CyberWire Daily - Spearphishing in industrial espionage. Ransomware gets more widespread, ruthless, and perfidious. The US Intelligence Community assures the Senate that the Russians hacked the DNC.

Episode Date: January 6, 2017

In today's podcast, we hear about a worldwide spearphishing attack against industries in 50 countries. Ransomware is already proving as much of a problem as predicted: exposed databases are hijacked in a turf war among extortion gangs, and KillDisk has now appeared in ransomware kits. Investment analysts wonder if Verizon's bid for Yahoo!'s core assets will go through. Ben Yelin from the University of Maryland Center for Health and Homeland Security discusses the IRS demanding info on some bitcoin users. FireEye's Tony Cole reviews their latest report on what to expect in 2017. The US Intelligence Community tells the Senate that, yes indeed, the Russians were hacking during the election. A full report is promised for next week.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer.
Starting point is 00:00:59 Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Starting point is 00:01:56 Reports say a worldwide spearphishing attack against industries in 50 countries is in progress. Ransomware is already proving as much of a problem as predicted. Exposed databases are hijacked in a turf war among extortion gangs. And KillDisk has now appeared in ransomware kits. The U.S. intelligence community tells the Senate that, yes, indeed, the Russians were hacking during the election. A full report is promised for next week. I'm Dave Bittner in Baltimore with your Cyber Wire summary and week in review for Friday,
Starting point is 00:02:40 January 6, 2017. Kaspersky Lab reports a globally coordinated cyber attack against some 500 companies in 50 countries. The campaign began in August 2016, made extensive use of spearphishing, and appears to have as its object industrial espionage. The targeted sectors are construction, engineering, electrical power distribution, and basic metals, or in this last case, smelting, as the report calls it. There's no attribution, at least not yet. Any number of thoughtful predictions for 2017 from Recorded Future and SurfWatch Labs, for example, have warned that ransomware, distributed denial-of-service attacks, and destructive attacks may be expected to worsen. Bleeping Computer warns that more MongoDB attacks are on the way. Database administrators should
Starting point is 00:03:22 look to their configurations. A group called Harakiri has been hijacking databases exposed on the internet without the elementary precaution of a password protecting their admin accounts. The attackers encrypt the database and demand that two-tenths of a bitcoin, about $200, be deposited in the criminals' bitcoin wallet. More than 8,500 victims have been hit since Bleeping Computer's first warning this Monday. Two copycats have joined in, according to researcher Victor Gevers, who, according to BBC reports,
Starting point is 00:03:54 is working for the Netherlands government. An actor calling itself owned is thought to have hijacked more than 900 databases. This crew is asking for half a Bitcoin, around $500. And another group calling themselves 070434162ASDF is believed to have attacked more than 700 MongoDB servers. This last gang asks for only 0.15 Bitcoin, or roughly $150, but they impose a 72-hour deadline and subject their victims to a sanctimonious lecture about digital hygiene. It seems that there's now a bit of cyber gangland turf war running over who gets to pwn MongoDB servers.
Starting point is 00:04:35 It's in the interest of all civilized people that all sides of the squabble should lose, so admins, please do look to your configurations. So ransomware seems to be growing riskier. The MongoDB hijackings ask for relatively low ransoms, but that's not the case with other extortion schemes being observed. KillDisk, the destructive malware BlackEnergy packaged in the December 2015 attacks on the power grid in western Ukraine, has been developed into a ransomware package. According to researchers at the security firm ESET, this variant infects both Linux and
Starting point is 00:05:09 Windows systems, not only encrypting files but rendering infected machines unbootable. The hoods behind the extortion are demanding 222 Bitcoin, between $210,000 and $250,000 depending on current rates, which by ransomware standards is very high. It gets worse. The crooks are sloppy and apparently not only won't, but can't let their victims recover files even after the ransom is paid. As the ESET post on their WeLiveSecurity blog puts it, quote,
Starting point is 00:05:45 Encryption keys generated on the affected host are neither saved locally nor sent to a C&C server. Let us emphasize that. The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware. End quote. So by no means pay up if you become a victim. You'll be out a quarter of a million or so, and you won't get your files back either. Please note that a Google search for KillDisk might lead you to believe that it's nothing more than a capable disk-wiping tool. Buyer beware, don't follow the links and stay away from KillDisk.
