CyberWire Daily - Steal first, encrypt later. Cobots at risk? Gangnam Industrial Style looks for industrial info. Rancor update. FISC takes FBI to the woodshed. Vlad the Updater.

Episode Date: December 18, 2019

More ransomware steals first, encrypts later. Are cobots vulnerable to novel forms of ransomware? Gangnam Industrial Style--the espionage campaign, not the K-pop dance number. Rancor is a persistent, well-resourced, and creative APT, but without much success to its credit. The Foreign Intelligence Surveillance Court takes the FBI to the woodshed. And, hey, maybe he’s really Vlad the Updater? Tom Etheridge from CrowdStrike on incident response speed and the 1-10-60 concept. Guest is Eli Sugarman from the Hewlett Foundation with the results of their CyberVisuals contest. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_18.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. More ransomware steals first and encrypts later. Are cobots vulnerable to novel forms of ransomware? Gangnam Industrial Style, the espionage campaign, not the K-pop dance number. Rancor is a persistent, well-resourced, and creative APT, but without much success to its credit.
Starting point is 00:02:13 The Foreign Intelligence Surveillance Court takes the FBI to the woodshed. And hey, maybe he's really Vlad the Updater. From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Wednesday, December 18th, 2019. Ransomware attacks continue to exhibit the criminal gangs' recent propensity for stealing data before they take the information hostage by encrypting it. A Canadian clinical laboratory firm, LifeLabs, was attacked back in October, and data about some 15 million patients were exposed in the course of the attack. The data the hackers gained access to included names, addresses, emails, logins, passwords, dates of birth, and health card numbers.
Starting point is 00:03:01 A much smaller subset of patients than the 15 million total also had their lab results exposed. That tally amounted to about 85,000, a relatively small fraction of those affected, but considered in absolute terms still a troublingly large number. Data exposed was older, dating to 2016 and earlier, but the breach is still a matter of concern. Most of the people whose PII were accessed are from British Columbia and Ontario. May they be on their guard against identity theft. LifeLab said that it engaged a security firm to help with forensics and recovery. It also said that it paid the attackers ransom in order to recover access to their files. But that, of course, doesn't restore the privacy of the data that the extortionists took.
Starting point is 00:03:47 Once the bad guys have seen the data, they're gone, baby, gone. There's also another front to worry about in the struggle against ransomware, industrial robots. This one is a demonstration and not something that's been seen in the wild, but the demonstration is instructive. Alias Robotics has published a paper describing a method of infecting cobots, that is, collaborating robots used in manufacturing processes, with ransomware that locks them down until the victims pay the attackers to unlock them. The proof of concept, which Alias calls Akerbeltz, after a protective animal in Basque folklore,
Starting point is 00:04:26 would affect Universal Robots' UR3, a widely used cobot. Alias hasn't released the code since it wishes to warn and not arm criminal gangs. Speaking of industrial cybersecurity, CyberX researchers have described a cyber espionage campaign that's evidently designed to steal sensitive data, especially design information, from manufacturers. CyberX calls it Gangnam Industrial Style in homage to the K-pop dance sensation and in recognition that South Korean manufacturers have been most heavily hit. Some 60% of the victims have been located in the Republic of Korea. Other countries affected include, in rough order of the attention they received from the APT, Thailand, China, Japan,
Starting point is 00:05:12 Indonesia, Turkey, Ecuador, Germany, and the United Kingdom. CyberX offers no attribution, contenting itself with the good work of describing the attack techniques and tactics. One might conjecture that the countries affected by Gangnam Industrial Style should be ruled out, but of course there's not only the possibility of misdirection, but of an attack slopping over to inflict domestic collateral damage. The attack proceeds by spear phishing. The emails are plausibly baited with files representing themselves as, for example, requests for quotations, that's RFQs if
Starting point is 00:05:46 you're one of the unfortunates to have purchase authority, or simply as inquiries from buyers. The most common hook is the malicious attachment's payload, normally SEPAR malware. SEPAR both harvests credentials and searches for files of interest. The attackers may be after trade secrets in a conventional industrial espionage effort, or they may be looking for industrial system vulnerabilities that could be targeted in subsequent attacks. Both objectives are disturbing, but the second one is positively alarming. Consider the three payloads CyberX offers as examples of what they found. An RFQ for designing a power plant in the Czech Republic, which appears to have been sent by an Quote, Or this one.
