The CyberWire Daily Podcast 6.16.17
Ep 372 | 6.16.17

More from Vault7. How and why the DPRK hacks. FIN10 hits North American businesses with extortion demands. UK unis sustain ransomware infestation. Free decryptors are out, and ISACs seem to be working.

Transcript

Dave Bittner: [00:00:01:02] The CyberWire podcast is made possible in part by listeners like you who contribute to our Patreon page. You can learn more at patreon.com/thecyberwire.

Dave Bittner: [00:00:13:18] WikiLeaks dumps more of Vault7. There's more attribution of WannaCry to North Korea, where Hidden Cobra and the Lazarus Group appear to be one and the same. FIN10 cybercriminals are asking US and Canadian businesses for a big payoff to head off a big doxing. Conventional ransomware hits British universities. Kaspersky and Avast release free decryptors for Jaff and EncrypTile. The ISAC process seems to be working. And patch early, patch often.

Dave Bittner: [00:00:47:18] Now I'd like to tell you about some research from our sponsor Cylance. You've heard a lot lately here and elsewhere about WannaCry, the sloppy but dangerous ransomware campaign that became a pandemic. Our sponsor Cylance has a few things to say about it you may not have heard elsewhere. WannaCry spread as a worm and a nasty surprising one, so a lot of legacy defenses didn't stop it. But Cylance says its AI did. In fact, if you'd had Cylance's artificially intelligent software running on your systems, you'd have been proof against WannaCry infestations. Go to cylance.com/blog and check out the post on Cylance vs. WannaCry. Their math-driven models make the unknown cyber threats known and stop them from hitting you. Visit cylance.com/blog and see what they can do for you while the next WannaCry is just a gleam in the attacker's eye. And we thank Cylance for sponsoring our show.

Dave Bittner: [00:01:50:10] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, June 16th, 2017.

Dave Bittner: [00:02:00:19] It's been a week of patching news. If there were any patch-skeptics out there, if they've been paying attention, they ought to have a moment of clarity.

Dave Bittner: [00:02:08:12] Not only did Microsoft take the unusual step of reaching back into the grave of beyond end-of-life Windows software to fix the ghosts of operating systems past but WikiLeaks is back, too.

Dave Bittner: [00:02:20:02] Julian Assange's persistent gadflies yesterday released another tranche of files from their Vault7 which they claim consists of leaked CIA hacking tools. The documents in this round concentrate on exploits affecting at least 25 home router models, including devices from Linksys and D-Link. That number could be considerably higher, observers are saying. With relatively minor modifications the implant could be used against upwards of a hundred models.

Dave Bittner: [00:02:48:04] The principal implant described in the leaks, it's called "CherryBlossom," is said to have been used since 2007. Updated routers are probably not susceptible to this particular form of exploitation, which ought to provide yet another reason to patch these usually ignored and all-too-easily overlooked devices. We know. It's tough and we're certainly not going to cast the first stone with respect to home Wi-Fi devices. Still, good hygiene might as well start at home. Consider putting a bright ten-year-old in charge, if you've got one of those knocking around the house.

Dave Bittner: [00:03:20:23] The Washington Post reports that the NSA is attributing the WannaCry ransomware campaign "with moderate confidence" to North Korean espionage services. Much of that confidence derives, of course, from the sort of circumstantial evidence long cited by Symantec, Kaspersky, Dell Secureworks, and others. Telefonica’s ElevenPaths security research unit is among those pointing to countervailing circumstantial evidence, some of it linguistic clues in metadata but consensus is moving swiftly toward DPRK attribution.

Dave Bittner: [00:03:53:17] In the alert US-CERT issued earlier this week, for example, the FBI and the Department of Homeland Security explicitly identified the Hidden Cobra threat actor with the Lazarus Group which, of course, is widely held to be a DPRK security service.

