The CyberWire Daily Podcast 6.4.21
Ep 1347 | 6.4.21

Advice on ransomware from the US National Security Council. JBS announces its recovery from the REvil attack. Cyber diplomacy (and maybe retaliation). Ransomware-themed phishbait.


Dave Bittner: JBS recovers from its REvil ransomware attack. This and other apparent instances of privateering will figure among the agenda at the upcoming U.S.-Russia summit. The U.S. is said to be mulling retaliation. The White House issues general advice on preparing for ransomware attacks. The Tokyo Olympic Committee suffers a data breach. Ransomware may have interrupted some media live streaming yesterday. Attribution on the MTA attack. Dinah Davis from Arctic Wolf helps prevent your SOC from becoming ineffective. Carole Theriault warns of data privacy leaks in online home tours. And a ransomware-themed phishbait.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 4, 2021. 

Dave Bittner: JBS said yesterday that it had resolved the ransomware attack it sustained on Sunday and that operations had returned to normal. The company's statement reads in part, quote, "The company's swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery. As a result, JBS, USA, and Pilgrim's were able to limit the loss of food produced during the attack to less than one day's worth of production. Any lost production across the company's global business will be fully recovered by the end of the week, limiting any potential negative impact on producers, consumers and the company's workforce," end quote. All things considered, the response seems to have been swift and effective, and it will be interesting to see what lessons may emerge from JBS's experience. The impact of the incident on food availability and price appears to have been limited. And Huff Post observes that there appears to have been no impact on food safety whatsoever, which is unsurprising given the nature of the attack. 

Dave Bittner: The U.S. FBI was unusually quick with attribution, fingering the Russia-based REvil gang as the group behind the attack. REvil, which operates a criminal affiliate network, told BleepingComputer last October that the gang itself cleared more than $100 million in profit annually. They may have at least two revenue streams - direct ransom payment and the proceeds from auctioning victims' stolen data. REvil's claims about its revenues and operations are difficult to corroborate, but the gang at least gives the appearance of being financially motivated. As with other Russian criminal groups, however, their activities now arouse suspicions that they're state-tolerated cyber privateers and that their motivations may be complex. Utah Public Radio quotes Ryan Larsen, a Utah state farm management extension specialist, who said, quote, "When you read that a large percentage of the meat processing has been hacked, it causes concerns for citizens. So I think a lot of the motivation was purely just to cause concern and scare people," end quote. Fox News talked to various experts who thought that the prospect of the JBS hacks being a dry run for a more damaging operation slightly paranoiac, albeit possible. On balance, the consensus was that the rise in ransomware attacks was driven by the criminals' realization that there was a great deal of money to be made from extortion. ABC News reasonably sees a convergence of contributing factors. Quote, "Ransomware strikes have surged over the past year due to a confluence of factors, experts say, including the rise of hard to trace cryptocurrency, a work from home boom that has resulted in new IT vulnerabilities and a political climate marked by ongoing tensions between the U.S. and Russia, the nation from which many of these attacks are believed to emanate," end quote. 

Dave Bittner: Privateers or ordinary gangsters, The Voice of America reports that the JBS attack and other ransomware incidents will figure among the agenda of the upcoming U.S.-Russia summit. Some, like NBC News, report that U.S. patience with ransomware, especially state-tolerated or encouraged ransomware, is nearing an end and that naming, shaming and sanctions may be played out as effective responses. They are hair on fire, a former U.S. official said of the administration. And retaliatory cyberattacks may be under study, perhaps under active consideration. 

Dave Bittner: The U.S. government is said to be taking the ransomware threat seriously. Reuters says the Justice Department will accord ransomware attacks the same priority it gives terrorism. Quote, "To ensure we can make necessary connections across national and global cases and investigations and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking," Justice Department guidance says. It's a procedural change that involves giving information-sharing and coordination greater importance. John Carlin, principal associate deputy attorney general at the Justice Department, told Reuters, quote, "We've used this model around terrorism before, but never with ransomware," end quote. 

Dave Bittner: The New York Times interprets an advisory letter from Deputy National Security Advisor Anne Neuberger as a prescriptive, blunt, general call for all organizations to adopt the cybersecurity standards that Federal agencies and contractors now follow. Neuberger wrote, in part, quote, "The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively. To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations," end quote. 

