CyberWire Daily - Recovering from NotPetya. State-actor seen behind wiper attack. Ukraine mulls criminal negligence charges. Documents behind US Congressional wariness of Kaspersky.
Episode Date: July 5, 2017

In today's podcast, we hear how affected enterprises are restoring services after last week's NotPetya pandemic. Maersk's experience prompts some introspection in the logistics sector. Ukraine prepares to charge ME Doc's maker with criminal negligence for allowing the infection to take hold. NotPetya tied to BlackEnergy and thence to a "state actor" (NATO's not saying it's Russia, but Ukraine is). Awais Rashid from Lancaster University looks at the anatomy of recent attacks. Haiyan Song from Splunk on a recent IDC report, “Investigation or Exasperation? The State of Security Operations.” FSB certificates allegedly express links between FSB and Kaspersky.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Affected enterprises are restoring services after last week's NotPetya pandemic. Maersk's experience prompts some introspection in the logistics sector. Ukraine prepares to charge ME Doc's maker with criminal negligence. NotPetya tied to BlackEnergy and thence to a "state actor." Awais Rashid from Lancaster University looks at the anatomy of recent attacks. Haiyan Song from Splunk on a recent IDC report. FSB certificates allegedly express links between FSB and Kaspersky.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 5th, 2017.

Yesterday marked the passage of the first week in the NotPetya disruptive malware pandemic. It's taken most affected enterprises, from Maersk to DLA Piper to Ukraine's banking systems, just about that amount of time to restore a tolerable level of service.
Maersk announced Monday that it was finally able to bring its major systems back online after sustaining a hit to global operations from the NotPetya wiper attack. Port services reopened Sunday, many of them using manual operations, and other aspects of recovery continue. The hit was substantial. Maersk, which is by no means an inattentive or poorly resourced outfit, is working through a six-day backlog. Among the ports that returned to operation in substantially manual mode are Gothenburg, Sweden, and the U.S. ports of Los Angeles, Mobile, and Port Elizabeth, all big cargo handlers.

The NotPetya attack and its effect on Maersk have led the shipping and logistics industry to some security introspection. Self-examination leads to uncomfortable insights. We heard from Lars Jensen of the maritime cybersecurity company CyberKeel, who summarized some of those insights as follows. Quote, "A top 20 carrier allows shippers using their e-commerce platform to use X as their password. A port terminal has a server running the access to their e-commerce tools which is so old that it can be readily taken over using tools one can download directly from the Internet. A top five carrier claims that the password 12345 is of medium strength. 10% of carriers and 20% of the sampled ports and terminals have still not patched the vulnerabilities related to the POODLE and Heartbleed cyber threats, which emerged more than two and a half years ago," end quote. Jensen also notes that the apparent ease with which the attack propagated laterally across infected networks is a disturbing indicator that security levels are generally too low for comfort.

Returning to Ukraine, where the infestation began, authorities are moving forward with their investigation. Police have seized servers belonging to Intellect Service, the small family-owned software outfit whose ME Doc tax accounting product appears to have been the initial source of NotPetya infestations. A high-ranking official in Ukraine's police unit charged with investigating cybercrime says that Intellect Service should expect criminal charges. Intellect Service, which says it's cooperating fully with the police, denies having anything to do with the attack and says their code was clean when they released it.
It seems fair to say that NATO's statement on the attack represents, at this point, consensus. NATO thinks the attack was the work of a state actor, but the Atlantic Alliance's Cooperative Cyber Defense Center of Excellence in Tallinn declines to say exactly which state that would be. The statement about the attack mentions in passing that cyber attacks with physical consequences could trigger NATO's Article 5, collective defense, but was silent on whether this would be one of those cases. Almost certainly not, but the statements do suggest the rough area where NATO will draw its Article 5 line, somewhere on the side of physical consequences.
The NotPetya attack on Ukraine, with either intentional or collateral damage throughout most of the rest of the world, has been tied more closely to Russian services as researchers at Kaspersky, ESET, and elsewhere find links to the BlackEnergy APT group. That APT has long been suspected of being a Russian cat's paw. In fairness to Kaspersky and ESET, neither draws that explicit conclusion, but Ukraine's government certainly has. They're convinced the incident is another shot in Moscow's hybrid war aimed at re-engulfing Ukraine.
It's probably safe to say that one thing we all wish we had more of is time. And when it comes to security investigations, time is of the essence. The folks at Splunk recently sponsored an IDC info brief titled "Investigation or Exasperation? The State of Security Operations." Haiyan Song is SVP and General Manager for Security Markets at Splunk.

You know, we always talk about the ideal situation: security needs to be proactive. Unfortunately, one of the things we've found is the security investment in tools and technology, even operations, 70% of the companies actually do that after a series of breaches. It's still good to do it, but I think it will be much better if we can take a proactive approach. And since we're in the security information and event management and analytics space, one of the interesting things we find is that 72% of US companies are not fully taking advantage of the capabilities. And in connection with, you know, the skill shortage, and the fact that we have to deal with a lot of sophisticated attacks, and that's morphing all the time. We also sort of surveyed around how people are using machine learning, like advanced data science technology, like machine learning. Certainly, we're still in a very early stage. 81% of U.S. companies are not at all or not extensively really leveraging that. That's interesting because for a lot of the new sophisticated attacks, you really cannot use known patterns and rules. You've got to really go look for anomalies, look for the baselining to start with, and use threat modeling to bring out some of the unknowns. That's really the biggest challenge for a lot of security operations.