Dave Bittner: [00:04:08:09] So why the wild sloppiness and direct conventional criminality so many discern in Hidden Cobra and the Lazarus Group? A long piece in WIRED, citing conversations with FireEye analysts and others, suggests that from Pyongyang's point of view, there's more rationality here than might appear under Western eyes. North Korea is an international pariah and knows it. It's subject to heavy sanctions and these bite deeply into its economy. It has powerful enemies and even its nominal friends really don't care for it very much. So the DPRK will grasp at whatever asymmetrical advantage it can. It will also look for ways to grab much-needed money and if bank robbery will do it, then bank robbery will do, as the Bangladesh Bank and the New York Federal Reserve learned first-hand. As far as the indiscriminate opportunism of attacks in cyberspace, well, if you've got little to lose, why not?

Dave Bittner: [00:05:02:08] Extortion in both its familiar forms, embarrassing doxing and ransomware, surfaced again this week. FireEye has described a group, "FIN10," which is seeking to extort Bitcoin from North American businesses. They're demanding, it seems, between 100 and 500 Bitcoin in payment, which equates at current rates to between $247,000 and $1,237,000. So this isn't lowball extortion.

Dave Bittner: [00:05:30:23] The threat is doxing and disruption. FIN10 will put sensitive corporate data up on Pastebin if they've not paid within ten days. After the ten-day deadline expires, documents will be posted every 72 hours. Once all the documents are out, and if they still haven't been paid, the crooks threaten that, quote, "Your computer network will be taken down in a large-scale attack," end quote.

Dave Bittner: [00:05:55:01] The criminals pose as known Serbian or Russian cybergangs, using the names "Angels of Truth," "Tesla Team," and "Anonymous Threat Agent," but FireEye thinks that's probably misdirection. Their English is too good, their Russian too poor, to carry off the imposture and their familiarity with Canadian and American targets suggests a lot of local knowledge.

Dave Bittner: [00:06:16:04] More conventional ransomware has disrupted at least two British universities this week, University College London and Ulster University. The institutions are in the process of recovery.

Dave Bittner: [00:06:28:00] There's some good news this week, too. First, on the ransomware front, two security firms have released recovery tools. Kaspersky has released a free decryptor for Jaff ransomware and Avast has done the same for EncrypTile. So, bravo, Kaspersky, and bravo, Avast.

Dave Bittner: [00:06:45:18] There's also some good news in the midst of the very bad news about the CrashOverride industrial control system malware that's been identified in the 2016 Ukrainian grid hack. The silver lining here is that the ISAC process seems to be working. We spoke with representatives of the DNG-ISAC and the American Gas Association this morning and they told us that, while the threat to their sector is as great as the threat to the electrical power distribution system, they were pleased with how quickly their members responded to the quiet warnings Dragos sounded to them last Friday. Their guard's up and mitigations are in place. So, bravo, Dragos.

Dave Bittner: [00:07:28:14] Time to take a moment to tell you about our sponsor Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insight into emerging threats. We read their dailies here at the CyberWire, and you can, too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and more.

Dave Bittner: [00:07:58:03] Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:08:27:15] Joining me once again is Markus Rauschecker. He's the Cyber Security Program Manager at the University of Maryland's Center for Health and Homeland Security. Markus, great to have you back. Saw a story come by on the Hill and it was about the new cybersecurity laws coming from China. Give us a breakdown here. What are we dealing with?

Markus Rauschecker: [00:08:45:04] Yeah, everyone's watching this very closely. China's passed a cybersecurity law, a pretty comprehensive law. And, as I said, everyone's watching it very closely to see what this will mean. Businesses are concerned that this law is very vague and very broad and businesses are thinking they don't really know how to necessarily comply with the law.

Markus Rauschecker: [00:09:07:22] There's a lot of the questions about some of the terminology in the law and what the requirements will be that are placed on businesses that are, that are doing business in China. So, there's a lot of uncertainty and a lot of unease about this new law coming through.

