CyberWire Daily - Refined Kitten paws at ICS. Debunking BlueKeep rumors. FBI warns Detroit of cyber threats. The UN’s long deliberation over cybercrime. Cryptowars. 5G security and a 5G czar. Ransomware updates.
Episode Date: November 21, 2019

Refined Kitten seems to be up to something, perhaps in the control system world. Microsoft debunks claims about Teams, BlueKeep, and DoppelPaymer ransomware. The FBI warns the auto industry that it's attracting attackers' attention. A new attack technique, RIPlace, is described. Phineas Fisher's bounty, considered. The UN, the AG, and the course of the cryptowars. Does America need a 5G czar? And ransomware from Baton Rouge to Rouen. Michael Sechrist from BAH on third-party malware risks. Guest is Bill Connor from SonicWall with results from their Q3 Threat Data Report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Refined Kitten seems to be up to something, perhaps in the control system world.
Microsoft debunks claims about Teams, BlueKeep, and DoppelPaymer ransomware.
The FBI warns the auto industry that it's attracting attackers' attention.
A new attack technique, RIPlace, is described. Phineas Fisher's bounty considered. The UN,
the AG, and the course of the crypto wars. Does America need a 5G czar?
And ransomware all over Louisiana.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 21st, 2019.
Microsoft describes how Iran's APT33, also known as Elfin or Refined Kitten, is engaged in attacks against industrial control systems, Wired says.
Microsoft is presenting their findings today at the CyberwarCon event in Arlington, Virginia.
Essentially, Redmond believes it sees activity that suggests preliminary reconnaissance and battle space preparation by Refined Kitten.
Iran has mounted destructive attacks in the past, but the present activity suggests that, unlike Shamoon, which Iran turned loose on Saudi Aramco networks in 2012,
this one may be directed against industrial controls as opposed to IT systems.
Microsoft also rebutted claims that Microsoft Teams served as the vector for the DoppelPaymer
ransomware infestation
suffered earlier this month by some Spanish companies, ZDNet reports.
Redmond has also quashed rumors that the ransomware is being spread
via the BlueKeep vulnerability.
CNN has obtained a warning the FBI has quietly circulated within the auto industry,
warning that the U.S. automobile sector is at
heightened risk of cyberattack. The Bureau's warning didn't say who the bad actors were,
and it painted the threat with a fairly broad brush, noting that there was the possibility
of data breaches, persistence on company networks, and of course, ransomware.
May Detroit look to its defenses.
Nyotron today published the results of research into ransomware
that covers a newly discovered Windows file system attack technique
that allows attackers to encrypt files in a way that escapes detection
by most anti-ransomware products.
They call the technique RIPlace,
spelled so that the first three letters, R-I-P, are in capitals.
And they've also released a free tool that allows users to check their Windows systems
for susceptibility to the attack.
BugCrowd's CTO makes a glum prediction about Phineas Fisher's $100,000 offer
for anti-corporate hacktivist work.
He believes it will have some takers.
The purse is certainly large enough and some will be motivated to go for
it. That it was funded by stealing from bank accounts won't bother the bounty hunters much.
Firewall and security firm SonicWall recently published their third quarter threat data report
outlining some of the information they're gathering from their own sensors around the world.
Bill Connor is president and CEO at SonicWall.
I think the first observation is malware's down overall, but it's really gotten more nefarious,
as I said. It's more targeted. And let's just pick one of the big categories is ransomware.
Ransomware itself worldwide went down 5% through the first nine months of this year.
Even in the U.S., it went down 24%.
Germany, almost 80%.
U.K., it went up over 200%.
Now, it's interesting because while it's down over 20% in the U.S.,
as you can tell, it's gotten more targeted going after banks and
municipalities, hospitals. So what's happening is you see a lot of country states and you see a lot
of actors that are now taking ransomware. And when ransomware started maybe five years ago,
it was a couple of thousand dollars or $10,000 that they were looking to get.
Now it's hundreds of thousands of dollars, if not millions. And that is the nature of what's changed. They're going after higher, more focused targets with bigger liabilities associated with
it. Do you suspect that the attackers are growing more sophisticated? Is there an increase in their level of professionalism?
Yeah, that's 100% accurate, David. What's happening is because it's a bigger target
with more money at stake, they've gotten more sophisticated tools. And now you can go on the
dark web and have ransomware as a service, literally 24 by seven,
they, you go buy it for, you know, under a hundred bucks
and you can then target that however you would like
and at whom you would ever like.
