The CyberWire Daily Podcast 9.16.21
Ep 1419 | 9.16.21

Election-season cyber incidents in Germany. South Africa works to recover from a ransomware attack on government networks. Cryptojacking botnet moves to Windows targets. Ransomware notes.


Dave Bittner: Denial-of-service at a German election agency, as Federal prosecutors investigate GhostWriter. More nation-states get into election meddling. South Africa works to recover from a ransomware attack against government networks. A cryptojacking botnet moves from Linux to Windows. A ransomware gang threatens to burn your data if you bring in third-party help. Ransomware cyberinsurance claims rise. Rick Howard checks in with Tom Ayres from Lead-Up Strategies on cyber piracy. Caleb Barlow shares insights on CMMC. And boy, is it a really good week to patch.

Dave Bittner: From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Thursday, September 16, 2021. 

Dave Bittner: Germany's Federal Returning Officer, the agency responsible for running next week's elections, was subjected to a distributed denial-of-service attack, AFP reports. The incident occurred as Federal prosecutors continued their investigation into a cyberespionage campaign against the Bundestag and other targets. 

Dave Bittner: The incident was brief and of minor effect, but it contributes to concerns about the security of the elections scheduled for the 26 of September. The incursions into Bundestag networks, and the parliamentary email accounts in particular, have been traced to Russian intelligence services, and they’re believed to be contributions to a broader campaign intended to disrupt or influence elections. 

Dave Bittner: While Russian operators have been most often associated with election influence and interference, especially in that part of the popular mind that pays attention to such things. After all, Fancy Bear and Cozy Bear achieved their Western media fame from their operations during the U.S. 2016 election season. 

Dave Bittner: But Russia isn’t the only country that’s in the business of election meddling. This week’s summit, sponsored jointly by AFCEA and the Intelligence and National Security Alliance, included a discussion of election security. Speaking at the conference, U.S. Army General Paul Nakasone, Director NSA and Commander, U.S. Cyber Command, said, as quoted by SIGNAL Magazine, "What has changed with influence in regard to the elections - first of all, there is more than one adversary. It began with just the Russians, and now it is the Russians, the Chinese, the Iranians. It is a number of different actors. In terms of 2022, our focus right now is obviously being able to generate the insights of what adversaries are doing and who might be doing that. That focus will move very, very quickly to being able to share that information with a broad range of partners," end quote. 

Dave Bittner: The September 6 ransomware incident in South Africa has spread through the networks of the country’s Department of Justice and Constitutional Development, according to BleepingComputer. No group has claimed responsibility, and no stolen data have appeared on the usual dump sites. The Department says it has no evidence that any data were compromised, and that it's working to restore its networks. Thus far the most important service disruptions have been in child maintenance payments, which are on hold until the systems that deliver them are more fully restored. 

Dave Bittner: Security firm Akamai, which has been tracking the Kinsing cryptojacking botnet, reports that the threat has evolved from Linux malware to Windows malware. Kinsing has RAT capabilities as well as its primary coin-mining functionality. There are several things an organization can do to help protect itself against Kinsing and similar cryptojacking attacks. Akamai recommends that a good place to start is by "monitoring processes on your systems for abnormally high resource consumption and suspicious network activity. Abnormal high CPU usage for a given process may be an indicator of cryptomining activity," end quote. 

Dave Bittner: Ransomware gangs really don’t want you calling for help. Don’t call the cops, they say, and don’t bring in a hired negotiator to dicker with them. 

Dave Bittner: RagnarLocker earlier this month threatened to dump stolen data should victims work with law enforcement or seek the assistance of third-parties. A second ransomware gang, Grief, has adopted a similarly aggressive stance. BleepingComputer reports that Grief has said it would delete decryption keys if a victim brought in a third-party to negotiate its ransom. We'll burn your data if you get a negotiator, is how the Register describes the threat. 

Dave Bittner: What Grief actually wrote on their Tor-hosted blog was this - quote, "We want to play a game. If we see professional negotiator from Recovery Company, we will just destroy the data. Recovery Company, as we mentioned above, will get paid either way. The strategy of Recovery Company is not to pay requested amount or to solve the case, but to stall. So we have nothing to loose in this case - just the time economy for all parties involved. What will this Recovery Companies earn when no ransom amount is set and data simply destroyed with zero chance of recovery? We think millions of dollars. Clients will bring money for nothing, as usual," end quote. And it's signed Grief ransomware gang without so much as a sincerely, a yours truly or even a respectfully, still less a deferential Naval very respectfully. 