Markus Rauschecker: [00:09:22:11] At the same time, human rights experts are also very concerned about this law, again for-- because of its vagueness, and in some cases, outright censorship provisions in the law that will put a limit on, you know, freedom of expression and other statements that might be critical towards the, towards the state. The law is going into effect and, you know, we'll have to see what the, what the outcome will be.

Dave Bittner: [00:09:50:02] Of course, China is saying that this law, a big part of it, is to improve the privacy for their citizens, but that's being met with some skepticism.

Markus Rauschecker: [00:09:58:11] Absolutely. To its credit, China is trying to address the cybersecurity issue as most countries are. Certainly, there are many human rights organizations that are seeing this law with a great deal of skepticism because there are provisions within the law that call for a lot of monitoring and privacy invasions and outright censorship of certain activities online.

Markus Rauschecker: [00:10:21:09] So that certainly goes against a lot of the human rights values that are generally accepted. But China argues that some of these restrictions are necessary if it is to secure its networks and its Internet and provide for greater security.

Markus Rauschecker: [00:10:38:11] One of the issues that multinational corporations specifically are looking at in terms of this law are these restrictions on cross-border data flows. This is of special concern to these businesses because, as we all know, these multinational corporations are moving data around the world continuously, 24/7. So this new Chinese law actually restricts that data flow. The law says that any data that's generated within China must be kept in China and stored in China. So this is of special concern to a lot of businesses, who are multinational, who are moving data around to have this new restriction placed on them.

Markus Rauschecker: [00:11:16:03] That provision may or may not apply to every business. It applies specifically to, quote, "critical information infrastructure," but no one's really sure what that means. There's-- that term isn't really defined. So there's just a lot of uncertainty about the law in general and about these specific provisions that are creating a lot of unease for businesses that are operating in China.

Dave Bittner: [00:11:39:21] All right. Well, it certainly bears watching. Markus Rauschecker, thanks for joining us.

Dave Bittner: [00:11:47:18] Time to thank our sponsor Telos Corporation, who reminds you that the key to cybersecurity is risk management. You can't make sound security decisions if you don't know what your risks are, where they are and what's involved in addressing them. That's where Xacta 360 from Telos can help. Xacta 360 enables you to manage IT risk and maintain compliance day to day of your on-prem, cloud and hybrid computing environments. Xacta 360 helps you visualize your threat landscape, supports risk-based decision-making and automates the processes for complying with the leading security standards and frameworks. Xacta 360 is especially engineered for workloads in the Amazon Web Services Cloud. It can save you up to 50% in time and effort by automating and eliminating many of the manual tasks in cloud compliance reporting.

Dave Bittner: [00:12:36:19] To learn more, visit telos.com/cyberwire for white papers and other goodies. That's telos.com/cyberwire. And we thank Telos for sponsoring our show.

Dave Bittner: [00:12:56:23] My guest today is Jocelyn Aqua. She's a partner with PwC, focusing on emerging technology and data protection laws. Prior to that, she spent several years in senior positions at the US Department of Justice. She joins us today to discuss the results of a PwC survey, A Revolutionary Partnership: How Artificial Intelligence is Pushing Man and Machine Closer Together.

Jocelyn Aqua: [00:13:20:02] Both industry and consumers were extremely enthusiastic about the potential for AI, that they started to reap the benefits in their personal lives just from music and exercise trackers and things to that effect where they're seeing choices provided to them based on their realizing AI and voice recognition. They see that the potential for medical breakthroughs and other life-changing technology advancements are going to happen within the next few decades and they see how exciting it is.

Jocelyn Aqua: [00:13:50:11] That said, they also-- one important part, which I thought was interesting, is the top issue, privacy and cybersecurity, where they thought that that would be resolved immensely by AI. Cyber and privacy are both significant concerns. But one of the things that I found a little disconcerting is that 87% of the folks surveyed thought privacy was a major concern of using AI.

