CyberWire Daily - Utility hack update. Surveillance tool proliferation. Exploit black market. Novel ransomware, old distro channel. Notes from the Global Cyber Innovation Summit.
Episode Date: May 3, 2019

That cyber incident that affected electrical utilities in the western United States seems to have been a denial-of-service attack. Concerns arise over potential proliferation of Chinese security service tools. Exploit blackmarketeer Volodya and some customers. The Retefe banking Trojan is back. Some new ransomware thinks it's the moving finger that writes, and, having written, moves on. And some cause for measured optimism at the Global Cyber Innovation Summit. Emily Wilson from Terbium Labs on the Dynamic Connections conference, hosted by General Dynamics. Guest is Joseph Carson from Thycotic on lessons he's learned (the hard way) on communications with the board. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_03.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash n2k code N2K at checkout. That's joindelete.me.com slash N2K, code N2K.
That cyber incident that affected electrical utilities in the western United States
seems to have been a denial of service attack.
Concerns arise over potential proliferation of Chinese security service tools,
exploit black marketeer Volodya and some customers, the Retefe banking trojan is back,
some new ransomware thinks it's the moving finger that writes and, having written,
moves on, and some cause for measured optimism at the Global Cyber Innovation Summit.
From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Friday, May 3, 2019.
U.S. federal authorities have been tight-lipped, as E&E News, which broke the story, puts it,
about a cyber incident affecting electrical utilities in three western states.
But they have said, according to TechCrunch, that the distributed denial-of-service attack
affected neither power generation nor distribution.
More is sure to emerge on the incident. We'll be following it closely.
Chinese security services are making effective use of
online surveillance domestically, particularly against its largely Muslim Uyghur population.
A New York Times op-ed fears the tools perfected in-country will proliferate internationally.
The exploit black marketeer known as Volodya or BuggiCorp continues to hawk malware to a rogues' gallery of bad guys.
ZDNet has a roundup of some of their activities and customers.
He seems in part a government contractor, as his clients include, according to Kaspersky, Sandcat, Fruity Armor and Fancy Bear.
Researchers at security firm Proofpoint say the Retefe banking trojan is back with some enhancements. The malware had faded last year, but it has reappeared on warning screens in 2019. In April, it returned to hit bank accounts mostly in Switzerland and Germany. Proofpoint calls out three major changes they're seeing in the current infestations of Retefe. First, it's now using Secure Tunnel instead of Tor for secure proxy redirection and command and control traffic.
Second, it's ditched its old intermediate loader for Smoke Loader.
And finally, third, it's abusing a shareware application, Convert PDF to Word Plus,
which it executes as a decoy.
Its actual loader is the similar-looking ConPDF to WordPlus driver.exe,
and that's a malicious executable.
Sophos tweeted that they may have discovered a novel ransomware strain,
possibly being delivered via Emotet.
The ransom note alludes to Belshazzar's feast.
Your defenses, quote, have been weighed, measured, and have been found wanting, end quote.
That's what the moving finger wrote.
It's what the moving finger always writes, the moving finger being a one-note kind of guy.
Anywho, the hoods behind this caper are effectively calling you Belshazzar, boss of the Neo-Babylonian Empire, which seems like a compliment. But no, you don't want that kind of compliment. Sophos promises to tweet more info as it becomes available.
The Global Cyber Innovation Summit concluded yesterday in Baltimore.
We'll have more detailed reports and upcoming issues of the CyberWire Daily News Brief.
Yesterday's highlights included some perspective on what creates crisis instability from cybersecurity and policy expert Richard Clarke. You get dangerous crisis instability when an aggressor concludes that they have a decisive advantage over the defenders. You're at risk, Clarke explained, when your opposition concludes that your defenses aren't credible. A number of speakers addressed concerns about data integrity or data provenance.
NSA's Rob Joyce warned that as governments increase their efforts
to impose national will in cyberspace,
data will come under correspondingly greater attack.
Data integrity is a problem that crosses a number of disparate kinds of activity.
There are obvious industrial control system security implications.
Can you trust the sensors to deliver ground truth about system conditions?
Healthcare data presents similar concerns.
