CyberWire Daily - What's up with Petya/Nyetya/NotPetya? It's a wiper—the extortion is just misdirection. WikiLeaks dumps "OutlawCountry" from Vault7. The ShadowBrokers raise prices. Russia says boo to cybercrime.
Episode Date: June 30, 2017
In today's podcast we hear that Petya/Nyetya/NotPetya is almost certainly a wiper, and not ransomware after all. Ukraine blames Russia, but whoever did it had EternalBlue before the ShadowBrokers leaked it. WikiLeaks Vault7 disgorges OutlawCountry, a Linux attack tool. The ShadowBrokers raise their rates. Emily Wilson from Terbium Labs with research on fraud guides on the dark web. Guests are Drew Gidwani, Director of Analytics at ThreatConnect, and Andy Pendergast, VP of Product & Co-Founder at ThreatConnect, speaking about the findings of a recent SANS Survey on Security Optimization. Russia calls for international cooperation to stamp out cybercrime.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The jury's back, and Petya/Nyetya/NotPetya
is judged a wiper and not ransomware after all.
Judgment, of course, subject to reversal on appeal.
Ukraine blames Russia, but whoever done it had EternalBlue before the ShadowBrokers leaked it.
WikiLeaks Vault 7 disgorges OutlawCountry, a Linux attack tool.
The ShadowBrokers raise their rates.
Russia calls for international cooperation to stamp out cybercrime.
And Captain Louis is shocked, shocked that gambling is taking place at Rick's.
I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 30th, 2017.
Consensus has it that the Petya/Nyetya/NotPetya ransomware campaign isn't really ransomware at all,
but rather misdirection for a quieter campaign designed to install at least an information-stealing Trojan and perhaps other malware as well.
So if you've been infected, the trending advice from the security community is don't pay the ransom.
You won't get your files back that way.
It seems there hasn't been much of a gesture in the direction of file recovery,
so it's best to consider Petya/Nyetya/NotPetya a wiper.
The extortion screen is just razzle-dazzle, smoke and mirrors,
and pay no attention to the man behind that curtain.
The target of the campaign still looks like Ukraine,
the original locus of the infection,
but gaining access to systems worldwide is surely not an unwelcome side benefit.
Observers and investigators see a slow accumulation of circumstantial evidence
pointing to Russian security organs as the responsible parties.
One interesting development has come in from F-Secure.
Researchers at the security company believe they've found signs that EternalBlue,
the exploit used by both WannaCry and Petya/Nyetya/NotPetya,
and allegedly stolen by means unknown from NSA's Equation Group,
was incorporated into the current campaign's code some six months ago,
which is well before the ShadowBrokers released EternalBlue in April.
This suggests either a connection between the ShadowBrokers and the Petya controllers,
perhaps they're the same or working for the same people,
or that the controllers had independent access to the exploit.
In any case, more people who've looked at the malware think that Petya/Nyetya/NotPetya
has only a superficial connection with the original Petya,
which was indeed a classical instance of ransomware hawked by a hacker who went by Janus.
He took his name after a James Bond villain, not the Roman god
of doors and portals. Janus operated through much of 2016 before going dark in December.
He achieved a degree of easy, cheap-jack, Robin Hood-ish fame for the way in which he offered up
decryptors for competing strains of criminal ransomware. But Janus is now back and saying
he'd like to help with this newest, relatively distant descendant of his crimeware.
He tweeted his concern on Wednesday, saying he was examining the Petya/Nyetya/NotPetya code and suggesting that he wasn't responsible.
He probably wasn't.
The original Petya was a straightforward extortion and Janus was looking for cash.
This week's Petya/Nyetya/NotPetya controllers are almost certainly after
something else, probably staging spyware and doing battle space preparation for future attacks.
It's clearer now how the malware infected its initial victims. The threat actors got into the
patch server used by M.E.Doc, a Ukrainian software firm that makes a widely used tax accounting
product, a kind of Ukrainian TurboTax. Once
there, they installed the malware in such a fashion that any customer who downloaded an M.E.Doc
update got Petya/Nyetya/NotPetya instead. From there, the malware wormed itself across
various local area networks. So it seems fair to chalk Petya/Nyetya/NotPetya up to espionage and
hybrid warfare, not cybercrime.
Ukraine thinks the Russians did it, and they've called in international help, including Interpol
and the FBI, to help their security and intelligence organizations with the investigation.
To return to the EternalBlue exploit used in the campaign, this is in some ways a good news,
bad news story. The good news is that if you were patched and up to date,
you were probably not affected.
The bad news is that patching can be a lot harder than it sounds,
particularly in systems that touch indispensable legacy software.
