In today's podcast, we hear that Ukraine's Energy Ministry is under ransomware attack. Kaspersky finds infrastructure belonging to Energetic Bear. Lots of anonymous Twitter accounts pop up in East Asia. Orangeworm is after something in healthcare networks, but whether it's IP or PII is unclear. Disclosure and patch notes. Kaspersky may be the subject of US sanctions. A hacker in the Yahoo! breach case could get almost eight years. As US midterms approach, thoughts turn to election security. Joe Carrigan from JHU ISI on devices that unlock iPhones. Guest is Jerry Caponera from Nehemiah Security on quantifying cyber risk.
Dave Bittner: [00:00:03:07] Ukraine's Energy Ministry is under ransomware attack. Kaspersky finds infrastructure belonging to Energetic Bear. Lots of anonymous Twitter accounts pop up in East Asia. Orangeworm is after something in healthcare networks, but whether it's IP or PII is unclear. We've got disclosure and patch notes. Kaspersky may be the subject of US sanctions. A hacker in the Yahoo! breach case could get almost eight years. And as midterms approach, thoughts turn to election security.
Dave Bittner: [00:00:39:00] Time to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it, the CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings but it's nearly impossible to collect them by eyeballing the Internet yourself, no matter how many analysts you might have on staff and we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you, by automatically collecting and organizing the entire web to identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyber attacks. Go to recordedfuture.com/intel, to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:49:10] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 24th, 2018.
Dave Bittner: [00:02:02:07] A ransomware attack has hit Ukraine's Energy Ministry. A spokeswoman for the ministry told the BBC that the attack was isolated, that no other agencies have been affected, and that indeed the Ministry's email is up and running. Still, the incident is a nuisance. The ransom screens are written in English. It's not good English. It looks very much like and actual non-native speaker's production, and not something in ShadowBrokersese. For example it says, "Ooops, your website have been encrypted," and, "All files will be delete." They're asking for just .1 Bitcoin, which comes to just under $1,000 and they're not taking PayPal or any other substitutes. The indications are that it's a simple criminal attack as opposed to misdirection by a nation-state, like for example NotPetya. Ukrainian authorities have a criminal investigation in progress.
Dave Bittner: [00:02:57:22] Moscow-based security firm Kaspersky Lab says that it's uncovered infrastructure used by the Crouching Yeti threat group, also known as Energetic Bear, for attacks against industrial networks. They've been tracking the group since about 2010. They call it, "a notorious Russian-speaking group that has been active for many years and is still successfully targeting industrial organizations through watering hole attacks." The researchers note, somewhat darkly, that the diversity of infected servers and scanned resources suggests the group may operate in the interest of third parties.
Dave Bittner: [00:03:34:24] A surge in anonymous Twitter accounts in Southeast and East Asia has prompted speculation about the formation of bots to influence public opinion through the social media platform. Twitter doesn't believe it's yet seen anything out-of-order, because maybe it's just a bunch of star-struck types following celebrities, but people are looking for signs of information operations.
Dave Bittner: [00:03:57:19] Symantec and others are tracking Orangeworm, a cyberespionage campaign that's hitting healthcare organizations. X-ray and MRI devices are most often affected. Many researchers doubt that the group behind the campaign is a nation-state but the attackers' goals are obscure. They seem to be after either personal information about patients or intellectual property about the medical devices themselves.
Dave Bittner: [00:04:24:04] Google's Project Zero has disclosed a vulnerability in Windows 10. It's possible to bypass Windows Lockdown Policy in a way that can result in arbitrary code execution. Microsoft missed Google's 90 day deadline for addressing reported vulnerabilities, so Google has gone public with the unpatched issue. Presumably a patch will be forthcoming, but there's nothing available now.
Dave Bittner: [00:04:50:08] The business-focused social network LinkedIn has issued a patch for its autocomplete API. The function turned out to be leaky.