The global financial system depends upon assets and transactions held and conducted in cyberspace.
It's not Goldfinger's world anymore.
If Goldfinger were to come out of retirement, heaven forbid,
he wouldn't bother trying to break into Fort Knox.
Big scores are to be sought elsewhere.
There's also an influence and information-operations dimension to data integrity.
If data come to be perceived as untrustworthy,
that loss of faith would erode public trust and confidence
in the institutions of both government and civil society.
This is a slow-motion problem with the potential to creep up on us unobserved.
It may be upon us before we realize we're being gradually boiled alive.
Amid the usual warnings one expects at a cybersecurity conference, however, we heard some surprising and distinctly encouraging notes at the Global Cyber Innovation Summit. Tenable's Amit Yoran says that they've seen a tremendous difference between the cyber-haves and the cyber-have-nots. It's possible to protect yourself today.
Richard Clarke had a similar observation about the possibility of successful defense, taking NotPetya as grounds for optimism. NotPetya was a Russian military action against Ukraine, but many companies around the world were collateral damage, and that damage was severe. But a lot of other companies deflected the attack, and these are the dogs that didn't bark. Existing technology properly applied can defend the corporate network, Clarke concluded.
We'll have more on the summit in subsequent
issues of the Cyber Wire. And the larger news also has some positive notes at week's end.
Ad fraud may cost businesses as much as $5.8 billion this year, as an Association of National
Advertisers study predicts, but that's actually the good news. It's down from $6.5 billion over the previous year.
Mixed news, but on balance more good than bad, comes from CrowdStrike,
which sees a drop in hacktivism's effectiveness even as hacktivism becomes more frequent.
Common hacktivist actions include website defacement and distributed denial of service,
which, when you think about it, are pretty small potatoes.
Russia's new autarkic internet, complete with isolation switch,
is now officially law, and many fear censorship.
What? Great Caesar's ghost! Stop the presses! Censorship in Russia?
Who could have seen that coming?
If only President Putin knew, he'd put a stop to it.
Wicked boyars lurking around the Kremlin again?
What? What's that you say? President Putin signed the law?
Oh, Vladimir Vladimirovich.
You're killing us, Smalls.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal
devices, home networks, and connected lives. Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Emily Wilson.
She's the VP of Research at Terbium Labs.
Emily, always great to have you back.
You recently attended a conference.
You wanted to share some details about what was going on there.
I recently got back from a conference called Dynamic Connections.
It was in Colorado this year, and it was hosted by General Dynamics Mission Systems.
It was interesting.
As someone who typically is spending time at security conferences,
tech conferences, fraud conferences, what I would call more standard industry conferences,
going and talking to people who are working in and around general dynamics and in and around
government and military operations, it was interesting to see what topics carried over
and what stood out as a little bit different. So what did you see
there? What's different in that government world? I think the main thing that's different is the
stakes are significantly higher. You know, we think about the bad things that would happen if
someone accessed your corporate network. But what if your corporate network is responsible for making sure that
military operatives are in the right place at the right time? What if the, you know, if you are,
if you're working on hardware, you want to make sure that your hardware is good and is going to
last for a long time. But what if your hardware needs to be in extreme temperatures or extreme
situations and has to be able to work correctly every single time. And there's no room for
failure. The stakes are too high. So certainly a different level of intensity, I think, in the
conversations, which is a little bit different from what you would hear, I think, traditionally
in the security industry. And so what did you bring home from that? How does some of that
information you gathered transfer to the work you're doing day to day?
There were two things that stood out to me that I came home and was telling my colleagues about.
One was a panel from one of the afternoon sessions looking at data regulation and privacy legislation, because these organizations face the same issues that we all do in the industry, needing to be compliant,
plus whatever other government or military standards
you might be working off of.
And there was one speaker in particular who said,
the trend is not compliance.
The trend is data privacy.
And the law that we see,
the compliance law that we see coming into place
is a trailing indicator for a big gap
in data privacy practices, and that we should be looking at data privacy and a little bit less at compliance because, as the speaker pointed out, you can be compliant and still be negligent with data. And so if you are only thinking as far as compliance, if you're only thinking as far as what do I do to not get in trouble, what do I do to not have to pay fines, and you're not thinking, am I doing the right thing, the broader-picture right thing for my customers or my employees?
