The CyberWire Daily Podcast 9.4.20
Ep 1167 | 9.4.20
Ransom DDoS is now a widespread problem. Phishing campaign stages malicious payloads in legitimate file-sharing services. Back to school? Back with a new cyber risk.
Transcript

Dave Bittner: Hey, everybody. Dave here. The CyberWire Daily Podcast is taking a break for the U.S. Labor Day holiday, but we have a special treat for you. We're running a fascinating episode of our "Caveat" podcast, a show all about privacy, surveillance and the thorny legal and policy matters in cybersecurity. In this episode, we're talking to Pulitzer Prize-winning writer and editor from The New York Times Stuart Thompson all about his article, "Twelve Million Phones, One Dataset, Zero Privacy." We hope you enjoy it, and be sure to subscribe to "Caveat" wherever you get your podcasts.

Elliott Peltzman: Ransom DDoS - It's been around for a while, but now it's become a much bigger thing. Phishing campaigns are putting malicious payloads into legitimate file-sharing services. Malek Ben Salem from Accenture on proactive alpha innovator organizations. Our guest is Joseph Marks from The Washington Post on his recent coverage of election security. And it's time to go back to school, at least virtually, with all the attendant cyber risk. 

Elliott Peltzman: From the CyberWire studios at DataTribe, I'm Elliott Peltzman filling in for Dave Bittner with your CyberWire summary for Friday, September 4, 2020. 

Elliott Peltzman: BleepingComputer says that the US FBI has issued an alert concerning what's being called RDDoS, ransom distributed denial-of-service. That is, it's a form of criminal extortion that threatens, not doxxing, not encryption, and not data destruction, but simply making victims' networks unavailable. This kind of extortion is particularly serious to organizations that depend upon very high, reliable availability to conduct their business. 

Elliott Peltzman: RDDoS has now become a widespread problem, and the U.S. isn't the country that's been primarily affected. New Zealand's NZX stock exchange is still continuing its week-long struggle to disentangle its systems from the distributed denial-of-service attacks that have plagued it. Authorities in New Zealand haven't yet been able to identify who's responsible, beyond concluding that the attacks originate offshore, but the goal seems likely to be criminal extortion. 

Elliott Peltzman: A similar problem has surfaced in Europe where a number of Internet service providers have seen their DNS infrastructure under attack. ZDNet reports that ISPs in Belgium, France and the Netherlands were all targeted with DNS amplification and LDAP-type DDoS attacks that took their services down. Some attacks lasted more than four hours and achieved volumes of 300 gigabits per second. 

Elliott Peltzman: The ISPs affected include Belgium's EDP, France's Bouygues Telecom, FDN, K-net, SFR, and the Netherlands's Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl. ZDNet points out, while disclaiming any proof of a connection, that the DDoS attacks began after an earlier wave of similar attacks against European financial services targets subsided. 

Elliott Peltzman: The Netherlands's cybersecurity authorities confirmed that the attacks against Dutch ISPs at least were part of an extortion campaign that seemed likely to be true in the case of the other incidents as well. The attackers demanded a large but publicly unspecified sum in Bitcoin to call off the dogs, or rather the bots. 

Elliott Peltzman: The attacks represent a trend in criminal extortion. To return to the FBI's warning, whatever criminal group is behind the attacks - and it does seem to be a straightforward criminal effort, not the work of state operators - is taking advantage of the notoriety of well-known threat actors by posing as Fancy Bear, Cozy Bear, the Lazarus group, or the Armada Collective. 

Elliott Peltzman: Radware and Akamai have also warned of this trend, with Radware saying that they've seen it used against victims in North America, Europe, Asia and the Pacific, the Middle East, and Africa. The ransom demanded seems to range from 10 Bitcoin, which comes out to about $113,000. At current rates, and 20 BTC, or roughly $226,000. Akamai offers a couple of samples of the ransom notes they've seen used since this past November, when the trend was in an earlier, more aspirational stage, like this one. Quote, "if you report this to the media and try and get some free publicity by using our name instead of paying, attack will start permanently and will last for a long time," end quote. The hoods signed this one, Armada Collective. The Armada Collective is a criminal organization that's long engaged in denial-of-service attacks. Akamai described them at length as far back as 2015, so they might fairly be regarded as early adopters of the RDDoS tactic. 