Dave Bittner: If you're keeping score, Grief is the child of BitPaymer or DoppelPaymer or maybe both. And these, in turn, were begat by the ironically named Russian gang Evil Corp. Evil Corp has been under U.S. sanctions for some time. The general opinion among those who think about these things, like the security firm Emsisoft, which has made a specialty of working against ransomware, is that these kinds of sanctions flow down to the progeny. So if you are within reach of U.S. law, it's not a good idea to pay the ransom since Grief can't be legally paid in any case. 

Dave Bittner: Marsh's annual report finds that claims associated with ransomware attacks have accounted for roughly a fourth of European cyber insurance claims between 2016 and 2020. Quote, "ransomware claims accounted for 32% of cyber claims in 2020. This has been a significant increase. Indeed, ransomware claims accounted for 14% of cyber claims notifications from 2016 through 2019. The 2020 notifications have pushed that overall percentage up to 24%, nearly double what had been reported in the previous four years," end quote. 

Dave Bittner: So the more recent rates of ransomware claims are running even higher than the long-term figure suggests, amounting to about a third of them. And Marsh points out that if anything, this rate understates the frequency of ransomware attacks themselves. It doesn't include many unsuccessful attacks. Quote, "this figure would be even higher if malicious cyber claims events had not been stopped in their tracks. For many cyberattacks, the ultimate objective is the extortion of a ransom payment. However, when a proficient IT department or external emergency response team is able to stop the attack before an actual ransom demand is identified, the event will not be recorded as ransomware," end quote. 

Dave Bittner: And finally, WIRED offers some sound advice. With this week's patches from Apple, Microsoft and Google's Chrome, this would be a good time to update all your devices. 

Dave Bittner: Batten down the hatches, hoist the main sail and fly the Jolly Roger - my CyberWire colleague Rick Howard recently checked in with Tom Ayres from Lead Up Strategies on the topic of cyber piracy. Here's Rick. 


Rick Howard: If that music sounds familiar, it is. It's from the "Pirates of the Caribbean" movie soundtrack. Because today, we're talking about pirates - aargh. I'm joined by Tom Ayres, an advisor with the RAND Corporation, CEO of a consulting group called Lead Up Strategies and a retired major general of the U.S. Army, where he spent most of his career as a judge advocate. And he published an opinion piece in The Wall Street Journal back in May about an archaic law buried deep in the U.S. Constitution called letters of marque and reprisal that we used to fight pirates with back in the 1800s. And the great thing about it is we might be able to take advantage of the law today in the fight against cyber pirates. 

Rick Howard: Tom, I read your essay. It's really interesting. So tell me what a letter of marque and reprisal is. 

Tom Ayres: The letters of marque and reprisal were not invented by us. It's French. The idea was to help fight pirates. It was to give merchant men the opportunity to arm their ships and then go out and fight pirates. What it really did was it gave them standing in admiralty court so if they actually sunk a ship or if they took a ship captive, the title of that ship would go over to them. So that was really important. You know, ships were expensive. 

Tom Ayres: If they acted without a letter of marque, then if they captured a ship, it would become the government of France or the government of Spain, wherever they were from. It was called prize money. So it was an incentive for them to go on and take on these nasty pirates. And it was a way for the national navies to really expand their reach. 

Tom Ayres: It's in the Constitution. In Congress' power, it specifically says that Congress can grant letters of marque and reprisal. And, you know, our Constitution doesn't have that many words, so when we have some words, I think we ought to take advantage of them. And we haven't taken advantage of this part of the Constitution really since the Barbary Wars in the early 1800s. 

Tom Ayres: The idea was our Navy was very small. When we first started issuing letters of marque, we had one ship, really - a 14-gun, the Enterprise. And so they started building the six frigates. And with this letter of marque idea, lots of merchmen (ph) started arming their ships. And we expanded the size and the reach of our ability to defend ourselves and take on pirates or the British ships. So it was very important. 