Then you're still going to, in a lot of cases, end up with issues of negligence.
You're still going to fall short.
Interesting.
What else?
The other thing that I thought was interesting, I was in a cybersecurity session with a representative from McKinsey who had some data on security patent filings over the past few years and looking at patent filings as one way to measure how the trends in the industry are shifting and have been shifting.
And what's interesting to me was the highest volume of patent filings in recent years are actually around data security, which is an encouraging trend,
certainly given the kind of work that I do and the kind of work that underlies the work that we all do.
But it's an interesting measure.
We're seeing more people find new and interesting ways and really pursue better paths forward for data security based on technology evolution and based on an understanding, a different understanding of risk.
And I'm glad to hear it. I think we should be talking more about security and more about privacy.
I think that's an interesting insight because I think it's a common mistake that they intermingle security and privacy as if they're almost the same thing, and they're not.
They're not. There are different motivations behind them. There are different
incentives, depending on what kind of industry you're in and what kind of data you have.
And I would say there are also different beneficiaries. You know, there are different
beneficiaries of the results of this. There's a difference between trying to keep the data secure
and trying to keep your users' privacy protected.
But there is a difference between
a goal in keeping data secure
and building secure systems
and a goal in keeping data private
and building private systems.
We want to have both.
But if you only design with security in mind,
then we may end up with,
I think we've seen that we continue to end up with
data proliferation and data mining. You can say, I don't really care about privacy, but don't worry,
I'll keep it secure. We need to be thinking about both things. We need to be thinking about what
data do you actually need on your users to do the work that you do? What data is actually relevant?
How can you protect your users? Because protection isn't just security.
Protection is and has to be privacy.
All right, Emily Wilson, thanks for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
My guest today is Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic.
He joins us to share his story of a boardroom presentation gone wrong and how it served as a wake-up call for how security teams need to communicate
and consider their role within the overall organization.
So myself and the CISO, I was doing the penetration test myself,
and it was actually with a power station.
And some of the vulnerabilities we were finding were quite significant, at least to our viewpoint.
So myself and the CISO, we got down and we discussed about how we wanted to communicate, what things we thought were going to be important for the board to hear.
And really, one of the major things was that it was the budget review.
So the CISO had some plans and goals in order to get certain budget available for upcoming
strategic plans and projects and priorities that was for the following year.
So we got together and we looked through basically the vulnerability results we wanted to align
with technologies and solutions that we thought would reduce and mitigate those
problems. And we sat down and we basically got together our plan. We went through some of the
major items that we had identified and we put together a presentation and we communicated quite
strong in how we wanted to approach it. We came to an agreed conclusion and that was pretty much it.
And, you know, we'd set out how we wanted to position
those items to the board.
And how did the board react?
Not exactly to our expectation.
And we're actually quite shocked.
So one of the things was,
when we did the penetration test itself,
we'd find major vulnerabilities,
such as things like default passwords,
we'd find unpatched systems, we looked at human errors, supply chain integrity failures, and
background checks were not being processed. And when we went to the board
and we presented it, we went in and we were talking about cybersecurity,
we're talking about the human failures and threats, and the increased
landscape, and looking at other major
breaches that had occurred that same year.
We talked about fear of not doing something.
We talked about the importance of the solutions.
And we really went in basically going and talking about how it was important to invest
in the security solutions, how it was important to get this budget in order to really make
sure we had the right technologies in place.
And when we presented and right afterwards, the board said thank you, appreciate your
time and of course later after we finished that time, they go off and they convene to
have their discussions privately and then they come back and they present back to you
whether you got your accepted budget. So the time went past and we came back, the board
came and sat down. We were actually quite shocked because the board came back and they
said your budget request has been declined. We deemed the threats and the vulnerabilities
that you had raised as low risk, but we'd like to speak with you privately afterwards
and we were quite shocked. We thought we'd done an amazing job. We thought we'd presented very clearly the threats and very clearly, you know, the issues that you hear in the media and the news, and we thought without a doubt that our plan was going to get the right budget. You know, we were getting the attention of the board, the board was listening, and we thought this was the time where we'd really get the reaction and the budget in order to really make the needed improvements for the forthcoming year. Afterwards, the CEO and the CFO came down and we sat down, having a side meeting to talk about what happened, and I think this was the most important realization. It was when the CEO had said, your presentation was great.