And so it's really gotten more dangerous in terms of that.
And that's why the overall numbers
are a little bit misleading in terms of it.
Was there anything in this round of the report that you found particularly unexpected or
surprising? Well, I think there's several things that we've not talked about. One that I think
your listeners need to pay attention to is IoT. Everybody this holiday season thinking of
Thanksgiving and Christmas coming up,
a lot of gift gadgets going into homes, new phones, be it listening devices, you know,
the Siris and all the other different listening devices people are putting in their home.
And the problem with that and cameras and all those pieces, you need to be security and privacy aware. I think next year you'll see in 2020 increasingly those vehicles targeted.
So if you put it on your network, make sure you enable the security of that capability,
either with your home firewall or the encryption, or protect it so others just can't come in and work on your Wi-Fi and have access to your devices.
It goes with TVs as well.
Really take this season because, as we say in the report,
IoT is up 33% just in Q3 of this year.
And it is one of the fastest growing areas.
And the attack surface is incredibly large.
Don't think of it as just now IoT in the office with your thermometers
and office systems. Think of it now as a home target relative to that.
For many of us, our
families kind of rely on us to help recommend those high-tech products for the home. And maybe
it's also incumbent on us to help provide or ensure that when those things are purchased and installed, they're secure.
I think that's the key leave behind, Dave.
You know, when you had kids, I don't know if you've got kids,
but when they were younger, you used to get the toys, and the big thing was remembering to get the batteries, right?
Now the big thing is, hey, when you turn it on, when you plug it in,
when you put the app in, let's make sure the right security and privacy settings are set up.
And just go back and double check your router and your Wi-Fi in your home to make sure
you've got that encrypted so others just can't drive by and jump in there.
That's Bill Connor from SonicWall. They recently launched their third
quarter threat data report. The United Nations General Assembly will take its final vote on the
Russian-led proposal to establish a working group to develop international norms that would aid in
the suppression of cybercrime, computing reports. 36 human rights groups signed a letter opposing
the measure. The U.S. and most EU member states also object,
seeing nothing in the proposed norms that would do much to reduce cybercrime,
a great deal of which, some sourly observe, originates in Russia,
but that would do a lot to justify national control of Internet traffic.
But such throttling of civil society is probably,
from the point of view occupied by Russia and its co-sponsors,
which include China, North Korea, Cuba, Nicaragua, Venezuela, and Syria, a feature and not a bug.
In the light of this push in the UN and of calls for a balance between privacy and security,
end-to-end encryption seems likely to be the next bullseye on the back of big tech,
who may find themselves cast in the unlikely or at least recently unfamiliar role of paladins of civil liberties,
according to the New York Times.
Have encryption, we'll travel.
Many of the recent moves in the ongoing crypto wars, particularly in the West,
have been cast as moves designed to protect children from exploitation.
So, U.S. Attorney General Barr has called for technical means that would enable law enforcement
to find, track, and bag child abusers. And who could be opposed to that? Only child abusers,
right? Well, sure, but the objection is that undermining encryption weakens not only privacy,
but security itself. And so those on the other side of the crypto wars,
like the American Enterprise Institute, aren't buying it.
Not entirely, as much as they'd like to hold predators accountable, too.
Even the kids benefit from strong encryption.
Five U.S. senators have written Amazon to request an explanation
of the data handling and security practices of its smart doorbell subsidiary Ring.
There are privacy dimensions to their inquiry,
but the letter's focus is on national security.
The senators are particularly interested in Ring's potential
for exploitation by foreign intelligence services,
and they express particular interest in the access to Ring data
Amazon may have given the Ukrainian development teams it employs.
Some U.S. senators are arguing that 5G is a matter of such vital national importance
that there ought to be a federal 5G czar, The Washington Post reports. It's presented as a
kind of anticipatory Sputnik moment. You don't want the Chinese to get ahead of you here,
do you, Washington?
Absent such federal direction, the several states will no doubt continue to evolve their own regulatory regimes.
Among the first to do so is California.
The Golden State's Internet of Things security law was signed in September and goes into effect in January.
It's unclear how the law will be interpreted in the courts. Much will turn on how they unpack the requirement that connected devices have reasonable security,
HelpNet Security points out.
The bill does prohibit private parties from suing under the law.
