The CyberWire Daily Podcast 7.5.17
Ep 384 | 7.5.17

Recovering from NotPetya. State-actor seen behind wiper attack. Ukraine mulls criminal negligence charges. Documents behind US Congressional wariness of Kaspersky.


Dave Bittner: [00:00:01:01] When you're done chowing down on your leftover hamburgers, hot dogs, coleslaw and deviled eggs from the 4th of July, head on over to and see how you could help support our show. Thanks.

Dave Bittner: [00:00:14:20] Affected enterprises are restoring services after last week's NotPetya pandemic. Maersk's experience prompts some introspection in the logistics sector. Ukraine prepares to charge ME Doc's maker with criminal negligence for allowing the infection to take hold. NotPetya's tied to BlackEnergy and thence to a "state actor" (NATO's not saying it's Russia, but Ukraine is). FSB certificates allegedly express links between FSB and Kaspersky.

Dave Bittner: [00:00:46:20] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future Cyber Daily and, if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future, and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:41:06] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, July 5th, 2017.

Dave Bittner: [00:01:51:23] Yesterday marked the passage of the first week in the NotPetya disruptive malware pandemic. It's taken most affected enterprises, from Maersk to DLA Piper to Ukraine's banking systems, just about that amount of time to restore a tolerable level of service.

Dave Bittner: [00:02:07:21] Maersk announced Monday that it was finally able to bring its major systems back online after sustaining a hit to global operations from the NotPetya wiper attack. Port services reopened Sunday, many of them using manual operations, and other aspects of recovery continue. The hit was substantial. Maersk, which is by no means an inattentive or poorly resourced outfit, is working through a six-day backlog. Among the ports that returned to operation in substantially manual mode are Gothenburg, Sweden and the US ports of Los Angeles, Mobile and Port Elizabeth, all big cargo handlers.

Dave Bittner: [00:02:45:09] The NotPetya attack and its effect on Maersk have led the shipping and logistics industry to some security introspection. Self-examination leads to uncomfortable insights. We heard from Lars Jensen of the maritime cybersecurity company, CyberKeel, who summarized some of those insights as follows: "A top-20 carrier allows shippers using their eCommerce platform to use 'x' as their password. A port terminal has a server running the access to their eCommerce tools which is so old that it can be readily taken over using tools one can download directly from the internet. A top-5 carrier claims that the password '12345' is of 'medium' strength. 10% of carriers and 20% of the sampled ports and terminals have still not patched the vulnerabilities related to the 'Poodle' and 'Heartbleed' cyber threats which emerged more than 2½ years ago."

Dave Bittner: [00:03:39:04] Jensen also notes that the apparent ease with which the attack propagated laterally across infected networks is a disturbing indicator that security levels are generally too low for comfort.

Dave Bittner: [00:03:51:11] Returning to Ukraine, where the infestation began, authorities are moving forward with their investigation. Police have seized servers belonging to Intellect Service, the small "family owned" software outfit whose ME Doc tax accounting product appears to have been the initial source of NotPetya infestations. A high-ranking official in Ukraine's police unit charged with investigating cybercrime says that Intellect Service should expect criminal charges.

Dave Bittner: [00:04:19:14] Intellect Service, which says it's cooperating fully with the police, denies having anything to do with the attack and says their code was clean when they released it.

Dave Bittner: [00:04:29:11] It seems fair to say that NATO's statement on the attack represents at this point consensus: NATO thinks the attack was the work of a "state actor" but the Atlantic Alliance's Cooperative Cyber Defense Center of Excellence in Tallinn declines to say exactly which state that would be. The statement about the attack mentions, in passing, that cyberattacks with physical consequences could trigger NATO's Article 5 - collective defense - but was silent on whether this would be one of those cases.

Dave Bittner: [00:04:58:18] Almost certainly not, but the statements do suggest the rough area where NATO will draw its Article 5 line: somewhere on the side of physical consequences.