Jocelyn Aqua: [00:14:14:02] And so the reason why I got looped in is because I am a privacy lawyer by trade and now I'm a consultant to industry who are looking at trying to strategically think about these emerging tech issues from a-- and, and build privacy in. And so it-- while it's clear that in the cyber side, we are using AI to do a lot of beneficial things now, scanning for vulnerabilities and seeking patterns for attribution and ensuring that, you know, systems are being monitored and that's only going to get better and only more successful and we're going to improve our cyber security.

Jocelyn Aqua: [00:14:52:21] But at the same time, I think there's a significant concern about what the other side of AI. There's whether AI is going to be used to hack into systems, to inject malware, to dupe other AI. And the longer and more complex that the systems are, how can humans be intervening and observing what's going on.

Jocelyn Aqua: [00:15:13:18] My most important takeaway was the fact that there is a lot of room for considerations of the trustworthiness of AI and the privacy and the effects that come with that.

Dave Bittner: [00:15:24:20] Do you think that 87% number reflects the reality of the situation? In other words, does that align with what we see on the technical side as what would be a reasonable concern when it comes to privacy in AI?

Jocelyn Aqua: [00:15:37:19] I do. I think that, you know, every day there's another data breach, there's another hack. There's so much information about the benefits of AI. One of the things I thought was very comforting is that while this is such a concern, what people want to do with their data is really be able to share it. You know, a significant portion of the respondents also said that they recognize that their data could be used for medical breakthroughs to improve the life of others. But they want to make sure that it's going to be secure, that it's not used in the back end to discriminate against them, that they want to be able to share data in a protected way and they want AI to be used this way.

Jocelyn Aqua: [00:16:18:10] And so the concern is on multiple factors, it's multiple issues. So I think that what my goal would be is to work with companies and work with our teams in-house here to really start thinking about all of the privacy and trust issues that come with building these new products and the new technology and what to do to resolve that now while we're starting out and build that into the systems and build that into the academic world that's thinking about these issues.

Dave Bittner: [00:16:48:05] One of the words that was sprinkled throughout the report was this notion of amplification and, and it strikes me that part of what people are looking toward AI to do is not necessarily replace the, the humans in the equation, the things that the humans do but to provide a sort of backup or an advisor or, like, a multiplier to allow people to process and handle more data than they'd be able to do but still partner with the people.

Jocelyn Aqua: [00:17:21:10] Yeah, that's true. And I think it's being used, and a lot of tools are being developed to prevent computers from being hacked, to make sure that there's no insider threat type of issue where people are accessing things they shouldn't. AI is really going to solve a lot of our cybersecurity problems. That said, there is the human part of it that still needs to happen because of the intuition, because you have to be able to look at everything and really know what's going on in a system and then being able to make a real assessment.

Jocelyn Aqua: [00:17:54:02] In fact, if you think about it, in terms of making these decisions, it doesn't benefit humanity if there's a decision by AI that just gives you the answer but not how they arose to the answer. So they can point out where a population is most likely to get a certain type of cancer but can't get you to the understanding of where they came up with that using all of the additional technology that's been inputted into the AI and the data. It doesn't solve all of the problems that humanity needs. And so having that conversation between human and AI is essential.

Jocelyn Aqua: [00:18:29:00] And it's not the underlying problem now. We're not at that stage yet. But to not think through these issues now that when you're using it to amplify, at one point, we suspect and we see from the, the investment in driverless cars and all of these areas of autonomous AI, that this is something that we need to think about now while we're building our systems, while we're advising strategically on how to build in privacy and trust and ethics. It's for all of that.

Dave Bittner: [00:19:00:04] That's Jocelyn Aqua from PwC. The report, A Revolutionary Partnership: How AI is Pushing Man and Machine Closer Together, can be found on the PwC web site.

Dave Bittner: [00:19:15:02] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining partner, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.

Dave Bittner: [00:19:26:22] Don't forget to check us out on Patreon. It's patreon.com/thecyberwire where you can find out how you can support the CyberWire and all the things we do.

Dave Bittner: [00:19:35:19] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. Have a great weekend, everybody. We'll see you back here on Monday.