If indeed EternalBlue is an NSA exploit that leaked into the wild,
and most, including Microsoft,
conclude that the ShadowBrokers are telling the truth,
at least on this count,
the big unanswered question is, how did the exploit leak?
So far, that's publicly unknown, and members of Congress are getting a bit restive about the matter,
asking NSA for a fuller accounting of the undisclosed exploits it holds and how it controls them.
That such controls are not bulletproof may be seen in the results of a Defense Department inspector general's report on NSA's self-protection against insider threats.
The study was prompted by the Snowden affair, and the results were mixed.
Privileged account management was found to be particularly loosey-goosey with work to be done.
WikiLeaks has opened Vault 7 again, this time with OutlawCountry.
They claim it's a CIA-developed tool for exploiting Linux systems.
The concentration on Linux suggests an interest in attacking servers.
And how about those ShadowBrokers, those speakers of Amrushlish?
They've declined with cheeky false modesty not to comment on Petya/Nyetya/NotPetya.
As they put it,
Another global cyber attack is fitting end
for first month of the ShadowBrokers dump service.
There is much the ShadowBrokers can be saying about this,
but what is point and having not already being said?
And what can we do but agree?
What indeed is point having not already been said?
They haven't yet made good on their promise
to expose an Equation Group operator
and tie him or her to American espionage against China, but the ShadowBrokers have doubled the price of
membership in their exploit-of-the-month club. It will now set you back $65,000 in Zcash or $46,000
in Monero. June sales of memberships did so well, the brokers claim, that the market practically
obliges them to charge more. They're also introducing a VIP service. We can't figure
out exactly what you get. Could it be that mint Mr. Bogachev missed on his Platinum Rewards hotel
pillow, we wonder? But whatever it is, it can be yours for a cool $130,000. So hop to it,
wealthy elite. Russia has called for an international crackdown on
cybercrime, to which one can only say, hey, yeah, sure, you're right, Mr. Peskov.
Stop me before I hack again, eh, Vlad? Next Tuesday, of course, is Independence Day in the
U.S., the day we observe and celebrate the Amexit of 1776. We'll publish the Week That Was, as usual, on Sunday,
and the CyberWire daily news briefing,
and post our daily podcast, as usual, on Monday.
But Tuesday will be a holiday for us.
Enjoy the 4th.
We'll be here Monday, and we'll be back, as usual, next Wednesday.
Joining me once again is Emily Wilson.
She's the Director of Analysis at Terbium Labs.
Emily, you and the folks over at Terbium recently published some research about online fraud guides. What can you share about that?
Yeah, so we've been looking at these fraud guides that are for sale on most of the major markets. These are the kinds of things that
really only appear on the major markets. You have effectively PDFs or Word documents that contain
either fairly sophisticated or fairly mundane instructions on how to defraud different institutions.
And this can be everything from here is exactly how, step by step, you find or create a false identity
and defraud this particular bank from this particular company for this particular kind of account
to here's how you get free pizza.
So really running the whole gamut of a little petty crime,
but all the way up to
fairly sophisticated things with big dollars. A very good example, I would say, of a way to
remind us that the dark web really is just another part of the internet. People can be very crafty,
people can be very clever, people can do very interesting or very creative things.
And then at the end of the day, people just want pizza.
So what kinds of prices are we talking about to buy a guide to do various types of fraud?
You'd be surprised at how inexpensive or expensive it can be. I know we saw a couple of outliers on the far end that were getting into the tens of thousands. I think we even saw one for hundreds
of thousands of dollars, something having to do with real estate. Either the vendor made a mistake putting the price in,
or I don't know what's in that guide. If you want to buy it and let me know, I'd be curious to hear.
Well, there's no way to know for sure that it's actually being sold at that price, right? Is there?
That's the price that's listed for the market listing. So really,
that's the transactional price.
You kind of pay that in Bitcoin if you want to be able to access it.
In terms of general pricing, though, these are fairly inexpensive.
You can buy individual guides for, you know, there are some that are available effectively for free for a couple of dollars.
You know, you can get some that range up to $40, $80, $100. And then in some cases, you know, a couple of the things that we bought for this research
were big packs of 200 or 500 guides for about $10.
Before we went on the air, you mentioned one particular one that was interesting about phishing.
Yes, so, you know, you're not surprised.
You have this big pack of how to defraud, right? Best fraud guide on whatever market.
And buried in these 200 or 500 PDFs, there's a guide on phishing.
Only it's not phishing.
It's fishing with an F.
It's how to catch kingfish.
It's a PDF about how to go out and catch large fish in the sea.
So I don't know if perhaps some machine learning gone bad and gathering it up,
or just maybe somebody who has a pretty good sense of humor. Yeah, no, I definitely appreciate the
advice. You know, I'm always looking for new hobbies. Never know. All right, Emily Wilson,
thanks for joining us.