Dave Bittner: [00:05:09:23] The NotPetya attack on Ukraine, with either intentional or collateral damage throughout most of the rest of the world, has been tied more closely to Russian services as researchers at Kaspersky, ESET and elsewhere find links to the BlackEnergy APT group. That APT has long been suspected of being a Russian cat's paw. In fairness to Kaspersky and ESET, neither draws that explicit conclusion, but Ukraine's government certainly has. They're convinced the incident is another shot in Moscow's hybrid war aimed at re-engulfing Ukraine.

Dave Bittner: [00:05:10:09] It's probably safe to say that one thing we all wish we had more of is time, and when it comes to security investigations time is of the essence. The folks at Splunk recently sponsored an IDC info brief titled "Investigation or Exasperation? The State of Security Operations." Haiyan Song is SVP and General Manager for Security Markets at Splunk.

Haiyan Song: [00:06:08:11] We always talk about the ideal situation; security needs to be proactive. Unfortunately, one of the things we have found is that in security investment in tools and technology, even operations, only 70% of the companies actually do that after a serious breach. It's still good to do it, but I think it would be much better if we took a proactive approach. Further, since we're in security information event management analytic space, one of the interesting things we found is that 72% of US companies are not fully taking advantage of the capabilities in connection with the skill shortage and the fact that we have to deal with a lot of sophisticated attacks which are morphing all the time.

Haiyan Song: [00:06:58:01] We also should have surveyed how people are using machine learning, advanced data, science, and technology machine learning. Certainly, we're still in a very early stage, but only 81% of US companies are not at all or not extensively leveraging that. That's interesting because for a lot of the new sophisticated attacks you really cannot use known patterns or rules, you've got to look for anomalies, look for the base lining to start with and, using threat modeling, bring out some of the anomalies. That is really the biggest challenge for a lot of security operations.

Haiyan Song: [00:07:43:23] There is still a lot of time that the security analysts have to invest even to just take care of or address one security incident or alert. Some of them will turn out to be real. It's still days and hours - that's the granularity we're looking at - but for security, in the computer world, minutes can be a long time, let alone hours or days. 39% report that it takes, on average, two to four hours to resolve an incident and we need to get them to minutes. Therefore, investigation, forensics and automation become really key in improving that statistic.

Dave Bittner: [00:08:26:12] That's Haiyan Song from Splunk. The report is called Investigation or Exasperation? The State of Security of Operations. You can find it on the Splunk website.

Dave Bittner: [00:08:37:24] Two cryptocurrency services have come under attack, the Bithumb exchange and client-side Ethereum wallet, Classic Ether. Bithumb users lost both Bitcoin and Ethereum; Classic Ether Wallet's website was hijacked.

Dave Bittner: [00:08:53:00] Researchers at Sucuri have found an SQL-injection flaw in a widely used WordPress plugin: WordPress Statistics. Look to your blogs, bloggers.

Dave Bittner: [00:09:04:00] Kaspersky, which has responded to US Congressional suspicions of its connections to Moscow by offering to show the US its source code, remains under scrutiny. McClatchy is reporting on certificates Russia's FSB issued to the company that appear to associate it with an intelligence program. While connections among security companies and intelligence services are far from unusual, experts consulted by McClatchy think that the certificates appear at the very least to be odd ones, and worth further scrutiny. The Bear suspected of consorting with Kaspersky, by the way, would be Cozy Bear, not her sister Fancy.

Dave Bittner: [00:09:41:08] Russian authorities aren't happy with the suspicions and tell the US to expect blowback. Maybe, the Communications Minister suggests, Russia will stop using Microsoft and Cisco products.

Dave Bittner: [00:09:57:16] Now I'd like to tell you about some research from our sponsor, Delta Risk. We all depend on the power grid. You've heard a lot over the last few months about the grid's vulnerability. CrashOverride, in particular, threw a scare into the energy distribution sector. It's a real threat and its masters demonstrated what they can do last December in Ukraine. Even a minor disruption to the power grid could be devastating to all of us. Download Delta Risk's new white paper Cybersecurity and the Grid, the Definitive Guide for insight into how the North American power grid works, an overview of current regulations and a look at potential cyber threats. You'll find the guide at Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity and risk management services to commercial and government clients. Learn more about Delta Risk by visiting and while you're there get that guide The cybersecurity for the grid. It's, and we thank Delta Risk for sponsoring our show.