Dave Bittner: It strikes us that in this case, the Times perceives clarity as bluntness. Neuberger's letter goes on to say, we've selected a small number of highly impactful steps to help you focus and make rapid progress on driving down risk. Specifically, those steps include - implement the five best practices from the president's executive order, back up your data, system images and configurations, regularly test them and keep the backups offline, update and patch systems promptly, test your incident response plan, check your security team's work and segment your networks. This, with the supporting details that are too long to read here, seems like useful advice. 

Dave Bittner: According to the Japan Times, the organizing committee for the Tokyo Olympics has suffered a data breach as a consequence of Fujitsu's recent compromise. It's another instance of third-party risk. Some personal information was apparently exposed in the incident. 

Dave Bittner: The Record reports that Cox Media livestreams were interrupted yesterday in what multiple sources tell the Record was a ransomware attack. The story is still developing, but it appears to be another case in the ongoing wave of ransomware attacks. 

Dave Bittner: The ransomware attack against New York's Metropolitan Transportation Authority is being attributed, BleepingComputer writes, to a Chinese threat actor that exploited a Pulse Secure vulnerability to gain access to MTA systems. SC Magazine speaks with industry sources who express concern that the operation may be a harbinger of more to come, especially if the group responsible should prove closely connected to the Chinese government. 

Dave Bittner: BlackBerry reports that the Avaddon ransomware operators now pose a triple threat, adding the prospect of distributed denial-of-service to the familiar threats of encryption and data theft. 

Dave Bittner: And finally, all the recent, high-profile ransomware attacks have spawned a large brood of unrelated but obviously parasitic phishing campaigns. INKY has been tracking some of them and finds that the emails represent themselves as coming from a more-plausible-than-usual help desk. The recipients are told that their organization is upgrading its security after the wake-up call it received from the Colonial Pipeline incident. Specifically, users are asked to download a ransomware system update from an external site. That site, of course, is malicious. 

Dave Bittner: Among the many things the pandemic has upended is the real estate market. In my neck of the woods here on the east coast of the U.S., a shortage of home inventory is causing home prices to spike, with some fearing we are entering another real estate bubble. Sellers have also shifted to largely selling their homes online, with fancy 3D virtual tours replacing the traditional open house - again, a practical adjustment accelerated by the pandemic. Our CyberWire U.K. correspondent Carole Theriault was recently doing a little real estate online window shopping and happened upon an unsettling privacy issue. 

Carole Theriault: So one of my pastimes is property porn. Is that OK to say in a cybersecurity podcast? I guess I'll find out. But it's true. I imagine myself picking up sticks and moving to a brand-new place, and I check out properties in that locale 'cause, well, you never know. Anyway, there I was indulging in my pastime when I land upon a house that has a bunch of private information laying bare in their 3D virtual tour. Now, many, many houses out there are staged to increase the sale price, but quite a few out there are not. And in this particular case, I could see stuff I shouldn't, even if I were walking around in person. We are talking financial documents that you could easily zoom in upon, full name, address, details for anyone to gawp at. 

Carole Theriault: Other identifiable data about the homeowners and the property included, like, names of their pets on a photograph. We all know that pet names are often used as passwords. There were clues about their political views based on their choice of reading material and their health. There was an asthma inhaler that was visible in one of the bedrooms. And then you've got to think about the opportunities that this presents for potential phishing attacks. I mean, getting the address and visiting the property in person is a doddle. All you need to do is call the estate agent. Couldn't someone call them up and pretend to be the representative of their periodical magazine that they buy or the book club that they belong to or their share company? It's kind of scary. 

Carole Theriault: With the help of a BBC journalist, we were able to alert the agents and get the video taken offline. But how do things like this happen? Here's my thoughts. One, camera tech is way more advanced than you might think. Think Google Maps, but inside your house. I mean, I could read every single title in their bookcase. Two, a remote camera snaps hundreds, if not thousands of photos across a property. Who's going to go through every single photo individually? The real estate agent, the owner? Who has the time? Well, make time. That is, I think, the takeaway. 