Starting point is 00:07:00 Or this, an email purporting to be from a buyer at a major European engineering company that designs gas processing and production plants. Whoever's behind Gangnam Industrial Style is taking a close interest in energy infrastructure. Earlier this year, we spoke with the Hewlett Foundation's Eli Sugarman about their Cyber Visuals Initiative, an effort to bring fresh ideas to communicating concepts related to cybersecurity. Since then, the call to artists went out, the submissions came in, and the winners were selected. Eli Sugarman is back to share the results.
Starting point is 00:07:38 We had never done a competition like this before, and so we were a bit new to it and thankfully had OpenIDEO to be our guides. And so we launched the competition, put out information, did information sessions, publicized it and got a lot of interest. You know, we had over 100 artists submit ideas. And then there are sort of, you know, two phases of review once the deadline was met. And so the first review was sort of taking the hundred and change submissions and sort of portfolios, if you will, and reviewing them with a panel of experts. And we had artists from all over the world, from the UK to the US to India to South America. And then sort of round two was then letting those artists refine their work and submit any final additions. And then we had a different jury sit down and judge those finalists to choose the five winners.
Starting point is 00:08:30 Yeah, it's also, I think, noteworthy that none of these fell into what I would consider to be the common sort of cliches and traps that we see with so much of the imagery having to do with cybersecurity. I mean, there's not a hoodie in the bunch. And that was exactly our goal that we are like you fed up about, fed up by those tropes of hoodies, matrix style ones and zeros, um, locks and shields and medieval defensive, you know, I don't know, whatever. And that was moats. Castles and moats, yeah. And that was actually one of the core tenets here was we just, so it's hard, right? When you're like, I know I don't like what exists, but I don't know what the better options are because Eli Sugarman is not a visual designer.
Starting point is 00:09:15 And so it was really neat to see the creative juices flow to see what folks came up with, which is, as you pointed out, radically different from the existing visual landscape. And we're very excited by that. Now, I know that one of your hopes is that this is the beginning of a conversation. The awarding of these prizes is not the conclusion of something, but that this is going to lead to other things. And where are you looking for this to go from here? Well, what we hope to accomplish is just to show that it's possible that with some resources and guidance, there are talented visual designers who want to do better and want to experiment and create a new visual language for cybersecurity. And so what we're
Starting point is 00:09:55 hoping to see is people both to use the images that were created to evolve them and build off them because the Creative Commons license allows for that. You can take that image, you can then change it, and then it becomes something different. So long as you attribute the original image to the artist, you don't have to pay them anything. It's free, right? It's now a public good. And so we're hoping those are a few ways folks can sort of like evolve it and take the next step. Why is it important for you and your team there at the Hewlett Foundation to support these types of initiatives? Our approach to cybersecurity grant making is building a field. And so we think that as digital technology is spread across society, you need longer term rigorous thinking about how to maximize
Starting point is 00:10:34 the benefits and minimize the harms. And you need people with a mix of technical and non-technical skills to really do that. Like there aren't technical panacea. It's not just a legal question, right? And so, But that field of people, those institutions, those universities, those think tanks, the policymakers they talk to, the C-suite leaders are struggling to talk about these issues in a really in-depth, sophisticated way. We don't even have the words right in the sense that we don't have agreed upon definitions. But beyond that, to really get through to non-experts, you need to tell stories and show things visually. And so we think that
Starting point is 00:11:06 this repository of images is just one small step towards building the ability to do that. That's the Hewlett Foundation's Eli Sugarman. If you want to see the winning submissions, just do a search for Hewlett Foundation cyber visuals. The U.S. Foreign Intelligence Surveillance Court, in an unusual public order, has starchily directed the FBI to give an account of what it was doing when it requested FISA surveillance authority over Trump advisor Carter Page. The New York Times has called the Justice Inspector General's report on Crossfire Hurricane damning. The presiding judge, Rosemary M. Collyer, wrote in the order, quote, She gave the Bureau until January 10th to return a list of positive steps it intends to take to ensure that it will henceforth, quote, provide complete
Starting point is 00:12:12 and accurate information in every filing, end quote. The FBI has said that it accepted the Inspector General's findings in the investigation of Crossfire Hurricane and that the Bureau's Director Wray has already ordered more than 40 corrective measures to tighten up its FISA procedures. A broader IG investigation is in the offing, the Washington Post reports. And finally, we mentioned yesterday reports that Russian President Putin is still running Windows XP in his office and in his residence, XP being the last version of Windows the Russian organs authorized, before moving in earnest toward software autarky. But wait! Forbes sees wheels within wheels here, and points out that the pictures of Mr. Putin at work may well be
Starting point is 00:12:57 deceptive, an instance of what the Russians call maskirovka. That sounds pretty scary, but it's a common term in the Russian military lexicon that covers what the Americans would call camouflage and deception. Camouflage is doing something like putting leaves in your hat. Deception would be using phony radio traffic to deceive the enemy about your order of battle. So consider, suppose you were being photographed in your workplace and you realize to your horror that your much-treasured but still sort of embarrassing Nickelback fan poster was visible in the background. So you ask the friendly photojournalist to Photoshop something else over the top of it. To your relief, she agrees, and your picture appears with, say, the Prussian Academy version of the collected works of Immanuel Kant in the background.