Dave Bittner: [00:11:09:06] Joining me once again is Professor Awais Rashid, he heads the Academic Center of Excellence in cybersecurity research at Lancaster University. Professor, welcome back. You know with this recent high profile ransomware attack, WannaCry and the disruption it did to the NHS in England, you wanted to talk about the anatomy of attacks and getting back to the basics.

Professor Awais Rashid: [00:11:31:15] Thank you very much for having me again. Indeed, I think the ransomware attack that disrupted many different systems across the world, but most notably the National Health Service in the UK, just simply demonstrates what is effectively a fairly simple type of attack in the sense that it's an attack that blocks out your files and access to your disk. However, it can disrupt one of the largest organizations in the world. To look at the causes of this disruption, we need to really look back at the anatomy of an attack and normally what would happen is that an attacker breaches the system, for example, through a weaponized document or a payload which could come via a phishing attack or any other means to deliver it into the network and then the goal tends to be to get some kind of command and control infrastructure set up and also do lateral movement and move across the network.

Professor Awais Rashid: [00:12:31:19] What we can see in the case is that that has happened with relative ease in the sense that, yes, we don't really know what the initial point of breach was, but once the initial point of a breach had been reached by the attacker, the attack moved very quickly, not only within a particular part of the organization but across many National Health Service Trusts across the country. That leads to the very fundamental question as to how basic security practices can actually disrupt different types of attack. What we know in this case is that some of the systems were based on Windows XP, which is an outdated system and is not supported currently by Microsoft, but also that that particular vulnerability has been known since March and patches were available but they weren't applied. That leads to the particular question about security investment, good security practices and good security hygiene.

Professor Awais Rashid: [00:13:28:06] Also, another really fundamental thing which I often teach my students on a regular basis is that it's not only what you do to keep an attacker out - and in this case clearly things could have been done by patching systems to at least make it harder for the attackers to breach the system - but also what happens once a breach has occurred. What kind of recovery plans are in place and, for a complex and highly critical organization such as the National Health Service, for it to be disrupted on a large scale for such a long period of time is a big problem. Therefore, one of the questions we have to ask is what kind of recovery plans were in place? What kind of backup systems were in place? And why did it take so long for the system to come back online but, equally, why was it so easy in terms of what kind of network isolation was put in place or not that made it possible for the attack to move laterally across the organization very quickly?

Dave Bittner: [00:14:26:10] One of the things I've heard about these sorts of attacks, particularly when it comes to health care, and I'm not sure this is the case with the NHS, is that sometimes restoring from backup can take more time than simply paying the ransomware and having the files unlocked.

Professor Awais Rashid: [00:14:41:04] Yes, that might be the case but, first of all, one would never condone paying the ransom for a ransomware because, ultimately, the attacker's motives are economic and that simply plays into the attacker's motivation. Equally, in this case, a lot of these systems are not always set up with, for example, local files. Therefore, they are often delivered from a server and we just do not know, in this case, what the scale of the infection was. For example, did the ransomware also lock key servers within the organization that were delivering those files to the terminals? If you think about it, the ransomware is a fairly simple attack. A vulnerability may have been exploited here; it was a fairly simple attack that simply encrypts your disk. If you have effective backups and you can restore them quickly then the attacker's purpose is defeated because their purpose is to get money to unlock your data. But if you can restore your data fairly quickly then their purpose is defeated. Therefore, I do think that an effective recovery plan, in such cases, is actually very important.

Dave Bittner: [00:15:46:04] Alright, good information. Professor Awais Rashid, thank you for joining us.

Dave Bittner: [00:15:52:09] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben and our Technical Editor is Chris Russell. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.