The CyberWire Daily Podcast 5.18.17
Ep 352 | 5.18.17

OilRig hires the Russian cyber-mob. WannaCry updates. Other EternalBlue exploits surface in the wild. Pending legislation in the US Congress. NIST issues guidelines for Executive Order compliance.


Dave Bittner: [00:00:00:22] The CyberWire podcast is made possible in part by listeners like you, who contribute to our Patreon page. You can learn more at

Dave Bittner: [00:00:13:10] Iran's OilRig cyberespionage campaign seems to employ Russian hoods and BlackEnergy. WannaCry recovery continues, but there may be worse to come. Still talking funny, the ShadowBrokers say you'll be able to subscribe to an Equation Group leak service next month. The US Senate considers putting the Vulnerability Equities Process on a legal foundation. NIST issues draft guidance on cyber Executive Order implementation, and political parties in western Europe still stink at email security, for all their worries about Fancy Bear.

Dave Bittner: [00:00:49:12] Time to tell you about our sponsor, Recorded Future. You've heard of Recorded Future, they're the real time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of cyber attacks. Go to to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and the price is right. That's, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:53:08] Major funding for The CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Thursday, May 18th, 2017.

Dave Bittner: [00:02:03:16] We begin with news about matters other than the WannaCry ransomware pandemic. OilRig, a cyber espionage campaign generally believed to be run by Iran against regional rivals, especially Saudi Arabia, has resumed. This time, researchers at California-based TrapX Security see evidence that Iran is using the services of Russian cybercriminals. In particular, they're finding some use of BlackEnergy malware in the OilRig campaign. BlackEnergy, of course, was most famously used against Ukrainian power distribution infrastructure back in late 2015.

Dave Bittner: [00:02:38:12] Victims of WannaCry ransomware continue to treat their infestations. Researchers are increasingly convinced the attack was a North Korean operation that bears the fingerprints of the Lazarus Group, but the evidence remains circumstantial, the attribution preliminary and provisional.

Dave Bittner: [00:02:54:24] Other, better crafted and arguably more dangerous campaigns exploiting EternalBlue vulnerabilities are under way, and they seem to be playing a longer, more focused game. Proofpoint has described Adylkuzz, a malicious cryptocurrency miner that began quietly circulating in the wild weeks before WannaCry appeared. Its masters are using infected machines to accumulate coin. This cryptocurrency mining scheme has been quietly in progress for some weeks before WannaCry came to light.

Dave Bittner: [00:03:25:01] Heimdal Security warns of the discovery of what they're calling BlueDoom, and this one is disturbing. It's more sophisticated in execution by far than WannaCry. As Heimdal puts it on their blog, "BlueDoom is different from WannaCry because it shows a long term intent to make use of vulnerabilities stemming from virtually all ShadowBrokers' leaks containing Windows exploits. BlueDoom disguises itself as WannaCry, but it's a completely different type of worm that does not drop ransomware." In fact, BlueDoom appears to aim at quietly establishing persistence in victim networks, presumably with a view to activation later for future attack campaigns.

Dave Bittner: [00:04:03:09] Where the ShadowBrokers got the EternalBlue exploits remains unknown. Unknown also are the identities of the Brokers themselves. Speculation tends to focus on either Russian intelligence services or a rogue American, a high-end hacktivist. Whoever the ShadowBrokers are, they're sticking to their outrageously bogus broken English and promising a subscription service for Equation Group zero-days, coming to a black market near you in June.

Dave Bittner: [00:04:30:12] As more of our time is spent on our mobile devices, the security of the apps on those devices is a growing concern. Mandeep Khera is from Arxan Technologies, a company that specializes in app protection, and he spoke with us about protecting your binaries in your mobile apps.

Mandeep Khera: [00:04:42:05] We find that over 90% of mobile apps out there have not been protected from the binary port protection point of view, so hackers are coming in. I mean you know, they find the weakest link and they go in and they're exploiting the heck out of these applications.