Elliott Peltzman: Or consider this example. Quote, "your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. We will completely destroy your reputation and make sure your services will remain offline until you pay," end quote. Signed Fancy Bear. But no, The Bears have better writers, unless they're deliberately sandbagging, and these extortion attempt seem to be the work of criminal opportunists looking for the added FUD names like Fancy Bear bring with them. 

Elliott Peltzman: The FBI has four recommendations to make. First, don't pay the ransom. It only encourages the crooks, funds their next operation, and stokes a bandit economy. Second, report attacks of this kind to your local FBI field office, or their counterparts in other civilized countries. Third, use DDoS mitigation services that could identify and block such attacks. And, finally, work with your ISP to monitor network traffic and block it when the signs of DDoS present themselves. 

Elliott Peltzman: Researchers at Cisco's Talos unit describe a series of phishing campaigns that use legitimate file-sharing services to store the malicious documents they linked in their emails. The malware payloads include, among others, Gozi ISFB, ZLoader, SmokeLoader and AveMaria. 

Elliott Peltzman: So it's back to school, right? We assume all of you have a clean pair of sneakers and a nice new pencil box. All of us do. But, of course, this isn't an ordinary school year as schools pretty much everywhere figure out how to operate during a pandemic. Much of the adjustment has involved moving to distance learning with all of the inevitable attendant vulnerability that produces. Some of that vulnerability has been exploited through DDoS; although, the motive for this has generally been truancy as opposed to extortion. Such has apparently been the case in the DDoS attack on the Miami-Dade school district this week as a 16-year-old high school junior admitted when arrested that he'd done it. 

Elliott Peltzman: It's not solely a U.S. problem, either. The U.K.'s Department for Education has told schools to be on the qui vive for cyberattacks in the young academic year. And it's also not solely a school problem. The student who learns from home exposes the home to whatever badness is going on in the schools' networks. KNX News Radio in Los Angeles points out breathlessly that, quote, "hackers attacking school districts could end up in your living room via remote learning," end quote. 

Elliott Peltzman: OK. We know. We know. So get it out of your system and crack wise that you're good to go because you never use electronics in the living room, that all of your devices are reserved for the rec room, the nursery, the man cave, the she shed, the downstairs toilet, et cetera. It's a metaphor. Living room equals home. And KNX is right. Threats can propagate into your home network. So look to your home security. What goes on in school doesn't stay in school. 

Elliott Peltzman: We'll hear now from Dave's conversation with Joseph Marks from The Washington Post on his recent coverage of election security. 

Joseph Marks: You know, we spent a couple of years after 2016 preparing for one kind of threat, which was Russian interference or interference from other nations in the 2020 election. And then, you know, obviously, as of March, we've been dealing with this whole different kind of threat, which is - how do you run an election during a pandemic and try to both keep people safe and get the votes in and counted in a secure and reliable fashion? And while we're dealing with that second threat, the first one hasn't gone away. 

Joseph Marks: So there's been a lot of movement in a lot of states on both of those things. But they're also a bunch of concerns in a number of cases on both levels. In terms of how we're going to vote, probably about two-thirds to three-quarters of the states now have really made a significant transition to allowing voting by mail in a much broader sense and preparing for - in a broader sense, even if it was basically allowed for one before. Whether they have the capacity to process all of that stuff in an expedient way is still a little bit unclear. In terms of being secure against interference by foreign nations, we're a lot better on the technical side, you know. Going into 2016, probably about 30%, maybe a little bit more of all voting machines in the country didn't have a paper trail so that if someone monkeyed with it, you'd really have nothing to audit and no evidence of what went wrong. That's down now to probably about 8%. 