Dave Bittner: [00:04:59:05] Quantifying cyber risk is an ongoing challenge faced by many organizations. Jerry Caponera is vice-president of Cyber Risks Strategy at Nehemiah Security and he maintains, we need a methodology to quantify, justify and advance the risk management conversation among executives.
Jerry Caponera: [00:05:16:17] Pretty much everybody I've ever spoken to has said they want to be able to treat cybersecurity as a business. But there's just a li-- lot of churn on what that means, how to do it, and what they should do. So definitely early but with just a huge upside.
Dave Bittner: [00:05:33:06] Now I feel as though in the last year or two the conversation has certainly shifted at the board level where people are talking about risk, in terms of risk. Do you feel like there's still a ways to go?
Jerry Caponera: [00:05:46:10] I do. So it's interesting as I think you're right, I think in the last year or two I've seen that shift as well too. I think there's a couple of drivers for that shift personally. One is obviously we're seeing and hearing more about large financial losses due to attacks. I think it was last fall Merc was hit with a cy-- with a ransomware attack and they finally said they lost on it-- it cost them on or about 100-- about $350,000,000. About a third of that was really to revenue and the rest was other costs. So that's, that's kind of an eye-opening number. You're starting to see I think one more high profile attacks. The second thing I think that's driving much more awareness for companies at the board level is you're starting to see some more regulations. I'm actually a big fan of what the EU has done with GDPR because they're finally starting to put teeth to some of the cyber regulations that exist. You know, having-- losing data on a European national and having to deal with potentially 4% of my revenue lost, that's a big number potentially so you're starting to see more numbers pop up which is good. And the third thing is just recently we saw the SCC release a report that basically says companies need to start talking about what a material cybersecurity risk is.
Jerry Caponera: [00:07:01:15] Now the gen-- the guidance was vague there but reading on-- you know, reading that on the walls, reading what software are actually compliance and where that's going, you can see that, not only your companies starting to get aware, they're starting to have to become aware which is-- unfortunately I don't believe full change for a company will take effect until they have to.
Dave Bittner: [00:07:23:13] So how do you guide people along towards these conversations?
Jerry Caponera: [00:07:27:20] It kind of depends on who you're talking to. The reality is these conversations are still amongst two different camps, right? Those, I'll call them, I think you said in the security camp or-- and those on the business side of the camp. You have to drive them to the answer based on which camp they're actually in. So we were just having a conversation about working on some material to help educate security folks that what they really need to be doing is aligning with the key strategic initiatives the organization is taking in the next 12 to 18 months, right? How do they start to show that security's an enabler? And the only way to do that is to actually tie to the business initiatives. If your goal as a company is to grow 400%, which means you have to increase your online presence by, you know, 50% to generate more leads, what would a cyberattack potentially do that could impact that? On the security side, how do I make sure that an attack doesn't happen, because if it does, it's going to inhibit my ability to basically make that number?
Jerry Caponera: [00:08:22:10] I heard a gentleman once say that the best way we can answer the question you ask is to stop thinking of cyber professionals. When we announce ourselves saying we're cyber people, we should be saying we're business people with a cybersecurity focus. Because it's that closing of the gap between the cyber and the business, that's going to make this a reality, and you have to drive those conversations up from where security is and down from where the business is. And that simple example of, "Hey, I want to grow my online presence by 50% so I can generate more marketing leads, because marketing is our number one driver for future revenue," the question then becomes, well, how can cyber help the business reach that goal. And if we can have that conversation, we're on the right track.
Dave Bittner: [00:09:04:00] That's Jerry Caponera from Nehemiah Security.
Dave Bittner: [00:09:08:12] As the US Government weighs sanctions against Russia, one of its targets may be Kaspersky. Officials say they're considering banning all of the company's operations in the US, in addition to the already effective ban on US Federal agencies buying Kaspersky products. Any such sanctions would be imposed after Kaspersky's suit alleging it's the victim of an unconstitutional bill of attainder is resolved. Kaspersky denies that it's improperly connected to Russian intelligence, but Western officials say there's a problem in Russian laws that compel cooperation with security services.
