CyberWire Daily - WannaCry ransomware—a pandemic. Baijiu spyware in East Asia. APT32 seems to be spying for Vietnam. Al Qaeda calls to lone wolves. Influence operations and tactical operations. The long arm of the law reaches out to tech-support scammers.

Episode Date: May 15, 2017

In today's podcast we hear how WannaCry ransomware became a pandemic over the weekend. Johannes Ulrich joins us to help sort it out. A temporary lull is feared likely to be more temporary than most would like. Baijiu espionage malware is spreading through GeoCities. Another APT—APT32—is also devoted to espionage, apparently in alignment with the government of Vietnam. Bin Laden's son is working to inspire lone wolves. National authorities seek to draw influence operations lessons from the concluded French presidential campaign. Armies make tactical use of cyber operations. And there's a dragnet out for tech-support scammers.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout. That's joindelete.me.com slash N2K, code N2K. WannaCry ransomware became a pandemic over the weekend. Johannes Ulrich joins us to help sort it out. A temporary lull is feared likely to be more temporary than most would like. Baijiu espionage malware is spreading through GeoCities.
Starting point is 00:02:09 Another APT, APT32, is also devoted to espionage, apparently in alignment with the government of Vietnam. Bin Laden's son is working to inspire lone wolves. National authorities seek to draw influence operations lessons from the concluded French presidential campaign. Armies make tactical use of cyber operations. And there's a dragnet out for tech support scammers. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, May 15, 2017.
Starting point is 00:02:43 Today's leading news is the developing story of WannaCry ransomware, which broke out in the wild on Friday and has since become, effectively, a ransomware pandemic. WannaCry ransomware hit hard late last week, and enterprises worldwide are bracing for further waves of infestation. The hitherto obscure strain of ransomware propagated in worm-like fashion against systems running older Microsoft software. It exploited the vulnerability the Shadow Brokers leaked last month as the weaponized EternalBlue tool. Affected systems are running old and in some cases pirated versions of Microsoft operating systems,
Starting point is 00:03:20 specifically Windows XP, Windows 8, and Server 2003. The rate of infection has been very high, temporarily slowed by discovery and activation of a kill switch, but most observers expect renewed attack as the unknown controllers upgrade the malware. News of the incipient pandemic broke early Friday with initial reports mentioning infestations in a handful of countries. Early interest focused on the UK's National Health Service, several of whose facilities suffered disruptions serious enough to send staff home, reroute ambulances and impede patient care. Another early infestation hit Spanish telco Telefónica,
Starting point is 00:03:59 which took hasty and extensive emergency measures to contain WannaCry's spread. The number of affected countries rose steadily over the weekend until it reached presently reported levels of more than 150, which is close enough to everywhere as to make no difference. President Trump has directed Homeland Security Advisor Thomas Bossert to coordinate the U.S. government's response and organize the search for the responsible threat actors. In the United Kingdom, the National Cyber Security Centre is taking the lead,
Starting point is 00:04:28 and late yesterday the center warned that the threat was by no means over. Microsoft took the unusual step of issuing patches for software that's beyond end-of-life and are no longer supported. The fixes covered Windows XP, Windows 8, and Server 2003. Microsoft characterized the decision as one taken with a view to protecting their customers' ecosystem. We'll have more on WannaCry and its implications later in the show, when we speak with the SANS Institute's Johannes Ulrich. In the meantime, there is some news out of cyberspace that's unrelated to the ransomware pandemic.
Starting point is 00:05:03 Cylance reported Friday the discovery of Baijiu malware, which abuses a popular Japanese web hosting service and spreads through phishing. The phish bait is a subject line drawing upon sympathy for and interest in victims of a 2016 North Korean flood. Cylance researchers say Baijiu installs an espionage toolkit using the Typhoon Downloader through some back doors Cylance calls Lion Rock. Baijiu is evasive, and Cylance warns that appropriating GeoCities' free, high-bandwidth civilian infrastructure also helps Baijiu hide in plain sight
Starting point is 00:05:38 and signals a troubling new trend in attack techniques that is almost surely not restricted to Yahoo's GeoCities. The campaign appears to originate in East Asia, but beyond that, researchers are being circumspect concerning attribution. FireEye has warned of another ongoing cyber espionage effort, the activities of APT32, also known as Ocean Lotus. APT32 appears to be aligned with Vietnam's government, and its targets include Vietnamese dissidents,
Starting point is 00:06:08 foreign governments, and foreign corporations. The late Osama bin Laden's son, Hamza bin Laden, is competing with ISIS for jihadist mindshare. The younger bin Laden has taken to the Internet to advise those seeking martyrdom on how best to achieve it. The Qaeda leader's goal is inspiration. He's howling at the lone wolves out there online. Ukrainian soldiers are receiving hate messages via SMS from an unknown but probably Russia-aligned actor
Starting point is 00:06:38 exploiting vulnerabilities of 2G networks to man-in-the-middle attacks. As the hybrid war in eastern Ukraine continues, other nations' militaries are upgrading their own capabilities. Brazil's army is standing up its cyber defense command, and the Israel Defense Forces expect their computer service directorate to be entrusted with both defense and counterattack. In the United States, the army sends a clear signal that it's serious about the tactical use of cyberspace.