Starting point is 00:06:20 In the UK, there's an ongoing multi-stage ransomware campaign targeting schools. The first stage is a cold call to a school, in which the caller pretends to be from the Department of Education and asks for the headteacher's email addresses so the headteachers can receive a confidential form. They then send emails to those teachers with malicious documents attached. Once infected, files are locked and the criminals demand an 8,000-pound ransom. The ransomware threat is affecting the security market. Markets and Markets predicts a 16.3% compound annual growth rate in the market for ransomware defense, rising from $8.16 billion in 2016 to $17.36 billion in 2021. You may have heard something about the Americans saying that
Starting point is 00:07:08 the Russians were hacking away at political targets during the last election cycle. We're pretty sure we've heard something to that effect. Come on, we know you've heard about it. We've been talking about this since late spring. Anyway, the U.S. Senate held hearings yesterday on Russian election hacking. U.S. intelligence community leaders reaffirmed their conclusions that Russian services successfully targeted the Democratic National Committee. Eyebrows are being raised in the media over the FBI's apparent reliance on CrowdStrike's forensics in its investigation of the DNC hack, but such reliance is not really surprising. DNI Clapper promises a full report next week. Rumor has it the report will detail how WikiLeaks got DNC emails.
Starting point is 00:07:51 Rumor also has it that the tips came through cutouts, so WikiLeaks may in fact have sincere or at least plausible deniability of knowing that it was being fed by Fancy Bear. President Obama is said to have been briefed yesterday. President-elect Trump has been scheduled for a briefing today. The story is, as they say, developing. What they call in the news business highly placed officials who spoke on condition of anonymity are saying that the U.S. intelligence community knows exactly which Russian tipped off WikiLeaks. We hope those are good leaks,
Starting point is 00:08:23 not like the one about the Vermont power grid being hacked. Oh, and why are the high officials speaking on condition of anonymity? Because they're leaking highly classified information, says they. We don't know. We don't deal with that stuff because we're a family show. But it does
Starting point is 00:08:39 seem to us a good thing NISPOM applies to contractors or else those leakers would be in big trouble. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
Starting point is 00:09:23 like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:10:15 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. Joining me once again is Ben Yelin. He's a senior law and policy analyst from the University of Maryland Center for Health and Homeland Security. Ben, I saw an article come by in Ars Technica. The title of the article was IRS to Coinbase. Please identify active U.S. traders between 2013 and 2015.
Starting point is 00:11:00 Coinbase is a popular Bitcoin wallet service. Help us understand what's going on here. So the IRS actually generally has the right to request data through administrative requests. That's under the United States Code, Section 7602. The reason that this case is unique is that the IRS would not be requesting information on any individual or any individual that holds virtual currency. They're requesting information from every single user of this virtual wallet, this Coinbase system. So while the request itself isn't unusual, it's the breadth of the request that I think is going to cause a lot of concern among people who are protective of personal information and people who are civil liberties advocates. The IRS hasn't spoken publicly about this request. Coinbase, while they say that they
Starting point is 00:11:51 comply with all law enforcement administrative requests, have concerns about revealing the personal data of every single one of their users between 2013 and 2015. Granted, the IRS's requests seem to indicate that there was at least reasonable suspicion enough to get this sort of judicial order that people have been trying to hide income, hide virtual currency as income, even though that income counts as property for tax purposes. So I think it's the breadth of this search that has opened some eyes. It will be interesting to see whether the IRS is able to have this request granted by a court. What in general is the IRS's relationship with these kinds of virtual currencies? So the IRS has issued a ruling on virtual currencies that took place in 2014.
Starting point is 00:12:42 It held that virtual currencies count as income property for tax purposes. So they don't get any sort of special designation. Now, property for tax purposes is slightly different than pure monetary income. It's more akin to holding or obtaining something of significant monetary value than actually gaining the money itself. But again, that IRS ruling, this administrative ruling, is relatively new. So we've only had one full tax year under this holding. And I think a lot of the way that the IRS treats virtual currency will become more evident in the coming years.