Dave Bittner: [00:09:45:16] Speaking of Russian security services, the hacker accused of exposing three billion or so Yahoo! records on behalf of Russia's FSB is getting his day in court. Karim Baratov, a Canadian citizen of Kazakh origins, was snaffled up by Canadian police and extradited to the US to face charges on his March 2017 indictment. The US prosecutors are asking that the spearphisher be awarded 94 months in Club Fed. That's just shy of eight years.
Dave Bittner: [00:10:17:11] It was a nice gig while it lasted. Baratov was a hacker for hire who made it a point of not asking his employers too many questions, and it paid for him. He's a car guy. He used his FSB paychecks to buy a Lamborghini, a Porsche, an Aston Martin, a Mercedes and a BMW. His defense team is pleading in mitigation that, one, Mr Baratov is young, under 22 when he was most active, and two, after all it's his first arrest.
Dave Bittner: [00:10:48:12] As US midterm elections approach, voting is more than six months away but American elections cycles are famously long, at least 20 states have expressed a degree of uneasiness about the security of their election systems. One solution a number of people are proposing is to call the National Guard, that reliable standby the states use to deal with emergencies of all kinds. The Guard itself has cyber units of various kinds in some 38 states and room to grow, as officers say. Such units could provide some useful incident response capability. A RAND study in 2017 concluded that there were more than 100,000 personnel in the Army Reserve and Army Reserve National Guard. That latter name is the official name of what we civilians just call the National Guard.
Dave Bittner: [00:11:36:15] How such expertise might be used is untested. We heard one useful suggestion at RSA in conversation with the Chertoff Group's Adam Isles. Find people with IT skills in the Guard, and give them the ability to build up their security chops. Then they can take those skills and lessons learned back with them to their jobs. A lot of the 100,000 plus RAND saw in the Guard with some relevant skills are people who work in IT jobs. That's not security directly, but it's a good start, so have at it, weekend warriors.
Dave Bittner: [00:12:09:17] Of course there are plenty of people in the private sector willing to help too. We heard from Tom Kemp, CEO of security firm Centrify, who's got an offer for state election boards. If they want to ameliorate the risk posed by stolen or compromised credentials, the kind of thing that could gum up the polls on Election Day, imagine the election judges turning you away with a, "Sorry, sir, we regret it, ma'am, but your address is a digit off," they can get Centrify's zero-trust platform at no charge. So that's another offer on the table.
Dave Bittner: [00:12:42:08] And for those of you keeping track of these things, GDPR is just one month away. Thought we'd mention that.
Dave Bittner: [00:12:54:15] I'd like to give a shout out to our sponsor, BluVector. Visit them at bluvector.io. Have you noticed the use of fileless malware is on the rise? The reason for this is simple. Most organizations aren't prepared to detect it. Last year BluVector introduced the security market's first analytic specifically designed for fileless malware detection on the network. Selected as a finalist for RSA's 2018 Innovation Sandbox Contest, BluVector Cortex is an AI driven sense and response network security platform that makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats. If you're concerned about advanced threats like fileless malware, or just want to learn more visit bluvector.io. That's b-l-u-v-e-c-t-o-r.io. And we thank BluVector for sponsoring our show.
Dave Bittner: [00:13:57:01] And I'm pleased to be joined once again by Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. Joe, welcome back.
Joe Carrigan: [00:14:04:00] Thanks, Dave.
Dave Bittner: [00:14:04:17] So interesting research released from the folks at Malwarebytes Labs. They were talking about a device called a GrayKey which is an iPhone unlocker, and they're saying there's some serious concerns here. What do you take-- what do you suspect is going on here?
Joe Carrigan: [00:14:20:08] I'm not entirely sure. These people have developed a, a small piece of hardware that does something to an iPhone that then causes that iPhone to display its passcode to unlock the phone.