Joining us to discuss the survey findings are Drew Gidwani, Director of Analytics, and Andy Pendergast,
VP of Product and Co-Founder. We begin with Drew Gidwani.
To do security better, and by that I mean the four primary functions of security, prevent,
detect, respond, and predict, you need to align your people, your processes, and your technology. You need to take down silos and data and workflow,
as well as interconnectivity between the different security products,
endpoint networks, et cetera, that enterprises typically deploy to be able to coordinate action across them.
You know, not having silos is just a prerequisite.
It adds some
efficiencies and capabilities that otherwise wouldn't be there inherently, but it also,
perhaps more importantly, is a prerequisite to enabling more advanced automation across
the technologies and better, for lack of a better term, better workflow across the teams.
And that should enable scale to better prevent, detect, respond, and predict against threats to the network,
to the business processes of the organization.
Why do you suppose that there's this tendency for different groups to end up in silos in the first place?
I believe it's part of the human condition.
As any system grows in complexity and size, including and especially human systems, you are going to have silos because roles are segmented.
People need to focus on one aspect of what they're doing, usually, especially as you get in larger areas.
You start wearing less hats and focusing on one hat, if maybe two.
And as that happens, communication typically becomes more sparse across those different functions.
To add to that, Dave, I would say that there's sort of a different evolutionary pace for some of the disciplines that we see across the security operations spectrum.
That's Andy Pendergast.
As some of these things have matured faster or they've been around for longer,
and certain buzzwords kind of hit critical mass at different times,
what we see is that, especially in our customers,
different parts of the organization grow, they get budget,
the talent pools that they can hire from are available at different times
and at different rates. And as a result, you see different levels of maturity and sophistication
for processes. And that's where the silos really start to get entrenched.
Take me through some of the key findings from the survey.
So I would say one of the biggest findings is that, kind of along the vein of silos that we
just discussed, it's really difficult to scale security operations
linearly with the size of a company. And what we find there is that if people are trying to stay
at the forefront of the functions that we talked about earlier, all of the detection, response,
prediction, they really need to find force multipliers at each stage. And again, we're
dealing with different groups with different skill sets,
different missions, and they may even be located geospatially on different continents.
And I think that the big takeaway is that when we start to see breakdowns in the scaling there,
we can also start to see there are major impacts to the risk posture or visibility across the organization. And it's pretty unilateral that as companies have had issues centralizing and automating,
they are starting to see a lot of these problems come to the forefront.
The survey does address the two major issues or two major challenges companies see with
scaling are lack of skills and lack of funding, right?
And those are two very hard problems to solve, right?
There are lots of initiatives, including SANS, which specializes in creating a better educated security workforce on many different levels and in many different skill sets.
So there are folks addressing those problems,
but I suspect that we're not going to
solve the skill gap anytime soon, you know, in the next five to 10 years, even as security becomes,
the demand for security becomes ever more present as we shift ever, ever more into the digital age.
And there are more and more threats out there and more and more surface area for attacks to occur.
So looking for force multipliers, as Drew suggested, is really kind of the focus of what we at ThreatConnect look to do
to try to either inform decisions with intelligence so that you can work smarter with less or allow your teams
to work better together with data from both inside the enterprise and outside the enterprise.
I think the most paramount ideal is that there needs to be kind of an organization-wide attitude.
There needs to be a mentality that's cultivated that the whole Intel lifecycle
is everyone's problem. And this really goes counter to the whole silo mentality that people
may inadvertently develop. We especially saw in our prior lives as analysts, there were times where
somebody would throw something over the fence and say, that's an incident response problem. I did my
job. And when you start to have those very discrete lines in the sand, it's very difficult
for people to break out of that mentality. It's very difficult for an organization to evolve
alongside the threats that they're facing. And along that line, I think executives need to
articulate a vision. That's really where the entire organization, down through management,
down to the individual analyst that's sitting there in the trenches all day doing the work,
everybody can use that as a rubric to guide their decision making.
And if everybody's on the same page with the vision,
then it naturally follows that collaboration can start to thrive there.
We've got all these moving targets, right?
We've got nascent disciplines.
We've got maturing technology.
And then, of course, the threats aren't exactly staying still on their own.
And so it comes down to those people having the tools, being equipped to do their job.
And then once you set them loose, there really needs to be a mindset of iteration.
We always talk about being better scientists.
We have to experiment. We have to try things.
We have to measure and see what's working and what's not so that we can refine these things,
because you're certainly not going to get it right on the first try.
Our thanks to Drew Gidwani and Andy Pendergast from ThreatConnect for joining us.
The SANS survey, Integrating Prevention, Detection, and Response Workflows: SANS Survey on Security Optimization, can be found on the SANS website.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.