Starting point is 00:13:25 Ben Yelin, thanks for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. My guest today is Tony Cole from FireEye, where he's Vice President and Global Government Chief Technology Officer. FireEye recently released a report titled Questions and Answers, the 2017 Security Landscape. Obviously, something at the top of mind for a lot of people is the new
Starting point is 00:14:31 administration coming to Washington. I think it's fair to say there's a certain amount of uncertainty coming along with that. What's the report's take on that situation? Well, it's very interesting. One thing we've seen a lot in the past, inside cyber and more outside than not, and that's the determination of many different adversaries at the nation state level and other places to actually go in and test, you know, the new administration's resolve in a number of different areas. Based on what's happened leading up to this election, we think that that's certainly a good possibility in 2017 as well, that we could see some nation states test the resolve of the U.S. administration in cyber and other areas. What are we expecting from Russia and China? More of the same from Russia. So they've been very, very clear, you know, with some of the attacks they've done over the last couple of years. We know they have a great capability. They're going to continue to actually test us, I think,
Starting point is 00:15:29 across the board and many of our allies as well. On the Chinese side, I think we're going to continue to see a shrinking public facing attack on the nation state side. So in more stealthy attacks taking place, you know, that are going to be hard to attribute directly back to the Chinese government. You mentioned in the overview of the report, one of the topics was what's next for less security mature regions. I'm intrigued by that. What do you mean by less mature regions? Yes, certainly. I spent a lot of time around the globe talking to governments and a lot of corporate organizations as well. And it's very clear to see that many of them don't even realize they're a target today.
Starting point is 00:16:13 So as those countries continue to grow and industrialize in this modern global economy, they become more and more of a target for nation states and organized crime to go after, while many of them today aren't mature enough in their security thought process to even realize that somebody is actually out there with these capabilities to go after them. So they don't think they have a problem yet. You know, obviously, that becomes very clear very quickly to them once they're shown that they're compromised. And I emphasize the point shown that they're compromised, because most of the time, they won't find it themselves. People often ask me, you know, who's the best out there today? And that's a very difficult question to answer because there's pockets of pretty decent. There's no pockets typically of excellence. And there's a lot of folks actually in the very,
Starting point is 00:17:00 very lower tier, you know, not doing what they need to do. So it's kind of hard to define that one as you look across the globe. I mean, I heard a good analogy many years ago, and you can be the fastest soccer player on your team. That doesn't mean your team's any good. As you were putting the report together, were there any things that stood out that were surprising? Yeah, I think a few. You know, one of the ones that did surprise me, the lack of awareness of many of the ICS system assets by security personnel tasked with protecting them. That's a big challenge. We need to work on the awareness piece for ICS as well as the user awareness, but that's a big challenge where they don't realize that they're a target and there are vulnerabilities
Starting point is 00:17:42 in those systems. And the fact that many of those systems are put in place for decades, you know, before they're depreciated out of the environment is a challenge as well, because many of those vulnerabilities will likely never get fixed. I guess the other piece probably was, you know, the very large uptick, you know, in ransomware attacks. And I think regardless of the efforts that law enforcement is working on globally in that area, that's going to be another area where it's going to continue to accelerate for 2017. Something that's a major concern in regions that aren't very mature in their security thinking and processes and tools yet. We have a continuing issue with not having enough personnel to fill the jobs, the cybersecurity jobs, certainly here in the United States. And we hear that around the world as well.
Starting point is 00:18:28 Do you think that situation is going to change for the better or for the worse coming into the new year? I think it's going to be worse. And that's not because there aren't great efforts underway. You know, the efforts here in the U.S. with the Information Assurance Schools of Excellence that NSA and now DHS as a partnership have created, many efforts like that in other nations around the globe now. However, the fact that there were so many different verticals around the globe that simply weren't aware of the security issue that hadn't done anything in this space. I think that the requirement for security expertise is going to far outstrip what we can generate. And I think that's going to drive further use of automation
Starting point is 00:19:13 and machine learning inside security environments for security mature organizations to solve some of these challenges. Because today, it's a continuous poaching game for the experts that are out there. So one organization steals them from another. So I think it's going to be really interesting. I would say one point that I think is going to be, I won't say fun because it's not fun, but interesting to watch is, you know, if you look at the attacks that happened, the Russian focused attacks against the DNC here in the U.S., you know, with upcoming elections in Europe, specifically in Germany, very soon. It's going to be interesting to see if Russia tries the same thing over there. I think the interesting part is everyone is aware of this now, you know,
Starting point is 00:19:56 immature countries out there around the globe. So it's going to be very interesting to watch to see if they still attempt to actually manipulate the election, knowing that the Germans and other countries as well with elections coming up are watching very closely their systems to see if they attempt it. So I think that's going to be fun to watch in 2017. It'll at least be interesting, and hopefully we'll push the Russians back on their heels a little bit in this space. That's Tony Cole from FireEye. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner.
Starting point is 00:20:40 Thanks for listening. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