Joseph Marks: And as Chris Krebs, the director of the Homeland Security Department's cybersecurity division, said last week, if there's one tiny little bright line in all this pandemic, it's that because a lot of places have shifted to mail voting, well, mail is a paper trail. It might be a little more complicated for states that aren't used to it. But there's a paper trail there. So in places like New Jersey and a few other districts elsewhere in the country that didn't really make the transition to paper trail voting machines - they should have after 2016 - things will be a little bit better than might otherwise be in terms of having an auditable record so that we know definitely who won and can tally up the results. 

Dave Bittner: What about the whole notion of uncertainty itself, you know? We're seeing these stories, some accusations that perhaps the administration is making use of the Postal Service to potentially slow things down. What's your insights on that in terms of the actual seriousness of those types of accusations? 

Joseph Marks: The danger of uncertainty is probably one of most dangerous things we face. Certainly, there has been - there is a new Trump appointee at the Postal Service. It is - the one thing they're trying to do in order to get mail going and transiting effectively with limited resources is to slow delivery of some things that could affect ballots in some cases. It seems as if whether or not mail is actually going slower, the post office has done some decent work at contacting particular states and saying, hey, your deadlines for ballots to come in don't match with what we're capable of doing. We need to work that out somehow. 

Joseph Marks: Now, that's good or that's bad. I mean, a lot of states are of the opinion that you ought - mail voting ought to be like voting in person. You ought to be able to cast your ballot any time on Election Day or before. And it ought to be counted as long as it's postmarked. If the Postal Service is saying, OK, do that but we can't get those votes in until six, seven, eight days later, that's going to be a real problem in terms of what those states consider to be the franchise. 

Joseph Marks: But this broader issue of uncertainty, you know, that's really what Russia was after in 2016. And as far as we know, it's what they're after this time as well, you know? You don't have to actually change any votes in order for a lot of Americans to feel as if they don't trust the results of the election. And, you know, since 2016 the thing that we've done the least well at is trying to effectively combat disinformation, both - there have been some decent efforts at shutting down, you know, large Russian and Chinese and Iranian networks on social media. But in terms of educating the American public, getting them to take this stuff with a grain of salt and creating the kind of unified nation where - sort of like we had in 2000. After the Supreme Court stopped the recount in Florida, Democrats didn't go to the hills with their guns and try to get Al Gore in office, you know? It's to - broad American understanding that we accept the results of the election, even if our guy didn't win, you know? We're not doing great on that as a nation right now. And that's probably the most dangerous thing we face. 

Dave Bittner: Yeah. I mean, that's really an interesting insight and I suppose sort of chilling in a way that it's not - it's hard to imagine that we're at this place, where there are people having serious conversations about - you know, what if the sitting president through his own channels, through his own - his megaphone, you know, says that we're not going to accept the results of this election? I mean, that would be unprecedented. And yet we have folks having serious conversations about those possibilities. 

Joseph Marks: And a lot of things have become unprecedented in the last four years and arguably longer. But, you know, the other real concern is, you know, we've sort of reached a place as a nation that that stuff is effective, you know? It's - you could do - we've arguably made a huge amount of progress in terms of securing the actual ballot since 2016. That's great, you know, for those of us who, you know, are borne by the facts, you know? I feel a lot more comfortable about my vote being counted in 2020 than I, in retrospect, would in 2016. But if the public doesn't buy it, then that's the ball game. 

Elliott Peltzman: That's Joseph Marks from The Washington Post. If you'd like to hear an extended version of this interview, head on over to thecyberwire.com and check out CyberWire Pro. 

Dave Bittner: And joining me once again is Malek Ben Salem. She is the Americas' security R&D lead at Accenture Labs. Malek, it's always great to have you back. You and I recently spoke about Accenture's security vision paper that you all put out. And we wanted to dig into some more of the details this time. What sort of things do you have to share with us, today? 