There's still a lot of time that the security analysts have to invest to even just take care of or address one security incident or alert. Some of them will turn out to be real. You know, it's still days and hours. That's the granularity we're looking at. But for security, you know, in the computer world, minutes is long, let alone hours or days. 39% still sort of report that it takes on average two to four hours to resolve an incident. And we need to get them to minutes. And so investigation, forensics, and automation become really key in improving that stack.

That's Haiyan Song from Splunk. The report is called "Investigation or Exasperation? The State of Security Operations." You can find it on the Splunk website.
Two cryptocurrency services have come under attack, the Bithumb exchange and the client-side Ethereum wallet Classic Ether Wallet. Bithumb users lost both Bitcoin and Ethereum. Classic Ether Wallet's website was hijacked. Researchers at Sucuri have found a SQL injection flaw in a widely used WordPress plug-in, WordPress Statistics. Look to your blogs, bloggers.

Kaspersky, which has responded to U.S. congressional suspicions of its connections to Moscow by offering to show the U.S. its source code, remains under scrutiny. McClatchy is reporting on certificates Russia's FSB issued to the company that appear to associate it with an intelligence program. While connections among security companies and intelligence services are far from unusual, experts consulted by McClatchy think that the certificates appear, at the very least, to be odd ones and worth further scrutiny. The bear suspected of consorting with Kaspersky, by the way, would be Cozy Bear, not her sister Fancy. Russian authorities aren't happy with the suspicions and tell the U.S. to expect blowback. Maybe, the communications minister suggests, Russia will stop using Microsoft and Cisco products.
Joining me once again is Professor Awais Rashid. He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor, welcome back. You know, with this recent high-profile ransomware attack, of course, WannaCry and the disruption it did to the NHS in England, you wanted to talk some about the anatomy of attacks and sort of getting back to the basics.

Thank you very much for having me again. Indeed, I think the ransomware attack that disrupted many different systems across the world, but most notably the National Health Service in the UK, just simply demonstrates that what is effectively a fairly simple type of attack, in the sense that it's an attack that locks out your files and access to your disk, can disrupt one of the largest organizations in the world. And to look at the causes of this disruption, we need to really look back at the anatomy of an attack. And normally what would happen is that an attacker breaches the system, for example, through a weaponized document or a payload, which could come via a phishing attack or any other means to deliver it into the network. And then their goal tends to be to get some kind of a command and control infrastructure set up and also do lateral movement and move across the network. And what we can see in this case is that that has happened with relative ease, in the sense that, yes, we don't fully know what was the initial point of breach. But once the initial point of breach had been reached by the attacker, the attack moved very quickly, not only within a particular part of the organization, but across many, many National Health Service trusts across the country.

That leads to the very fundamental question as to how basic security practices can actually disrupt different types of attacks. And what we know in this case is that some of the systems were based on Windows XP, which is an outdated system and is not supported currently by Microsoft, but also that the particular vulnerability has been known since March, and patches were available, but they weren't applied. And that leads to the particular question about security investment, good security practices, and good security hygiene. But also another really fundamental thing, which I often teach my students on a regular basis, is that it's not only what you do to keep an attacker out. And in this case, clearly things could have been done by patching systems to at least make it harder for the attackers to breach the system. But also what happens once a breach has occurred, what kind of recovery plans are in place. And for a complex and highly critical organization such as the National Health Service, for it to be disrupted on a large scale for such a long period of time is a big, big problem. And one of the questions we have to ask is what kind of recovery plans were in place, what kind of backup systems were in place, and why did it take so long for the system to come back online? But equally, why was it so easy, in terms of what kind of network isolation was put in place or not, that made it possible for the attack to move laterally across the organization very, very quickly?

One of the things I've heard about these sorts of attacks, particularly when it comes to health care, and I'm not sure this was the case with NHS, is that sometimes restoring from backup can take more time than simply paying the ransom and having the files unlocked.

Yes, but that might be the case. But first of all, one would never condone paying the ransom for ransomware, because ultimately the attacker's motives are economic, and that simply plays into the attacker's motivation. But equally, in this case, a lot of these systems are not always set up with, for example, local files and so on. They're often delivered from a server. And we just do not know in this case what was the scale of the infection. For example, did the ransomware also lock sort of key servers within the organization that were delivering those files to the terminals? If you think about it, the ransomware is a fairly simple attack. Whatever vulnerability may have been exploited here, it is a fairly simple attack in that it simply encrypts your disk. And if you have effective backups and you can restore them quickly, then the attacker's purpose is defeated, because their purpose is to get money to unlock your data. But if you can restore your data fairly quickly, then their purpose is defeated. So I do think that an effective recovery plan in such cases is actually very, very important.

All right. Good information. Professor Awais Rashid, thanks for joining us.
And that's The CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.