credentials. Security firm F-Secure has been tracking the crooks for two weeks as they've advanced slowly from Sweden to Finland to Germany. If you recall entering your credentials in response to a dodgy pop-up prompt, you'd do well to change them. Cyber companies continue to sell their Certificate Authority business.
Starting point is 00:10:36 DigiCert has closed its purchase of Symantec's Certificate Authority unit. Comodo has also joined the trend, setting up a separate new company, Comodo CA, which will be owned by Francisco Partners, a private equity firm. There have been no further charges announced from U.S. Special Counsel Mueller's investigation of Russian influence operations beyond those released Monday morning. But more indictments are expected, the reach of the investigation appears to be spreading, and the various political operators who had to do with Fusion GPS, and there's no shortage of them, are feeling the discomfort of special counsel heat.
Starting point is 00:11:15 Congress is making pious rumblings about shoring up laws regulating lobbying firms that represent foreign clients. The U.S. Congress is also continuing its own inquiry into influence operations, concentrating this week on the way in which Russian services used social media interactions to do whatever it was they were up to. The best-informed opinion seems to hold that Moscow wanted to do what it's done for nearly a century, erode the credibility of Western institutions generally, and American ways in particular. Twitter, embarrassed by ways in which its platform served as a megaphone for various Russian trolls and media outlets, has announced that it will no longer accept advertising from either RT, formerly Russia Today, or Sputnik News.
Starting point is 00:12:00 Both media outlets will still be able to tweet, just not buy ads. We heard from The Media Trust's Chris Olson, who sees this as a step toward Twitter's establishment of more controls over its service. Olson said, "They have identified two parties whose activity is not clear, with behavior possibly violating company ethos, if not direct policies, and blocked them. As the situation continues to unfold, there will be more buying entities blocked from more digital platforms."
Starting point is 00:12:29 Facebook has been front and center on the Capitol Hill hot seat this week. The company revised its estimates upward about how many people saw Russian ads targeted at the 2016 U.S. presidential election. They now believe about 126 million users saw the ads. The Media Trust's Olson commented on Facebook's testimony as well. He said, quote, one thing is clear from the ongoing Senate Judiciary and Intelligence Committee hearings. Congressional leaders are very concerned that buyers of political ads on digital platforms are not subject to the same disclosure rules as traditional broadcast media, end quote. And by that, he means such familiar tropes as,
Starting point is 00:13:09 I'm Senator Foghorn and I approve this message. Congress is considering a proposed Honest Ads Act to bring comparable transparency to online advertising. Olson continued, quote, This means any consumer-facing website or mobile app operator should know their buyers and buyer activities. They should not only enforce digital policies, but also continuously monitor compliance and terminate relationships with offenders, end quote. One of the pieces of testimony that gave senators an opportunity to roll their eyes was this. Not only did Russian ad buys come from the Internet Research Agency St. Petersburg troll farm,
Starting point is 00:13:48 but said trolls even paid for the ads in rubles. That's rubles, not even WhopperCoin. Still less Yankee greenbacks, as the senators might have put it. Slava Putino? Mr. Zuckerberg, didn't that raise any eyebrows at One Hacker Way, Menlo Park?
Starting point is 00:14:17 technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:57 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows
Starting point is 00:15:17 like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
Starting point is 00:15:58 But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk.
Starting point is 00:16:43 In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Johannes Ulrich. He's from the SANS Technology Institute. He's also the host of the ISC Stormcast podcast. Johannes, welcome back. You wanted to share some information about some honeypots. What do we need to know? Yeah, really one technique that is gaining more and more steam sort of on the defensive side is the idea of deception. Now, deception itself isn't new. You mentioned honeypots.
Starting point is 00:17:26 Honeypots have been used historically, mostly by researchers, but not so much in the enterprise in order to defend your networks. However, hunt teams have found it more recently to be really, really useful to have some bait left in the network in order to identify attackers. In particular, when it comes to identifying malicious insiders, this technique has been shown to be quite useful. And so what's the technique? How do you implement it? So one way this technique is implemented, for example, is by leaving documents on workstations that include a little web bug. Now, you're probably familiar with web bugs because those are little images that are being
Starting point is 00:18:11 downloaded from a web server in order to track whether or not someone opened a document. Now, in this case, they're being used to trigger an alarm whenever one of these documents is being opened. So, for example, you would leave documents on your network that have enticing names like business proposals or passwords and the like, and then you're setting up a web server that will send you an alarm whenever that web bug inside this document is being triggered. So the web bug is just a little image that's, I guess, remotely hosted. And so whenever that file gets called for, that's what triggers the alarm? Correct.
Starting point is 00:18:51 That's what's happening. And that gives you a good indication that this particular workstation has been compromised. So this is not a technique that requires any specific malware techniques. It's really trying to detect an attacker that is already in your network, which of course is why you typically set up these hunt teams in order to identify attacks that already succeed to some extent and penetrate your network somewhat. The big advantage here is that you really shrink down the time it takes you to detect these attacks. You probably have seen these reports from Verizon
Starting point is 00:19:25 and others that it takes months for companies to detect attacks like this with techniques like this. This can often be shrunk down to days. I see. All right. Interesting information as always. Johannes Ulrich, thanks for joining us. Thank you. a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Thank you. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
