CyberWire Daily - Shamoon is back, now with credentials for virtual desktops. Ukraine believes it was hacked again. Ransomware updates. Elections, investigations, and influence operations. The Pokemon threat?
Episode Date: January 11, 2017
In today's podcast we learn that Shamoon is back, and still a nasty piece of work. Ukraine's grid was hacked again last month, probably by the same people who did it at the end of 2015. A new strain of ransomware offers a tiered extortion model (and unfortunately pretty solid encryption). France and Britain prepare for Russian election hacking. Awais Rashid from Lancaster University outlines the human factors in cyber security. Limor Kessem from IBM Security discusses their recently released ransomware study. The debate over influence operations flares again in the US. And China still finds Pokemon threatening.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners: today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Shamoon is back and still a nasty piece of work.
Ukraine's grid was hacked again last month,
probably by the same people who did it at the end of 2015.
A new strain of ransomware offers a tiered extortion model and unfortunately pretty solid encryption.
France and Britain prepare for Russian election hacking, and, go figure, China's government still feels threatened by Pokemon.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 11, 2017.
Shamoon is back.
The destructive malware famous for having wiped some 30,000 Saudi Aramco computers in 2012
has been discovered circulating in a new variant.
Researchers at security company Palo Alto Networks say the targets this time around,
that is targets of attacks observed since November 2016, are again in Saudi Arabia,
but that this version of Shamoon appears to come equipped with stolen credentials for accessing virtual systems.
Notably, they've observed default credentials for Huawei's FusionCloud desktop virtualization solution.
They speculate that the accumulation of credentials is intended to lend greater destructive impact to the malware once it's employed.
The goal appears to be, as it was in 2012, the destruction of data and systems.
How Shamoon's controllers got the credentials remains under study.
Observers generally concluded that Shamoon, at least in the first go-round,
was an Iranian cyber weapon, unleashed perhaps in retaliation for Stuxnet.
The suspected attack on Ukraine's power grid around Kyiv last month has gained some confirmation this week.
The outage on December 17, 2016, appears to have been part of a larger campaign against
high-value targets in a variety of sectors,
including Ukraine's Ministry of Finance and the nation's railway.
The larger campaign seems to have begun on December 6.
Sources close to the investigation say the attack looks like the work of the same actors
who took down electrical service in December 2015.
Ukraine's government attributed that attack to Russian intelligence services.
The motivation this time is thought to be sabotage,
but sabotage possibly conducted as a rehearsal for some larger campaign.
The security firm Emsisoft, which has a long record of successful work against ransomware,
reports on a new variety they're calling Spora. Emsisoft calls Spora highly professional in both implementation and presentation,
and indeed the screenshots they provide show a nice, clean design.
Spora's developers are apparently Russian criminals,
as the ransom demand is composed in Russian,
but it's only fair to note that such evidence is circumstantial.
The extortion demand is relatively low, but it's
interesting in that you can buy tiers of service. You, were you a victim, could purchase restoration
of your files for just $30. They'll restore two files for free as a loss leader, but that won't
remove the ransomware. If you want that done, it will cost you another $20. And if you'd like
immunity from reinfection, that will run you $50.
You can buy all of these things as a package for the low, low price of $75.
They also offer a chat feature as a customer service,
and Emsisoft says that the hoods seem to reply fairly promptly.
Spora encrypts using a mix of RSA and AES.
Unfortunately, as Emsisoft observes, the developers managed to get their encryption right on the first try.
There's no known way of retrieving affected files without access to Spora's author's private key.
Emsisoft reiterates the tried-and-true advice that your best security is regular secure backup.
They also offer a behavioral blocking solution that can alert you to the presence of ransomware before it encrypts.
IBM Security recently released the results of a study on ransomware. Limor Kessem is an executive security advisor at IBM.
What we ended up finding out during the survey was actually pretty startling. All across the board, we found out there's definitely not enough awareness when it comes to ransomware. On the business side, there were only two out of three executives who knew about ransomware, where you would think it would be a lot more people who would be aware of such a threat that's been so rampant in these past few years. Also very interesting was that one in two businesses were affected by ransomware. So a lot of businesses have been seeing all kinds of damage from ransomware. And 70% of those hit with ransomware actually paid the criminal. 50% of the people who paid paid more than $10,000. And 20% of those who paid paid more than $40,000. So businesses have been paying a lot of money to criminals for pretty much nothing, for attacking them and having to recover from that attack eventually.
I found that statistic striking.
I mean, we hear quite often people say,
don't pay the ransomware people, that the best defense against this is good backups.
But that's not what the survey found.
Correct. So what we were wondering is how come businesses have been paying?
I mean, you would expect any business to have proper backup systems and, you know, they have a routine and they have business continuity and all that kind of stuff in place.
So it turns out that a lot of times, even if they did have backup data, there could be a few things that would happen.
