CyberWire Daily - WannaCry ransomware spreads via ShadowBrokers' dumped exploit. Necurs delivers Jaff ransomware. Fancy Bear spoofs NATO emails. President Trump's Executive Order on cybersecurity.
Episode Date: May 12, 2017

In today's podcast, we hear about the long-expected US Executive Order, with commentary from Politico's Eric Geller. It was signed yesterday, and gives prominence to the NIST Framework, DHS, and OMB. EternalBlue is used to spread WannaCry ransomware, and the UK's NHS is hard hit. Fancy Bear prances in NATO costume. US Intelligence Community leaders warn the Senate that the Russian cyber threat is large, growing, and not going away. The University of Maryland's Jonathan Katz explains some potential browser protocol vulnerabilities. And spamming celebrates its thirty-ninth birthday—no happy returns for you, spammers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The long-expected U.S. executive order is out, and Politico's Eric Geller provides analysis. EternalBlue is used to spread WannaCry ransomware, and the UK's NHS is hard hit. Fancy Bear prances in NATO costume. U.S. intelligence community leaders warn the Senate that the Russian cyber threat is large, growing, and not going away. And spamming celebrates its 39th birthday.

I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, May 12, 2017.
U.S. President Trump signed his long-anticipated executive order on cybersecurity yesterday, and we'll have some notes and an interview on that one later. In the meantime, there are other breaking stories worth your attention.

There's some new fallout, apparently, from the Shadow Brokers' last dump of tools. A strain of ransomware, WannaCry, is spreading rapidly via the EternalBlue tool the brokers dumped, which they claim they got in some unspecified fashion from the US NSA. Researchers at security firm Avast tell Forbes that they've recorded 36,000 variants of WannaCry today. MalwareHunterTeam counts 12 affected countries and says that Russia has been hardest hit, with Spain and China placing and showing. EternalBlue is an access tool that abuses the network file-sharing protocol SMB, Server Message Block, to exploit a now-patched Microsoft vulnerability, MS17-010. The exploit isn't ransomware itself, but is being used to deliver WannaCry to its targets. Flashpoint noticed at the end of April an upwelling of chatter in Russian cybercrime fora concerning ways of using the Shadow Brokers' dumps. It would appear this is one use someone's found for them. As so often happens, the medical sector is being hard hit. Sixteen National Health Service facilities in the United Kingdom have reported infection. In some cases, this has caused wards to close and staff to be sent home.
WannaCry isn't the only development in ransomware. Jaff, a strain of malware that looks a lot like Son of Locky, is now reported to be spreading via Necurs. It's asking for $3,700 from its victims. As always, it's better to back up than to pay.
While WannaCry seems likely to be predominantly a criminal action, there are reports of state-sponsored activity today as well. Romania's Ministry of Foreign Affairs is said to be among the diplomatic organizations and missions across Europe being phished by Fancy Bear, APT28, or Russia's GRU. The phishing emails spoof NATO addresses and seek to induce the unwary to download a remote-access Trojan that FireEye researchers are calling GameFish. Romanian authorities haven't commented, but NATO, while declining to say anything about this particular episode, says it comes under attack all the time and that spoofed emails are no novelty.

Part of the reason the hacking of En Marche emails, also attributed to Fancy Bear, didn't have the kind of malign effect seen in the earlier attacks against the U.S. Democratic National Committee is that the hackers had less time to establish themselves, but a bigger part of the failure seems due to the Macron campaign's early and active mitigation efforts.