Tom Ayres: Also, during World War II, there's some controversy over the Goodyear blimp. It said it had a letter of marque from Congress. It might have been just a phone call because there's nothing really on the books about the letter marque. But they started hunting for submarines on the West Coast after the attack on Pearl Harbor. So that was, you know, what made me think, if it was good enough for the age of flight after the age of sea, why not in the age of cyber? The analogy is not perfect because, you know, in the letter of marque, they had standing in an admiralty court and they were able to get this prize money, take title. Now, I'm not talking about a letter of marque that would allow them to retake data and then keep data, you know, or to take intellectual property that's been stolen by pirates. That's a thought. That's an idea. But that's not what I'm talking about. I'm talking about, you know, as that found an array of incentives to enlist private enterprise in a war, let's look at an array of incentives to enlist private enterprise in this cyber war that we seem to be in these days. 

Rick Howard: Are you saying that we could use these letters of marque to authorize, let's call them, volunteer privateers to take down bad guys' cyber infrastructure or maybe bad guys' cyber operations? 

Tom Ayres: I don't think that would be the logical first step. That would take some more thought. I think that might be somewhere we need to go in the future. What we see right now is that those who are hacking against us, they are using safe haven, and they're operating out of countries that if we were to strike back, it might be seen as an act of war. So in the original days, letters of marque were used. The pirates were given safe haven in countries like Tunis and Morocco and places like that. And so the same thing - the United States didn't want to get in a war with those countries, but they wanted to be able to attack the pirates that were getting harbor in those safe havens without it being an act of war. So I think that's something worth thinking about, but it's not something I would say would be the first step. 

Rick Howard: As a steadfast romantic myself, I really love this idea. It appeals to the swashbuckling way I'd like to view myself - that we'd actually, officially authorize an arm of, let's say, FireEye or the Palo Alto Networks' Unit 42 to seek out and destroy bad guy infrastructure like Errol Flynn did in the old '40s movies. And truth be told, the idea of it was one of the reasons I got into security back in the day originally. But when I finally come to my senses and start thinking practically, there is one thing that I've learned in my cybersecurity career, if I've learned anything at all. It's that just because you hit back, doesn't mean that the bad guys will give up. Escalation would most certainly happen, and I don't know if I want to see what happens if we get into that situation. 

Tom Ayres: I agree with you, Rick. But what if you were - even in the first stages, say you allow somebody - if they're hit from a certain IP address, that you would then allow them to immediately counterpunch and take out that portal with some kind of bot, so something that would be very limited. And again, I'm not a techie, so I don't know if that's even possible. But I like the idea of if you could have a limited response immediately that would counterpunch, that would affect the ability of them to attack us. 

Rick Howard: I knew if I waited around long enough, that I could call myself a pirate. How great is that? And it's certainly an out-of-the-box idea. Thanks, Tom, for all of that. That was Tom Ayres, the CEO of Lead-Up Strategies, a lawyer and a retired major general of the U.S. Army. And we will link to his essay in The Wall Street Journal in today's show notes. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the CEO at CynergisTek. Caleb, a lot of talk about CMMC, and I wanted to check in with you on that. What is it - first of all, what is it? What does it mean? And it's something that you in your world have an intimate relationship with here, so can you give us some tips on how folks should be approaching this? 

Caleb Barlow: Well, Dave, before we start, we probably need a disclaimer for listeners, right? 

Dave Bittner: OK. 

Caleb Barlow: This is - you know, this is content for mature cyber environments only. 

Dave Bittner: (Laughter). 

Caleb Barlow: Immature environments may find the following content disturbing. It may result in pounding one's head against the wall, going to one's boss for additional budget or feeling that one should go out right away and hire a consultant. So listener discretion is advised for this content. 

Dave Bittner: Fair enough. 

Caleb Barlow: So look, all kidding aside - right? - CMMC is the U.S. government's response to leveraging its purchasing power to change behavior in the private sector. It stands for the Cybersecurity Maturity Model Certification, or CMMC. 

Dave Bittner: Right. 

Caleb Barlow: And basically, all 300,000 suppliers to the defense industrial base, the touch-controlled unclassified information, are going to have to start to comply with it. And, you know, my - one of our divisions, a company called Redspin, was actually the first company to be certified at this level and also the first company to be certified to do these assessments or authorize, I should say, to do these assessments. And here's the big thing about it, right? The documentation requirements are quite significant. 