Dave Bittner: [00:14:34:07] Yeah.
Joe Carrigan: [00:14:34:23] So what is going on there, it, it-- just in the article they're speculating that there's something go-- where they install a-- where they root the phone or jailbreak the phone and then they-- I guess they have to install some kind of app that goes through and guesses the passwords, that runs in the background and displays a message on the screen.
Dave Bittner: [00:14:54:09] Going through some sort of brute force process?
Joe Carrigan: [00:14:56:05] I'm, I'm almost guaranteeing there's a brute force process, because one of the, one of the key indicators is that it takes longer to pass or to come up with a six digit passcode than it does a four digit passcode. And that to me just says brute force. So there's no magic in how they're breaking the phone open, they're just trying all the different combinations. The magic comes in how they stop the phone from erasing itself after so many failed attempts. And that's probably why they-- they're jailbreaking it. They're probably intercepting the system calls that would go back and erase those-- erase the memory chips.
Dave Bittner: [00:15:28:05] And one of the concerns here is that these sorts of devices have been available in the past with, you know, previous versions of iOS. Cellebrite was a manufacturer of a different one.
Joe Carrigan: [00:15:39:12] Yeah.
Dave Bittner: [00:15:39:23] And these, well, they're intended for law enforcement, but as with these sorts of things they can sort of slip out and make their way out into the wild.
Joe Carrigan: [00:15:48:20] Yeah, there was one-- the article talks about one called the IP-BOX 2, which unlocked older or still unlocks older iPhones. In fact you can still get them on Amazon the article says. So, yeah, these things have been released into the wild in the past. The GrayKey box however looks like they're being very tight with their control with it, over-- you know, making sure that only law enforcement get it. That being said, the road to hell is paved with good intentions, right? So I'm sure it's only a matter of time before one of these things disappears from some law enforcement site. There are models that can be used anywhere. They have a key, but the key is small, that can also be swiped out with the device, no problem. I don't know how concerned I am about this. It's definitely an edge case.
Dave Bittner: [00:16:38:13] Yeah. Well, it strikes me that if you're someone for whom this sort of security is a concern, you're going to know that, and you're going to be using more than a four digit numeric password?
Joe Carrigan: [00:16:49:00] Right, right. And even if you're using a longer password, I guess this thing will eventually break it but, you know, you'll be using other, other ways of communicating that don't necessarily rely on the security of an Apple device.
Dave Bittner: [00:17:03:03] Yeah, concentric circles of security, you know, unlocking the phone is one thing, but then maybe another layer encryption, you know, point to point, all that sort of stuff?
Joe Carrigan: [00:17:13:00] Yes. You know, plausible deniability apps that, that delete chat histories.
Dave Bittner: [00:17:17:20] Right, right. Alright, well, it's an interesting cat and mouse and--
Joe Carrigan: [00:17:22:17] It is. And it's-- you know, it's, it's-- what's interesting about this is I'd like to know if-- you know, what Apple's doing to try to address this? I'll bet that they're aware of this.
Dave Bittner: [00:17:31:13] For sure.
Joe Carrigan: [00:17:32:07] Because Apple generally tends to have a pretty good security stance. I like to pick on Apple, but one of the things I don't generally pick on them about is their security.
Dave Bittner: [00:17:40:21] All right, Joe, it's interesting stuff as always. Thanks for joining us.
Joe Carrigan: [00:17:44:00] My pleasure, Dave.
Dave Bittner: [00:17:47:20] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.
Dave Bittner: [00:18:09:17] The CyberWire podcast is proudly produced in Maryland out of the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:18:19:11] Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.
BluVector Cortex is an AI-driven sense and response network security platform. Designed for mid-sized to very large organizations, the platform makes it possible to accurately and efficiently detect, analyze and contain sophisticated threats including fileless malware, zero-day malware, and ransomware in real time. Learn more at bluvector.io.