The U.S. Directors of Central Intelligence and National Intelligence tell Congress that rising Russian assertiveness, activity, and influence in cyberspace is an enduring and growing threat. Senator McCain regrets that U.S. preparations seem unequal to that threat and excoriates the current national state of readiness.
U.S. President Trump yesterday signed his long-anticipated executive order on cybersecurity. Its sections address cybersecurity of federal networks, cybersecurity of critical infrastructure, and cybersecurity for the nation. It's a federal government-centric order whose recurring themes are IT modernization and rationalization, including more shared services and use of the cloud, an emphasis on resilience, and an assertion that henceforth agency heads will be held accountable for the security of the organizations they lead. It mandates use of the NIST framework across the federal government and places a strong emphasis on implementing sound risk management practices. It also calls for increased cyber deterrent capability. It's noteworthy that the two agencies singled out as responsible for assessing and reporting on federal cybersecurity are OMB, which handles fiscal management and so could be expected to address the sought-after efficiencies of IT modernization and consolidation, and DHS, responsible for securing the .gov domain. Many of the executive order's elements are relatively uncontroversial and represent continuity more than they do a break with past policy or past aspirations. Reaction has been, of course, mixed but on balance positive. A little later in the show, Politico's Eric Geller joins us to review the order.
Sophos rather sourly notes, spam turned 39 last week. Sure, it's Jack Benny's permanent age, but it's also a reminder of how enduring an obvious threat vector is. So no happy returns of the day, spammers.
Finally, a correction on a story we ran earlier this week. On May 8th, we made note of the Fat Boy ransomware-as-a-service offering and how it uses the Big Mac Index to automatically set the price of the ransom depending on where you live. So far, so good. We went on to say that the Big Mac Index has nothing to do with the delicious multi-layered McDonald's hamburger of the same name. That was wrong. The Big Mac Index is indeed named for the burger. We do our best to get our facts straight, but from time to time we get it wrong, and we think it's important to let you know when we do, and make it right. Incidentally, I'm more of a Filet-O-Fish guy myself. Robble robble.
And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, I saw a story come by on InfoWorld about some HTTPS inspection tools that might weaken security. Let's start with some basics here, though. Can you just give us a quick overview of how HTTPS works and how that traffic can be inspected?

Yeah, so let me start with a very high-level overview of how HTTPS works. Basically, HTTPS is a protocol that allows a user to set up a secure connection with a server. And typically, this is done, let's just say, in two steps at a very high level. One step would be that the user will get an authentic copy of the server's public key. And then using that copy of the server's public key, there will be some interactive protocol that they run that allows the user and the server to set up the secure connection. Now, in the article you were talking about, what happened basically is that a third party was introduced into this mix. And what that third party did was basically sit in between the user and the server. And rather than having a connection directly between the user and the server, what you had instead was one connection between the user and this intermediary, and then a second connection between the intermediary and the server. So that meant that you had encrypted traffic going between the intermediary and the server. The intermediary would then decrypt it and inspect it, and then re-encrypt it and forward it back onto the client.

This sort of inspection is a pretty routine thing to happen within, like, for example, a corporate IT environment.

Yes, it could be set up in that way, right. What you would have is, say, a user was accessing some internet site from their computer at work, and rather than setting up a connection directly between themselves and the server, they would, say, set up a connection between a firewall, say, within the company, and then that firewall would act as the intermediary and allow the user to connect out to the server.

So in this particular story, there was sort of a degradation of the type of encryption that was used along the way?

Well, what happened in this particular case was that the encryption part was okay, but the intermediary was not doing a proper job of obtaining the legitimate copy of the server's public key. Typically, you can think of the fact that a user who was particularly paranoid, or even just if they were following good security practices, they might do several different things to validate the public key of the server. But in this particular case, apparently the intermediaries, these border gateways, or firewalls as they were, were not doing that appropriate validation. So then they ran the risk that the intermediary itself could be man-in-the-middled by an attacker, thereby reducing security for the end user.

All right. Interesting stuff. Jonathan Katz, thanks for joining us.
I'm pleased to welcome Eric Geller back to the Cyber Wire. He's the cybersecurity reporter for Politico Pro, where you can find his coverage of the just-released executive order on cybersecurity. Eric Geller, welcome back to the Cyber Wire.

Thank you for having me.

President Trump signed the executive order on cybersecurity yesterday. Let's start off, just give us an overview. What's in this executive order?