Malek Ben Salem: Yeah. So our security vision this year focused on adopting new or emerging technologies and adopting them, securely. So how can organizations innovate at speed and scale with implicit security? And we performed a survey. We surveyed about 500 companies across the world, you know? These are big companies that have revenues of $5 billion or more and who are already adopting emerging technologies, such as AI, XR, 5G and quantum computing. And in our analysis, we wanted to focus on how are the companies doing or how are the successful companies - or what are the successful companies doing when it comes to adopting these technologies, securely, and how are the followers doing. So we wanted to identify the behaviors that organizations can emulate in order to innovate at speed and scale with implicit security. So we've identified a number of companies that we call the alpha innovators. These are the companies that are investing in three or more of these emerging technologies. And, again, the technologies are AI, XR, 5G and quantum. And we looked at what they are doing well, and we compare them with what we call the followers who are investing in just one or two of these technologies. 

Malek Ben Salem: So one of the behaviors we've identified is this collaboration between security executives from day one with the business leaders or other executives. And so when we did this survey, we wanted to understand, also, how SISOs viewed this collaboration versus how the other executives viewed this collaboration. So we wanted to look at this from both perspectives. 

Dave Bittner: What did you discover? 

Malek Ben Salem: So the - we found, basically - or we've identified five power plays, if you will, that these alpha innovators are doing right. Number one is this multipronged strategy where they're investing at scale across a number of emerging technologies. So three or more they're investing at scale. So they're investing at least $500 million in these emerging technologies. That was true for more than 50% of the alpha innovators. The followers invested less. Only 29% of them invested $500 million or more. 

Malek Ben Salem: The second power play, if you will, is this risk mindset that allows these alpha innovators to fully assess security risks early in the adoption cycle, you know? We've talked in our previous discussion that, generally, you know, a lot of these executives are not aware of the risk associated with these technologies and that they are - they tend to be more aware of the risk associated with technologies that they're - where they're further along in their adoption journey. But when we dig deeper and we look at these - you know, this awareness, comparing alpha innovators versus the follower group, we can definitely see that the alpha innovators are much more aware of the security risks associated with these technologies. 

Malek Ben Salem: For AI, which is further along the adoption journey for both groups, the numbers do not - the numbers are very similar. So 76% in the alpha innovator group are aware of the security risks associated with AI. But when it comes to the other technologies, there is a big discrepancy between these numbers. So we see, for 5G, 69% are aware versus 56%; 69% are aware among the alpha innovator group versus only 56% within the follower group. For quantum, it's 75% versus 53%. And for XR, it's 67% versus 52%. So, again, it seems that this first group, these alpha innovators, are adopting this risk mindset, have better awareness of the security risks of these emerging technologies wherever they are in the adoption cycle. 

Dave Bittner: Do you suppose - I mean, is this as straightforward as - you know, that some organizations are more proactive versus being reactive? 

Malek Ben Salem: Exactly. I think this - that's - those are the kinds of insight that - we wanted to analyze and explore and understand what are these behaviors that are making these bigger companies or these alpha innovators - sorry, not necessarily bigger companies - be able to adopt one of many technologies at the same time and do so, you know, at scale and with security in mind. What are those behaviors? And it's - being proactive is definitely one of them. 

Elliott Peltzman: And that's the CyberWire. A happy Labor Day to everyone, and especially to those of you in the U.S., who, like us, will take Monday off. We'll be back as usual on Tuesday. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Elliott Peltzman: Don't forget to check out Research Saturday here in this same feed tomorrow. Dave sat down with Chet Wisniewski and Dan Schiappa from Sophos on ransomware package TK and the five signs organizations are about to be attacked by ransomware. That's Research Saturday. Don't miss it. 

Elliott Peltzman: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Elliott Peltzman, filling in for Dave Bittner. Thanks for listening.