The CyberWire Daily Podcast 1.11.17
Ep 263 | 1.11.17

Shamoon is back, now with credentials for virtual desktops. Ukraine believes it was hacked again. Ransomware updates. Elections, investigations, and influence operations. The Pokemon threat?


Dave Bittner: [00:00:03:11] Shamoon is back and still a nasty piece of work. Ukraine's grid was hacked again last month, probably by the same people who did it at the end of 2015. A new strain of ransomware offers a tiered extortion model and, unfortunately, pretty solid encryption. France and Britain prepare for Russian election hacking and, go figure, China's government still feels threatened by Pokemon.

Dave Bittner: [00:00:30:15] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career or your first career, you need to check out and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs and it's great for recruiters too. If you're an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. To learn more visit That's And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:25:20] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, January 11th, 2017.

Dave Bittner: [00:01:35:03] Shamoon is back. The destructive malware famous for having wiped some thirty-thousand Saudi Aramco computers in 2012 has been discovered circulating in a new variant. Researchers at security company Palo Alto Networks say the targets this time around, that is, targets of attacks observed since November 2016, are again in Saudi Arabia, but that this version of Shamoon appears to come equipped with stolen credentials for accessing virtual systems. Notably, they've observed default credentials for Huawei's FusionCloud desktop virtualization solution. They speculate that the accumulation of credentials is intended to lend greater destructive impact to the malware once it's employed. The goal appears to be, as it was in 2012, the destruction of data and systems. How Shamoon's controllers got the credentials remains under study. Observers generally concluded that Shamoon, at least in its first go-round, was an Iranian cyber weapon, unleashed perhaps in retaliation for Stuxnet.

Dave Bittner: [00:02:36:20] The suspected attack on Ukraine's power grid around Kiev last month has gained some confirmation this week. The outage on December 17, 2016, appears to have been part of a larger campaign against "high-value targets" in a variety of sectors, including Ukraine's Ministry of Finance and the nation's railway. The larger campaign seems to have begun on December 6. Sources close to the investigation say the attack looks like the work of the same actors who took down electrical service in December 2015. Ukraine's government attributed that attack to Russian intelligence services. The motivation this time is thought to be sabotage, but sabotage possibly conducted as a rehearsal for some larger campaign.

Dave Bittner: [00:03:20:14] The security firm Emsisoft, which has a long record of successful work against ransomware, reports on a new variety they're calling "Spora." Emsisoft calls Spora "highly professional in both implementation and presentation," and indeed the screenshots they provide show a nice, clean design. Spora's developers are apparently Russian criminals, as the ransom demand is composed in Russian, but it's only fair to note that such evidence is circumstantial.

Dave Bittner: [00:03:48:18] The extortion demand is relatively low, but it's interesting in that you can buy tiers of service. You, were you a victim, could purchase restoration of your files for just $30. They'll restore two files for free, as a loss leader. But that won't remove the ransomware. If you want that done, it will cost you another $20. And if you'd like immunity from reinfection, that will run you $50. You can buy all of these things as a package for the low, low price of $75. They also offer a chat feature as a customer service, and Emsisoft says that the hoods seem to reply fairly promptly.

Dave Bittner: [00:04:25:04] Spora encrypts using a mix of RSA and AES. Unfortunately, as Emsisoft observes, the developers managed to get their encryption right on the first try. There's no known way of retrieving affected files without access to Spora's author's private key. Emsisoft reiterates the tried and true advice that your best security is regular, secure backup. They also offer a behavioral blocking solution that can alert you to the presence of ransomware before it encrypts.

Dave Bittner: [00:04:53:20] IBM Security recently released the results of a study on ransomware, and some of the results are surprising. Limor Kessem is executive security advisor at IBM.

Limor Kessem: [00:05:01:23] What we ended up finding out during the survey was actually pretty startling. All across the board, we found out there's definitely not enough awareness when it comes to ransomware. On the business side there were only two out of three executives who knew about ransomware, where you would think it would be a lot more people who would be aware of such a threat that's been so rampant in these past few years. Also very interesting was that one in two businesses were affected by ransomware, so a lot of businesses have been seeing all kinds of damage from ransomware and 75% of those hit with ransomware actually paid the criminal. 50% of the people who paid, paid more than $10,000 and 20% of those who paid, paid more than $40,000. So businesses have been paying a lot of money to criminals for pretty much nothing, for attacking them and having to recover from that attack eventually.

Dave Bittner: [00:05:55:22] I found that statistic striking. I mean, we hear quite often, people say don't pay the ransomware people. That the best defense against this is good backups. But that's not what the survey found.

Limor Kessem: [00:06:07:13] Correct. So, what we were wondering is how come businesses have been paying. I mean, you would expect every business to have proper backup systems and, you know, they have a routine and they have business continuity and all that kind of stuff in place. So it turns out that a lot of times, even if they did have backup data, there could be a few things that would happen. One is that the criminals would actually find the backup data, even the backup server, and over time and in a more targeted attack fashion, encrypt the data and make them pay. You know, let's say a business got encrypted for six months' worth of data, they really are, you know, in trouble and they would probably have to negotiate with the criminals. In other cases, the backups didn't work, so they had backups, but for some reason they weren't able to restore from them, or maybe they weren't as up to date as they needed them to be. In many cases businesses didn't have an actual response plan in place. So, when they were caught off guard with such an attack, they started having to speak to the criminals, because they weren't sure how to act from there and what to do.