Well, it has three major components. It deals with securing federal networks. It deals with securing the critical infrastructure that powers basically all of our modern lives. And then it deals with international engagement, essentially building a more secure world for cyberspace. So a couple of the highlights that folks may want to know about, all agencies are now required to use the NIST cybersecurity framework, which is something that has been evangelized in the private sector, and pieces of it have made their way to various government agencies, but it has not been an outright requirement, so it now is. The Office of Management and Budget and the Secretary of Homeland Security are going to work on, essentially, every agency has to send them a report on how they're implementing the framework, how they're making cyber risk management choices. And OMB and DHS have to look at those and decide, are they good enough? And then what is the sort of executive branch-wide cyber picture? And they have to tell that to the president and give some recommendations for addressing that. So that is, I would say, the big piece on the IT modernization side. I should also say that the American Technology Council, headed by Jared Kushner, is going to put together a report on all the different considerations around moving to shared services, moving to one network across the entire executive branch. So that is going to be an ambitious effort for sure. And then, you know, the critical infrastructure, section two, that's kind of the other big thing. It requires essentially a study from DHS of current efforts to protect critical infrastructure, current efforts to work with the operators and what resources they might need and what capabilities the government doesn't yet have that it should have to protect, or I should say to help those companies protect their infrastructure. And they, again, they have to report to the president on what we could be doing better in that area. Then there's, you know, just kind of a smattering of other things, studying power outages, creating efforts to fight botnets, looking at the defense industrial base, cyber threats to the defense industrial base. And then you get into kind of the international area, which is deterrence, capacity building. The secretary of state has to submit a report on an international cyber strategy. It ends actually with something that I think is really interesting and important, which is workforce development, looking at different ways to train people better, education programs, apprenticeships, that kind of thing. There are a number of reports on what the U.S. is doing, what our foreign cyber peers are doing. The director of national intelligence has to prepare a report on basically what we can learn from how other countries are training their cyber workforces, because that is an issue on the horizon that a lot of people are very concerned about the U.S. falling short in that area. It really runs the gamut of a lot of the high-level cyber issues that are out there.

And so far, what have reactions been to the executive order?

Mostly positive. I have to say I've spoken to a number of former Obama cyber folks who say that this is really a vindication of what they did. There's no attempt here to roll back Obama efforts. Yesterday at the briefing, Tom Bossert, the Homeland Security Advisor, was asked. He said at one point that the previous administration dropped the ball, and he was asked to clarify, and he basically said, I think they didn't do enough. But really, this is just a continuation of everything that they have been doing. It moves the ball forward a little bit in terms of concrete steps, you know, reports that have to be written and that kind of thing. But there's nothing here that deviates from the Obama efforts. There really wasn't a lot of criticism. I will say that the main line of criticism that did exist was people saying they wanted more concrete action rather than just a series of reports. But this is very much a table-setting move for the Trump administration.

And speaking of action, are there any deadlines in the report? What kinds of timelines are set for some of the elements they want to implement?

Yeah, most of the reports are due within 60, 90 to 120 days. There is a report that is due in 240 days and a report, actually the State Department International Strategy Report is due within 45 days. So you're going to see, I think, over the next three or four months in particular, a lot of effort to move the ball forward on those reports.

What are you hearing in terms of people's take on the ability to actually implement some of the things that are outlined in this executive order?

A major challenge for them is going to be that they don't have people in a lot of the third, fourth tier positions, the subcabinet roles that are responsible for not only managing the career staffers who are doing these things, but also advocating for them and advocating for the priorities that come out of their work. So as an example, DHS has to look at critical infrastructure engagement. Career staffers are going to reach out to the critical infrastructure operators. They're going to talk to them. They're going to hear about essentially what they could be doing better. But without an assistant secretary for cybersecurity and communications and without a deputy undersecretary for cybersecurity and the National Protection and Programs Directorate, those are two very important roles for taking the information and going to the deputy secretary, the secretary, the National Security Council and saying, here's what we've learned. Here's what we need to do. So, you know, one problem here could be that the career officials put together their reports and they filter up to the deputy secretary and they make their way to the president. But the people who are supposed to be advocating for next steps aren't in place. They're not actually ready to say, OK, here's the report. Now here's what we've got to do about it.

Anything that struck you as being surprising or unexpected in the executive order?

I think what was most unexpected to me looking at the other executive orders in the Trump administration so far is that this is not very political. There's nothing in here that jumps out to you as suggesting an imminent court battle or anything like that. They even toned down the language in the botnet section to avoid specifically calling out the telecommunications industry to sort of make them a little bit happier, kind of appease them. That section is more general than it used to be. It doesn't say that they have a particular responsibility. So I think, you know, to step back and look at this order, it's a very technical, apolitical document. It is a reflection of how apolitical a lot of cybersecurity is. As you start delving into implementation, there are bureaucratic concerns. And so you could say there is office politics in the sense of who gets what money and all that. But this isn't a partisan area for the most part. It's not an area where Republicans and Democrats have fundamentally different visions. So what surprised me most is really how they were able to lean on the career staffers and put out a product that looks very different from a lot of the other executive orders in this administration so far.

All right, Eric Geller, thanks for joining us.
Thank you.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.