Starting point is 00:07:05 It's integrating cyber operations into its premier training establishment, the National Training Center at Fort Irwin, California. Finally, in some good news on cyber law enforcement, there's a global dragnet underway against tech support scammers. Seven men in Florida have already been scooped up, and more arrests are expected soon. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:07:52 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:08:24 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:09:10 In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts take a wild and surreal turn as she discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+. Cyber threats are evolving every second and staying ahead is more than just a challenge,
Starting point is 00:09:44 it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Joining me once again is Johannes Ulrich from SANS and also the Internet Storm Center Stormcast podcast. So as we record this, it's mid-morning Monday. In terms of the WannaCry ransomware, where do things stand?
Starting point is 00:10:37 Well, it really all started on Friday with this massive spread of this WannaCry worm. At this point, according to some of the online counters that track this particular infection, there are about 180,000 infected systems worldwide. Pretty much any country is infected at this point. What really helped us over the weekend was that the malware actually checks if a very particular domain is reachable, and it doesn't run if it's reachable. And luckily, that domain got registered relatively quickly towards the end of Friday and somewhat slowed down the spread of this particular malware. So are we seeing new variants hit the net this morning that can work around that limitation? There were a couple of variants that were reported over the weekend that, for example, made subtle changes to that domain
Starting point is 00:11:25 name, but they didn't really spread as far or as fast as the original. And we've seen reports from a variety of antivirus vendors saying that they're able to protect you against this. Yeah, antivirus will help in hindsight once they have a signature for it, of course. And now some antivirus vendors, they do have products that, for example, look for behavior like malware that encrypts files, like in this case. But really, what we're talking about here are the vulnerable systems. These are systems that really escape sort of any basic cyber hygiene, that haven't been patched for whatever reason, that may even be running old versions of Windows. So it's very possible that they don't run any up-to-date antivirus either. Yeah, we saw certainly over the weekend Microsoft being critical of the government for, as they described, you know, stockpiling
Starting point is 00:12:19 these sort of vulnerabilities. Any thoughts on Microsoft coming at NSA? Yeah, I can see where Microsoft is upset because they're really stuck with having to deal with the fallout here. They even released a patch for Windows XP on Friday, which was highly unusual given that Windows XP is now out of support for a couple of years. It would have been nice if the government would have shared these particular vulnerabilities ahead of time. Now, there is some indication that some sharing actually happened there, because the patch was actually released in March, about a month before this particular vulnerability was made public by the Shadow Broker group. So it's very possible that the government actually did share details about the
Starting point is 00:13:05 vulnerability before or after it became evident that the vulnerability would have been made public. And I've heard other people make the argument that is it really the government's responsibility for Microsoft's quality assurance of their products? That's certainly true too, but in general, it is considered sort of responsibility of a security researcher to notify the vendor of vulnerabilities. Now, this is really a tricky issue here, given that security researchers also put in quite a bit of work to find these vulnerabilities. So in some ways, they should be rewarded for it.
Starting point is 00:13:47 Bug bounty programs, of course, are a way to deal with this with security researchers. Not clear how this would work with government entities. And in terms of the bigger picture with the crypto wars, people are using this as ammunition, saying that the government says, trust us with your keys. This may be an example of ammunition to say, well, the government can't protect these zero days. Why should we trust them with backdoors to encryption? And that's exactly a good argument here, that these encryption backdoors will be leaked,
Starting point is 00:14:16 just like these exploits have been leaked in the past. So there's really no guarantee that the government is any good in sharing these kind of backdoor secrets. We heard this morning former Secretary of Homeland Security Michael Chertoff was on NPR, and he made an interesting point that countries like China, who are being particularly hard hit, they may be getting hit due to the amount of pirated software that they run. That's probably true in some ways that they're not as good in patching software because they're somewhat afraid that the software will be turned off if they're
Starting point is 00:14:51 patching because it is pirated. But these are also countries that often run just out-of-date systems, out-of-date hardware, because they can't afford the latest, greatest hardware that runs Windows 7, Windows 10. So that's also why you see more out-of-date systems and unpatched systems in these countries. And back to WannaCry, are people paying and are they getting their files back? There are some people paying. I haven't checked today yet, but over the weekend, there were about 100 people that paid according to the Bitcoin blockchain. It's not clear if they're getting their files back. Now, the process is rather manual and convoluted. You first have to pay. And then again, it's not really clear how much you have to pay because the exchange rate between US dollar and Bitcoin keeps changing. Then you have to actually contact the people behind this particular malware and have to tell them
Starting point is 00:15:48 that you paid and they will sort of manually issue you a recovery key. They post some business hours that are actually fairly limited during which you should contact them. Given all the pressure from law enforcement in this case, it's very possible that they'll actually disappear, given that they didn't really make an awful lot of money in this case. Yeah, perhaps they bit off
Starting point is 00:16:11 a little more than they could chew. Right. Johannes Ulrich, thanks as always for joining us. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. And that's the CyberWire. We are proudly produced in Maryland by our talented team
Starting point is 00:17:11 of editors and producers i'm dave bittner thanks for listening Thank you. and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