You really conveyed the threat landscape.
But there was one major thing that was missing.
You never talked about how you're going to help the business.
And they said that we know how important cybersecurity is.
We know how important it is for the business to improve and invest in the right areas.
However, we really needed to work. And that's why we're having this conversation.
And for me, it was the best timing because when you get that scenario
and you get a CEO and a CFO coming and being so absolute, direct, and honest to you,
rather than just letting that meeting go and not getting what you needed,
we really sat down because they knew the importance
and they really wanted to be successful.
And they said to us, you know, when you come in,
you present just like everyone else has presented on the news
and when you're here at these events and all these executive briefings
that they've had before on the cyber threat landscape.
But they said, the most important thing was missing,
was how are you helping the business
be successful.
Every other presentation from the other businesses, whether it be engineering, innovation support,
and sales, they come in and they presented their business plan.
And we come in and presented fear.
What we really needed to understand was the return on investment.
How are you helping your peers be successful?
How are you helping them do their job? How are you helping us reduce the risk of the business? What is the cost of doing
something and what's the cost of doing nothing? What's the gap that we're having? Are we covered
with insurance? Do we have the ability to survive if we actually have such an attack that you talked
about? We need to be successful. We know how important it is, but we need you to approach
this in a different way. It needs to be a business first approach and it needs to be based on risk.
And it was a big realization for us. And actually, you know, when you realize that
this is what you needed to hear, this was the sizzle, getting the wake-up call that how we've
been communicating cybersecurity and threats to the executive team and to our peers for years has been the wrong approach.
And we really needed, and it was this wake-up call, it was this alarm bell ringing, that we realized that we needed to change our approach.
When you look back on that, thinking back, knowing what you know now, why do you suppose there was that gap from your side? Were the information you were
presenting, was the business case, did you consider it to be self-evident? What were you thinking?
It was more self-focused. We were focusing on what our needs were, not of what the business
needs were. We were focusing at the tools and the technologies that would help us do our job,
but we weren't aligning that with how it was helping our colleagues be successful.
The ultimate people who were actually protecting and making safer,
we had not considered their feedback and their input into our needs.
And this was the biggest gap.
The gap was that we were basically focusing on ourselves as a silo
and what we needed to do to be compliant with regulatory needs,
and as well as what we needed to be able to do to reduce the threats as we've seen it.
And what we realized was that for too many years,
we've been going down this technology-driven path.
And we've been seen as, you know, in the cybersecurity area and IT security,
we've been seen as the enforcers.
We've been going to employees and saying, this is how you need to be doing things, and no, you can't install that software because it has this risk, and you need to patch the systems, you need to change your passwords. We've been enforcers, and it's the time where we realized, when we had that meeting, that we were actually doing it the wrong way. We as the CISOs and security officers and security operations and admins, we need to be doing more listening. And one thing that we haven't been doing is listening
enough to our colleagues, to the other peers and other departments, to the employees and the
customers within the business that we're actually providing services to. We weren't listening to
the board. We were actually communicating and enforcing a message.
And what we realized was that it was more important for us to sit
and listen to an employee and ask them,
what is it exactly you're being measured on?
How can I help you be successful in your job?
How can I help you be more efficient?
How can I help you win and actually get your
bonus and be able to meet your metrics that you're measured on? And that's what we need to be doing.
And then looking at how we can actually add security into the existing job, rather than
saying to employees, don't click in these things, stop clicking in links, stop opening attachments,
because in many businesses, that's actually their job.
And we have to understand about, well, how can we make sure that since that is what they're doing,
how can we make sure they're doing it safely with reduced risk,
but at the same time making sure that they're able to stay productive?
And that's what we need to be changing going forward. So the CISO in 2019 needs to start doing more listening and, at the same time, outlining how we can help the business be successful.
That's Joseph Carson from Thycotic.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliot Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan,
Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.