Starting point is 00:13:50 In this case, Forbes darkly speculates, something similar may be afoot. Maybe the Russians just want everybody to think they're still running Windows XP on the President's machines, when in fact they're really quite up to date with the latest homegrown OS. It's a riddle, wrapped in a mystery, inside an enigma. Still, Santa, consider sending Mr. Putin that Best Buy card. And our hats off to Forbes for referring to the Russian president as Vlad the Updater. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Starting point is 00:14:27 Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:15:02 we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC.
Starting point is 00:15:37 Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over
Starting point is 00:16:23 one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Tom Etheridge. He's the VP of Services at CrowdStrike. Tom, it's always great to have you back. We wanted to touch today on this notion of need for speed, breakout time, and something that you all refer to as the 1-10-60 concept. Can you take us through what are we talking about here today? Excellent, Dave. Thanks again for having me. It's great to be here. The concept of 1-10-60 really is a benchmark metric for understanding the effectiveness of an organization in being able to detect, investigate, and remediate an attack from happening in their environment. And this 1-10-60 rule really is defined, as we see it,
Starting point is 00:17:27 as the ability to detect in a minute, investigate in 10 minutes or less, and be able to remediate the attack in less than an hour. And why is this important? This is important because another metric that we measure, breakout time, is the amount of time it takes an attacker from their initial entry point into a customer's network or environment until the time that they're able to move to a target or move laterally in a customer's environment. And what we see in the metrics that we track is that well-funded, advanced nation state and e-crime threat actors typically move quickly. On average, it's about an hour and 58 minutes, which is a really tight window for organizations to be able to detect, triage, and remediate that issue from becoming a bigger issue. And that's the importance of 1-10-60. We've reported in our global threat report last year, some of the metrics around advanced nation state adversaries like Russian nation state actors or bears, as we refer to them, can move in some cases in less than 20 minutes, 18 minutes and 49 seconds to be factual. Nation states that we call Chollimas, they're the next fastest threat actor group that we're tracking. Their movements typically from breakout time is
Starting point is 00:18:53 around two hours, 20 minutes and 13 seconds. So the ability to be able to detect, triage and understand what's going on with a threat that's in your environment and to be able to remediate it before the threat actor has the opportunity to move to parts of the environment, hide or deploy additional tools that provide access or exfiltration capabilities is really important for customers to understand and try to strive to meet that metric. Can you give me some insights here? Because I would say my first reaction to the notion of 1-10-60, particularly that one of, you know, being able to respond within a minute. I mean, how much of this by necessity happens through automation
Starting point is 00:19:39 and how much is actual humans who have eyes on the situation? The one thing, Dave, that's getting better with organizations is the advancement of the tooling. Endpoint technologies such as CrowdStrike Falcon provide for advanced EDR capabilities where we're able to leverage artificial intelligence, data at scale. That gives us crisper visibility quicker into what's really going on in a customer's environment. So prevention with some of these new tools is getting better. The real shortcoming is around the ability to understand that a threat is actually occurring in the environment. What type of threat is it? Who might the threat actor be? What are their motivations? What information are they trying to glean from their access? Are they trying to monetize their access or simply exfiltrate data from a customer's environment?
Starting point is 00:20:35 So being able to triage that very quickly, having great intelligence capabilities, good, strong analysts that understand what these threat actors are motivated by. And really, I should say, understanding your own environment and what would motivate an attacker to actually access your environment. And then the last piece of this, which is the remediation capabilities. This is an area that is certainly lacking for many organizations, understanding what's going on, but being able to stop it. Really, those are some of the key elements of the 1-10-60 rule and some of the services that we offer. And certainly our technology is being built and designed to provide better controls and
Starting point is 00:21:16 better ability to respond to and remediate these breaches from happening in a client environment. Tom Etheridge, thanks for joining us. Thank you. Very welcome. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
Starting point is 00:21:42 a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you
Starting point is 00:22:34 informed. Listen for us on your Alexa smart speaker too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:23:36 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