That would be reserved to the California Attorney General,
city attorneys, county counsels, and district attorneys.
The state of Louisiana continues to recover
from the ransomware attack it sustained Monday.
Officials had hoped to have the Office of Motor Vehicles,
in particular, back online by noon yesterday,
but the recovery is proving more protracted
than they believed it would be.
OMV's website is back up, but not yet accepting transactions.
The state hopes to have the OMV offices up and
running sometime today. The Louisiana Office of Technology Services appears to be following a
deliberate plan as it brings state agencies back online. Criticality determines priority. Thus,
emergency services and payroll have been addressed first, with other functional areas to follow.
Ransomware, of course, is not just a Louisiana problem.
Their cousins across the Atlantic have recently taken a big ransomware hit.
Le Monde reports that the Rouen University Hospital Charles Nicolle was attacked with ransomware on November 18th
and is still working toward recovery.
One of the largest medical centers in northern France, Rouen CHU, has 2,500 beds and employs some 10,000 personnel.
About 6,000 of the hospital's computers are infested and offline.
The attack is serious and particularly dangerous.
Recent studies in the U.S. by Vanderbilt University and others suggest that there's a significant correlation between attacks on hospital networks and patient mortality rates, particularly deaths due to cardiac problems. May the patients in Rouen be safe,
and may the authorities collar those responsible for the attack.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by Michael Sechrist.
He's chief technologist at Booz Allen Hamilton. He leads their managed threat services intelligence team. Michael, it's always great to have you back. I wanted to touch today on third-party malware risks and some of the ways that you recommend.
What we're seeing is how to prevent against third party or critical suppliers that might provide access or have some sort of capability back into a command and control function or malware. There's plenty to do in order to protect and defend against that type of attack or that type of risk overall for an enterprise. A couple ideas and ways that we do that here is to focus the enterprise on profiling the connections that go back to the
vendors so that we have sort of an idea of what baseline and what good and normal look like,
and then able to profile against that as to what anomalous activity would be something you'd want to investigate further.
We do this also by evaluating network traffic on our managed threat service side through
full packet captures and other sort of passive out-of-band monitoring systems.
But in order to get a handle on what good looks like and what bad looks like, we need
to work closely with the enterprises and have that understanding with their vendors to know if this third party
is communicating in a potentially malicious or suspicious way.
I suppose part of this is the communication beyond the networked communication that you
have.
In other words, if you all detect something going on a couple links down the chain,
you need to be able to share that concern to everyone along that chain.
That's correct. Yeah, it's very important to kind of get at root cause analysis whenever you're
dealing in a potential incident and to know kind of how that potentially malicious event or incident
is, you know, they're kind of the chain of
communications is occurring that just reliant on a potentially an infected third party, or is it,
you know, leveraging some other potentially infected website or device that's reliant
somewhere else, you know, it's very important to get at root cause. It's very difficult to do that
when you're dealing with third parties, because again, it's potentially dealing with an event that came and is infecting another potential company.
So you're reliant on that information sharing capability.
And having that kind of that free flow set up, not just something that's potentially a one-off communication, but some back and forth with your critical suppliers or your third parties that you leverage is very important to establish up front.
Yeah, I suppose it's important that this whole process be collaborative and so that it doesn't fall into some mode of being adversarial.
Yeah, very important to not create a fear or a threatening, you know, base model for information sharing, but as something that's
proactive, that can also be transparent to other parties so that they can investigate and kind of
validate findings. That's very important to establishing sort of veracity in what you're
saying to not only those that might be internal at your company, but to others that know that
there was an incident and want to
best protect themselves from that happening to them.
How do you balance sharing the information that needs to be shared with these sorts of
things versus protecting your company's interests, your secrets, your methods, and so forth?
A good way to do that is one, I think, is to establish an intelligence program
that understands when to sanitize or scrub information that is potentially sensitive to
a company and to have those processes worked out prior to an event so that you're not scrambling
to figure out what to release in times of a crisis, but that you have
sort of a standard operating procedure in place to just do that, you know, routinely. So you got
to work out that kind of muscle memory early on. And that usually jumps from the form of not only
an intelligence program, but, you know, working through cyber exercises internally or with your
partners in a group format and kind of building out best practices from what you derive from those exercises.
All right. Well, Michael Sechrist, thanks for joining us.
Thanks so much.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's
why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.