One is that the criminals would actually find the backup data, even the backup server,
and over time, in a more targeted attack fashion, encrypt the data and make them pay for, let's say,
a business got encrypted for six months' worth of data. They really are in trouble, and they would
probably have to negotiate with the criminal. In other cases, the backups didn't work. So they had
backups, but for some reason, they weren't able to restore from them,
or maybe they weren't as up-to-date as they needed them to be.
In many cases, businesses didn't have an actual response plan in place. So when they were caught off guard with such an attack, they started having to speak to the criminals because they weren't sure how to act from there and what to do.
Having an incident response in place would be super important for businesses to be able to recover: to have, of course, within that response plan, the backups properly done, to have them disconnected from the live network, have them done frequently enough, but not connected directly to the live network, for criminals not to be able to reach those backups, or backup to, you know, a cloud service or other ways for them to make sure that their backups are going to be present, and also test them to make sure, yes, you can recover from an attack if ever that was to happen. And I think that there are success stories out there, you just don't hear about them that much. But businesses that do have a proper response in place, they can recover from a ransomware attack without having to pay the criminals.
That's Limor Kessem from IBM Security.
Louis Pasteur said it, and we'll say it again.
Fortune favors the prepared mind.
If you're planning to be down around Norfolk, Virginia this Groundhog Day,
take a look at our event sponsor RSAM's Lunch and Learn session on security incident response.
SANS instructor Alissa Torres and RSAM CISO Brian Timmerman will help you prepare your mind.
See the event tracker at thecyberwire.com for information.
Yesterday, Microsoft patched Edge, Office, and Windows in what was a relatively light patch Tuesday.
Light or not, patching is always important, so look to your systems.
European governments, especially France, Germany, and the UK, are looking to shore up election security in the face of the hacking and influence operations Russia mounted against voting in other countries, especially, of course, the U.S.
Foreign policy types have been observing that fiddling with elections is nothing new,
and those foreign policy types, old enough to have made their bones during the Cold War,
point out that both sides in that long struggle worked hard on all kinds of propaganda and influence.
Consideration of influence operations attracts new interest as The Guardian,
sourced largely by BuzzFeed, which in turn appears to have been largely sourced by 4chan,
reports rumors of compromise and collusion with Russia in President-elect Trump's campaign.
The media treat the rumors with cautious but interested skepticism. The President-elect
tweets that it's all fake news. The story is developing, but more slowly over the course of the day than it had last night.
And finally, those foreign policy types we mentioned before are commenting that lots of embassies are tweeting away to beat the band,
and they wonder what's up with that, since proper diplomacy used to be conducted in person, preferably in French.
Russian embassies appear to be particularly enthusiastic tweeters.
For some reason, their tweets are often marked by the unedifying image of Pepe the Frog.
Pepe is not, as one might think, a harmless, if poorly rendered and somewhat dissolute water Pokemon,
but rather forms part of various extremist memes we're happy to say we haven't had to come into close acquaintance with.
Speaking of Pokemon, Chinese authorities have reiterated their decision: Pokemon Go is a threat to state security.
Ash Ketchum, think twice before boarding that plane to Shanghai.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
Joining me once again is Professor Awais Rashid.
He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University.
Professor Rashid, you know, we talk a lot about automation.
We talk about the things
that the computers are doing, but I think it's pretty easy for us to overlook that the human
factor in all of this is really a critical part of it.
Indeed, and one of the things that we often overlook is that it is the humans who actually write the software that sits underneath all this infrastructure. So, for instance,
if you use mobile apps or you have Internet of Things devices, such as smart watches,
on your person in your home or your workplace, did you actually think about who developed the
software that drives these apps and devices? What was their understanding of cybersecurity?
How did they make decisions that impact the cybersecurity of the software that is within these systems, and how did they make those design choices?
Or, on the other hand, you might be someone who develops this software. Do you actually think
about how you make decisions about security within this software? What drives your design
choices? And at the moment, we really have very little understanding of this fundamental issue
as to how security decisions are made within the software development process and the developers
who are actually working on this software that is used by millions around the world.
How do they come to those decisions? What are the factors that affect them? For example,
the cost, the pressure to market, the features that customers
or the users might want. And this is something that needs to be explored in detail and something
that we will be doing within a research project that we will be starting within the next few
months.
Yeah, you know, I hear a lot of people talking about how rather than sort of bolting on security, we need to design it in from the outset.
Absolutely. We need to design it in from the outset. But the problem is more complex than that. If you are a programmer, what would you rather do? Let's say you are an app programmer and you
are wanting to push your app out to millions of people around the world. You're going to focus
on the functionality that will attract those people. And often, security can take a bit of a backseat because it is seen at times,
you know, rightly or wrongly, to get in the way. And one of the key things is we need to
understand the drivers that influence developers in their choices about security. In many ways,
we need to give them the right tools that don't mean that security, in not so many words, gets in the way. We need
to make sure that the way we want people to do secure programming works with them rather than
against them in the objectives they want to achieve from the software that they're developing.
Professor Awais Rashid, thanks for joining us.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals
to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire.
We are proudly produced in Maryland
by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.