Limor Kessem: [00:07:10:23] Having an incident response in place would be super important for businesses to be able to recover. To have, of course, within that response plan, the backups properly done, to help them disconnect them from the live network. Have them done frequently enough, but not connected directly to the live network, for criminals not to be able to reach those backups, or back up to, you know, a cloud service or other ways for them to make sure that their backups are going to be present. And also test them to make sure, yes, you can recover from an attack if ever that was to happen, and I think that there are success stories out there. You just don't hear about them that much. But businesses that do have a proper response in place, they can recover from a ransomware attack without having to pay the criminals.

Dave Bittner: [00:07:57:21] That's Limor Kessem from IBM Security.

Dave Bittner: [00:08:02:07] Louis Pasteur said it, and we'll say it again: "Fortune favors the prepared mind." If you're planning to be down around Norfolk, Virginia this Groundhog Day, take a look at our event sponsor Rsam's lunch-and-learn session on security incident response. SANS instructor Alissa Torres and Rsam CISO Bryan Timmerman will help you prepare your mind. See the Event Tracker at for information.

Dave Bittner: [00:08:27:13] Yesterday, Microsoft patched Edge, Office, and Windows in what was a relatively light Patch Tuesday. Light or not, patching is always important, so look to your systems.

Dave Bittner: [00:08:37:19] European governments, especially France, Germany, and the UK are looking to shore up election security in the face of hacking and influence operations Russia mounted against voting in other countries, especially, of course, the US. Foreign policy types have been observing that fiddling with elections is nothing new and those foreign policy types old enough to have made their bones during the Cold War point out that both sides in that long struggle worked hard on all kinds of propaganda and influence.

Dave Bittner: [00:09:07:01] Consideration of influence operations attracts new interest as the Guardian, sourced largely by Buzzfeed, which in turn appears to have been largely sourced by 4Chan, reports rumors of compromise and collusion with Russia in President-elect Trump's campaign. The media treat the rumors with cautious but interested skepticism. The President-elect tweets that it's all fake news. The story is developing, but more slowly over the course of the day than it had last night.

Dave Bittner: [00:09:35:09] And finally, those foreign policy types we mentioned before are commenting that lots of embassies are tweeting away to beat the band, and they wonder what's up with that, since proper diplomacy used to be conducted in person, preferably in French. Russian embassies appear to be particularly enthusiastic tweeters. For some reason their tweets are often marked by the unedifying image of Pepe the Frog. Pepe is not, as one might think, a harmless if poorly rendered and somewhat dissolute water Pokemon, but rather forms part of various extremist memes that, we're happy to say, we haven't had to come into close acquaintance with.

Dave Bittner: [00:10:11:09] Speaking of Pokemon, Chinese authorities have reiterated their decision. Pokemon-Go is a threat to state security. Ash Ketchum, think twice before boarding that plane to Shanghai.

Dave Bittner: [00:10:27:17] Time for a message from our sponsor Netsparker. You know, when you want automated security, you want it to be automatic. Netsparker delivers a truly automated web application security scanner. It can be surprisingly labor intensive to scan websites and other solutions need a lot of human intervention. To take one example, with other scanners you have to configure URL rewrite rules to properly scan a website. Not with Netsparker. They say it's the only scanner that can identify the setup and configure its own URL rewrite rules. Visit to see how Netsparker's no false positive scanner frees your security team to do what only humans can. And don't take their word for it. If you'd like a free trial go to and you'll get a 30 day fully functional version of Netsparker Desktop. Scan your websites with no strings attached. That's And we thank Netsparker for sponsoring our show.

Dave Bittner: [00:11:28:15] Joining me once again is Professor Awais Rashid. He heads the Academic Center of Excellence in Cybersecurity Research at Lancaster University. Professor Rashid, you know, we talk a lot about automation, we talk about the things that the computers are doing, but I think it's pretty easy for us to overlook that the human factor in all of this is really a critical part of it.

Professor Awais Rashid: [00:11:49:00] Indeed. One of the things that we often overlook is that it is humans who actually write the software that sits underneath all of this infrastructure. So, for instance, if you use mobile apps or you have Internet devices such as smart watches on your person, in your home or your workplace, do you actually think about who developed the software that drives these apps and devices? What was their understanding of cybersecurity? How did they make decisions that impact the cybersecurity of the software that is within these systems, and how did they make those design choices? Or, on the other hand, you might be someone who develops this software, and do you actually think about how you make decisions about security within this software, what drives your design choices? At the moment, we really have very little understanding of this fundamental issue, as to how security decisions are made within the software development process, and the developers who are actually working on this software that is used by millions around the world, how do they come to those decisions, what are the factors that affect them, for example, the cost, the pressure to market, the features that customers or the users might want? This is something that needs to be explored in detail and something that we will be doing within a research project that we will be starting within the next few months.

Dave Bittner: [00:13:12:07] You know, I hear a lot of people talking about how, rather than sort of bolting on security, that we need to design it in from the outset.

Professor Awais Rashid: [00:13:20:16] Absolutely. We need to design it in from the outset, but the problem is more complex than that. If you are a programmer, what would you rather do? Let's say you're an app programmer and you are wanting to push your app to millions of people around the world, you're going to focus on the functionality that will attract those people, and often security can take a bit of a backseat, because it is seen at times, you know, rightly or wrongly, to get in the way. One of the key things is, we need to understand the drivers that influence developers in their choices about security, and in many ways we need to give them the right tools that don't mean that security, in not so many words, gets in the way. We need to make sure that the way we want people to do secure programming works with them, rather than against them, in the objectives they want to achieve from the software that they are developing.

Dave Bittner: [00:14:17:24] Professor Awais Rashid, thanks for joining us.

Dave Bittner: [00:14:22:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, and especially to our sustaining sponsor Cylance. Find out more about how Cylance can protect you at Don't forget to follow us on Twitter and on Facebook. The CyberWire podcast is produced by Pratt Street Media. The editor is John Petrik. Our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.