Caleb Barlow: And, you know, what I want to talk a little bit about today is - what you need to think about in this is if you've ever been in, like, a manufacturing environment where, you know, you need to comply with ISO 9000 or, you know, you've gone through a Six Sigma process, this is like that for security. And it's all effectively based on the NIST framework as it's underpinning. So people are going to be very familiar with it, but it requires a few things like, you know, your documentation needs to describe both your policies and your procedures. Those are two different things. They need to be updated regularly. Everybody's got to understand it. And the documentation requirements are just not trivial. But here's my point, Dave. It's going to be required for those DIBBS suppliers, but it's also a really great framework for anybody else that's maybe historically been using the NIST CSF to think about maybe how they up their game and so up their cybersecurity posture, particularly on the documentation. 

Dave Bittner: How heavy a lift is this? I mean, if I'm coming into this, is it - can you frame it in a way of, it's going to take, you know, X% more effort on our part to be compliant here, or is that even a good way to look at it? 

Caleb Barlow: Well, Dave, your listeners can't see this, but you and I are on video. And... 

Dave Bittner: Yeah. 

Caleb Barlow: This is my documentation. It's a binder 3.5 inches thick. 

Dave Bittner: (Laughter). 

Caleb Barlow: OK? 

Dave Bittner: That is a major metropolitan phonebook. 

Caleb Barlow: It is a major frickin' lift, right? 

Dave Bittner: (Laughter) Right. OK. 

Caleb Barlow: But here's the thing. 

Dave Bittner: Don't hurt yourself. 

Caleb Barlow: It doesn't ask you to do anything that you didn't think you were already doing. And that was the fascinating thing about this. Is - when we approach, oh, yeah, we do all that. And then we started to look at our documentation, we're like, oh, well, maybe we kind of implied that, but maybe it wasn't quite as crisp. 

Caleb Barlow: So here's the thing - a couple of things it's looking for to demonstrate maturity. One, have you kept your documentation up to date? So every major incident, did you go back in and update what worked and what didn't work? Every major cyber exercise, every change in the organization of who's responsible for what, did you update the documentation? 

Caleb Barlow: And one of the key tasks that we use to pass this was - you know, Dave, if you fell into a volcano and weren't able to administer systems tomorrow, would the documentation be good enough that the next person could step in and figure out what to do? And if you think about it, a lot of people - the documentation, it's probably there, but is it really crisp enough to do that? 

Caleb Barlow: So let me give you an example, Dave. Let's say something like multi-factor authentication, right? So if you're the admin over MFA and you fall in the volcano, can your team understand the policy of what and where you do this? Like, where does multi-factor authentication need to be applied? Where do you keep the exceptions? Like, you know, OK, we've got an exception on this system because it just won't support MFA. So how do you track the exceptions? Do the procedures - are they articulate enough that if somebody needs to set it up again, they know how to do it? 

Caleb Barlow: And then, here's the interesting thing. CMMC goes beyond just the security team to, let's say, the CFO. If I go to the CFO, can I say, hey, you know, you've said your policy requires multi-factor authentication. Where is that in your budget? How do we know that you're funding this? And can you demonstrate that this requirement is properly being funded? 

Caleb Barlow: But also, it turns to HR and says, OK, when, you know, Dave quit because he, you know, wins the lottery and goes on to a desert island and I go to hire the next admin, how do I ensure that I'm hiring an admin with the skills to manage that system? So it's really comprehensive and, again, required for DIBBS suppliers that are in that 300,000, but also worth looking at for everybody else. It's a great framework to take your kind of NIST CSF to the next level. 

Dave Bittner: Really, it sounds like it overlays a certain level of discipline and organization to the - as you mentioned, the things you may already be doing. 

Caleb Barlow: Well, here was the funny thing. When we went through this, our CFO - now, we're a public company, right? So, you know, Sarbanes-Oxley and everything else. 

Dave Bittner: Yeah. 

Caleb Barlow: You know, our security team's like, oh, my gosh, this is a ton of work. We've got to get all this stuff documented. Our CFO is looking, and he's like, why are you guys crying? He's like, this is what I do every day as a public company. 

Dave Bittner: (Laughter). 

Caleb Barlow: I can't do anything without having crisp controls and having them documented. So in a lot of ways, once you get past all the political drama and everything else around this, this is all stuff that the rest of the industry has been doing for years. And security professionals are just catching up. 

Dave Bittner: All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.