Dave Bittner: [00:05:04:23] And so, from a real world point of view, what are some typical ways that you see this affect people?

Mandeep Khera: [00:05:11:12] Yes, so it depends on the industry, right? So, for example, in the financial services, mobile banking, mobile payments type of applications that any of the large to mid-size banks release out to Apple or Google Play Store. What hackers do is they get into the binary code, which is available openly, and they would use an off-the-shelf tool like Clutch, for example. They decompile the binary code. They can reverse engineer, get to the source code. They can steal the cryptographic keys. They can steal the credentials. The end result is a number of things within that they can do. For example, they can point the app to their own bank account, so it could result in, obviously, financial losses for the consumer, then ultimately for the bank. Obviously, they can create like a malicious app. They can put malware on it.

Mandeep Khera: [00:05:30:12] If you look at other industries like, for example, in gaming, the two big issues that come up on the gaming side are IP protection issues, because hackers can steal the actual game and post it on Reddit and other places so everyone can have access to that for free. They can also have anti-cheat type of issues. So, for example, they can create some cheats by hacking into the application, and then they can release it and sell it, actually, in the Dark Web.

Dave Bittner: [00:06:19:10] So, what are you recommending for how companies can address security when it comes to these mobile apps?

Mandeep Khera: [00:06:40:05] I think the most important thing companies need to realize is that binary code is the weakest link and it's exposed, that hackers can get into. So they need to protect that by doing things like encryption, obfuscation and also making sure that there are checks in there so they can see when the attack is happening, and they can take action if an attack is happening, those types of things.

Mandeep Khera: [00:07:02:15] But, beyond that, they also need to protect their cryptographic keys which, if they're exposed, hackers can steal those, get back to the source code and basically reverse engineer the whole code. One of the biggest issues right now that we find, at least in talking to hundreds of CSOs that I've found, there is again a misconception that, "Hey, I'm storing everything on the server side. I don't have as much on the mobile app, end point side, so I'm secure." That is absolutely not true, and I think, you know, again, once cryptographic keys are exposed, hackers can come back and get to the source code on the server side. So they just need to understand it much better in terms of what the exposure is here and how to fix it.

Dave Bittner: [00:07:49:01] That's Mandeep Khera from Arxan Technologies.

Dave Bittner: [00:07:54:11] The US Senate is considering legislation that would take the Vulnerability Equities Process out of the hands of the intelligence community and formalize it as a matter of law. The pending bill, the PATCH Act - the Protecting our Ability to Counter Hacking Act of 2017, to unpack the forced acronym for you - defines vulnerability and establishes a mechanism by which disclosures would be made.

Dave Bittner: [00:08:18:08] The bill places responsibility for overseeing disclosure of vulnerabilities in a Vulnerability Equities Review Board, to be chaired by the Secretary of Homeland Security. The Board would set disclosure policy, and the draft bill expresses an expectation that the default position would be public disclosure, with the very large and flexible exception of vulnerabilities deemed to affect national security.

Dave Bittner: [00:08:42:03] NIST has supplemented US President Trump's cybersecurity Executive Order with guidance on how agencies should implement that order. Public comment on the document will be accepted until June 30 of this year. It's good that NIST has done so, since its Cybersecurity Framework, formally known as the Framework for Improving Critical Infrastructure Cybersecurity, is the armature around which the President's order is constructed.

Dave Bittner: [00:08:42:12] Finally, for all the concerns about election hacking in the West, security company Agari studied the state of email security in German, Norwegian and British political parties. Some score better than others - Britain's Liberal Democrats and Greens doing best - but in general they're all deficient in email authentication, with poorly implemented DMARC policies, that's Domain-based Message Authentication, Reporting and Conformance. Perhaps someone should remind the leaders in the various parties worried about Russian influence operations, that email was, at least in part, the downfall of the US Democratic National Committee.