Carole Theriault: If you're going to employ whiz-bang features to help you sell your house or improve your sales strategy, enhance your service offering, whatever it is, do your homework before enabling them. And that means testing. Like, imagine you're a visitor and use and abuse those features so you can get a strong indication of what a visitor might experience and see. Do this before you make it live, so to speak. See, it turns out that Mom was right. Cleaning up before your guests arrive or before non-employees show up for a meeting is a good idea, not just to hide any sloppiness, but it also allows you to see what's left out in the open and lets you decide whether it should be put away. I mean, think about it. If you don't value your privacy, who will? This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is Dinah Davis. She is the VP of R&D at Arctic Wolf. Dinah, great to have you back. I wanted to touch today about some tips you have for SOCs and in particular some things maybe not to do, things that might torpedo some of your efforts within your SOC. What do you have to share with us today? 

Dinah Davis: So some of the things that can make your SOC quite ineffective is having a high amount of false positives. So you want to really focus on reducing the alert overload. So when you first are setting up your SOC and putting in place the tooling, usually a SIEM is part of that or a SIEM-like tool. And the way it works is you set up a whole bunch of rules, and it alerts you when those rules fire. Right? Now, unfortunately, a lot of the time, those rules will alert you on things that aren't actually real, false positives, and you get really tired. And it's called alert fatigue, right? So... 

Dave Bittner: Sure. 

Dinah Davis: ...Spending a lot of time looking at your system, knowing what you really care about and what you don't and tuning your system to only notify you when it's important is key here. Right? You don't want to manually review every alert. There's thousands that'll be coming in per day. So you want to tune that down, right? So that's one thing you can do to make yourself more effective. 

Dinah Davis: The second thing you can do is make sure you have really good security processes. Right? So you want to focus on the two most important processes of a SOC, which is intrusion detection and incident response. So when something happens, how is the team notified? What is the criteria for escalation of event to an incident? What does the investigation and response protocol all entail? What do remediation efforts look like? You want to have that all really well-defined so that when something happens, you are just reacting and following a process and not trying to figure all of that out at the same time as trying to remediate whatever is going on. 

Dinah Davis: Another thing you can do is try to streamline team communication. So you want to have an easy and clear way to communicate and have set up with your team. So most people today are using a tool like Slack, right? But just having that tool is - you know, it's probably not enough. You have to set it up in a cohesive way. So you can create channels for reporting threats, one for daily communication. And then one that I really recommend doing is for each big incident you have, you create a channel, and only the people working on that incident work there. I also highly recommend throwing in a Zoom room at the top, like in the topic, if you're using Slack and Zoom, because just keeping the same Zoom room open - and anybody can pop in and out of there - you don't have to set that up every time - it makes it super easy. 

Dinah Davis: Another great thing to do is make sure you're adding a reporting capability. So you need to know how effective your SOC is being. To this end, some metrics you may want to track are the volume of events, how much false positives you have, what your false positive ratio is - and you want to try and drive that down, like I mentioned above - head count-to-ticket ratio, time to detection and time to response. Those are all things that you want to be able to track so you can see if there's any trends happening so that you can course-correct. 

Dinah Davis: And then finally, orchestrate and automate because we all know how much, like, just automating the crap out of everything is amazing. So you want to extract the most value from your security tools and then orchestrate and automate everything else, right? So orchestrations can connect your security tools into a single pane of glass, ensuring they're all working together cohesively. You can set up streamlined workflows that will work between tools to eliminate any manual or tedious tasks. And you can free up that time for those, you know, very skilled security workers that you have to work on higher-value things. 

Dave Bittner: Now, when it comes to, you know, turning off that fire hose of alerts, I mean, is it kind of like email, where every now and then, it's a good idea to go through your spam folder just to make sure that nothing's accidentally getting shuffled off into there? 

Dinah Davis: Yes, it definitely is - definitely. You want to take a look at that, you know, on a regular basis, whether it's monthly or quarterly. You can often, like, prioritize the results coming in as, like, high, medium and low. So you probably want to go through your mediums more than you want to go through and do a review of your lows, right? 

Dave Bittner: Right, right. No, that makes good sense. All right. Well, good information - Dinah Davis, thanks for joining us. 

Dinah Davis: You're very welcome. 

Dave Bittner: Thanks to all of our sponsors for making the CyberWire possible. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at 

Dave Bittner: Be sure to check out this weekend's edition of "Research Saturday" and my conversation with Karl Sigler from Trustwave. We're discussing their research on HTML Lego: Hidden Phishing at a Free JavaScript Site. That's "Research Saturday." Do check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.