Dave Bittner: [00:09:49:03] As our sponsors at E8 Security will tell you, bliss is not only knowing what's going on in your networks, but being able to distinguish the goodness from the badness. That's their promise for their behavioral analytics, and they're willing to show you, too. So, go to for a small scale checkout where you can see for yourself. Their behavioral analytics platform gives you insight into every stage of the attack lifecycle across your network, users and end points, even those often overlooked little things in the Internet of Things. The bad actors can spoof an identity, they can steal a credential, but their crimes will betray them. That's what behavioral analytics can do for you. You can check it out for yourself at Don't let the data trees get in the way of seeing the risk forest and enjoy the ride. And we thank E8 for sponsoring our show.

Dave Bittner: [00:10:47:22] My guest today for our partners segment is Dale Drew from Level 3 Communications. We're talking about ransomware and, just as a listener note, we recorded this segment a few days before WannaCry was released. It's interesting to hear Dale's predictions about how bad ransomware was going to be in 2017. That came true.

Dave Bittner: [00:10:52:08] Dale, we are well into 2017 and, certainly, one of the big threats this year - people predicted it and it's come true - that's ransomware.

Dale Drew: [00:11:15:00] Yeah. We think ransomware is going to be the biggest threat for 2017. Not only does it use all the other traditional sort of deployment mechanisms, you know, phishing attacks, to be able to get an employee to click on a link. Malware droppers to be able to deploy the ransomware, but it also provides sort of direct pay benefit for the bad guy. Some really depressing studies have come out that show that about 40% of people are paying ransomware and so, you know, the motivation for them to be repeat victims is definitely up there. They say that the average ransomware payout is between 100 to $500 per victim.

Dave Bittner: [00:11:58:15] And are they getting their data back when they pay?

Dale Drew: [00:12:00:16] No. See, that's the thing. Now, in some cases we've seen some ransomware operators who actually provide the key. Our typical experience is we see a victim pay, pay in escalation, and then the bad guy just disappears and does not provide the key to be able to unlock all their files.

Dave Bittner: [00:12:23:08] It was a remarkable finding about consumers and awareness of ransomware.

Dale Drew: [00:12:27:19] Yes. So, this study from Trustlook was showing that about 45% of consumers have not even heard of ransomware as of yet. That's the single largest concern that we have with regard to consumer based security issues, especially ransomware. The step is to be able to protect yourself, even if you are a victim, it's really easy if you were just to make a backup copy of your critical files before you become a victim. Once you become a victim, then all your files are already gone. So it's just like ID theft, having protected mechanisms to protect your identity upfront, like locking your credit history. Those things you can take proactively to prevent yourself from becoming a victim or better protect yourself once you are a victim. It really concerns me that 45% of consumers have not even heard of it and are just waiting to be victimized up front.

Dave Bittner: [00:13:22:06] Yes, it's a tough thing to learn about the hard way.

Dale Drew: [00:13:24:15] Yes. You know, the other concern is that they said ransomware has jumped about 23% in 2016, and so far - I mean we're in May - it's already at another increase of 25% in 2017. So that trend in ransomware growth is going to grow fairly significantly, I think, in 2017.

Dave Bittner: [00:13:45:03] And, of course, grow it did, thanks to WannaCry being released not long after we recorded this segment. Dale Drew from Level 3 Communications.

Dave Bittner: [00:13:55:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary and more, visit Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance protects you using artificial intelligence, visit

Dave Bittner: [00:14:12:14] If you enjoy the CyberWire every day, we hope you'll consider leaving a review for us on iTunes. It is one of the best ways that you can help other people find our show and, of course, you can show your support for the CyberWire by supporting us on Patreon. Visit to find out about how to become a contributor and all of the benefits we've put together for those who give.

Dave Bittner: [00:14:33:06] The CyberWire Podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jennifer Eiben, technical editor is Chris Russell, executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.