Another ransomware victim pays extortionists. Business email compromise. Government impostor scams. ShadowBrokers still airborne. Exploit supply chain. Silence suspected in bank heists.

Dave Bittner: [00:00:03] Another ransomware victim pays up. Privilege escalation comes to ransomware. Vendor impersonation scams hit cities, and government impersonation scams hit citizens. Be wary of both. Former NSA contractor Hal Martin will be sentenced later this month, with suspected connections with the Shadow Brokers still unresolved. An exploit supply chain is described. The Silence gang is suspected in Bangladeshi bank heists. And a bad message can brick a phone.

Dave Bittner: [00:00:38]  Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need to Know About Security Orchestration, Automation, and Response." The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:01:48]  Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:03]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 8, 2019. 

Dave Bittner: [00:02:11]  Forensic lab Eurofins is paying the extortionists who hit it with ransomware. The BBC says the amount is unknown but large. The Times puts it at hundreds of thousands of pounds. In any case, the payment is regarded as very large - huge, in some headlines. Eurofins is not, we should point out, a digital forensics shop. Their work is of the physical laboratory type - DNA typing and toxicology. 

Dave Bittner: [00:02:39]  Sodinokibi ransomware is using a Windows privilege-escalation bug, CVE-2018-8453, to gain admin access to its targets. As ZDNet notes, it's relatively unusual for ransomware to exploit a privilege-escalation vulnerability. But here's something that's not at all unusual. The bug, which was patched in October 2018, was first exploited by a state, and then was picked up by the criminal underworld. The vulnerability first came to light as a zero-day exploited by FruityArmor, a state-directed espionage crew active mostly against Middle Eastern targets. 

Dave Bittner: [00:03:17]  The city of Griffin, Ga., located in the greater Atlanta region, recently lost a cool $800,000 to a scammer posing as a vendor the city's water department was accustomed to doing business with. The loss came through a phishing email in which someone impersonating the vendor told the luckless city employee that they needed to change their banking info. Change it the employee did, and the city subsequently flushed away a few hundred thousand dollars. The city manager is quoted by Atlanta's 11Alive news to the effect that he's shocked by the whole thing. 

Dave Bittner: [00:03:53]  And of course, government agencies are also impersonated by scammers working against individual citizens. It's worth remembering that contact from people claiming to represent a government agency should be treated with appropriate suspicion. That phone call from the Social Security police, that pop-up from the CIA, that email from the FBI are all too likely to be bogus, especially the Social Security police, since there really is no such thing, and a Social Security number doesn't get suspended. 

Dave Bittner: [00:04:22]  Anywho, the U.S. Federal Trade Commission reports that government impostor scams are running at an all-time high, with over 46,000 attempts reported to the FTC in May alone. The median amount lost by individuals hornswoggled by the impostors is $960, so don't be taken in. The government - the U.S. government, anyway, and we think matters are much the same in the rest of the civilized world - isn't going to call you up to threaten arrest or ask for personal information. 

Dave Bittner: [00:04:53]  What will happen, should you run afoul of the Federal Bureau of Investigation, is that they may show up with flashbangs and other methods of forced entry. That's how they collared Hal Martin, the former NSA contractor convicted of unlawful retention of defense information. Mr. Martin will have his sentencing hearing on July 17 in a Baltimore federal court. The Washington Post observes that his widely suspected connection, if any, to the Shadow Brokers leaks remains as obscure as ever. There was much speculation around the time of Mr. Martin's arrest that he had been in Twitter contact with the Brokers, but the government has apparently not established this, either because the evidence isn't there, or because they secured more than enough evidence from his Glen Burnie, Md., residence, or because there are other sensitivities at play. As for the Brokers themselves, they have kept a low profile for some time after their leaks of purported NSA tools, and they and their implausibly broken English are as much on the wing as ever. 

Dave Bittner: [00:05:55]  There is growing attention given to the security of the software supply chain, particularly the increased use of open source components. Derek E. Weeks is vice president at Sonatype, a provider of DevSecOps automation tools. 

Derek E. Weeks: [00:06:10]  Every single organization that is developing software is taking advantage of a software supply chain today. And that software supply chain takes on a couple of different forms. One, it's really how software is delivered into organizations that use it for development. And in different cases, you can use open source components that are freely available on the internet that developers use to assemble large portions of their code that they're developing into applications. And the other source is containers that are open source for downloading from places like Docker Hub people can use within development or operations practices. 

Derek E. Weeks: [00:06:56]  The supply chain volume on the demand side is huge. It's also huge on the supply side. So when we study and analyze open source component contributions from different development ecosystems, whether it's Java, JavaScript, Python, .NET, Ruby, about 13,000 new open source projects having releases every day. The amount of supply of these components that is available to developers is tremendous. And the consumption volumes are huge, too. 

Dave Bittner: [00:07:30]  From a security point of view, what are the pluses and minuses of using open source software? 

Derek E. Weeks: [00:07:36]  That's a really good question. So the pluses are absolutely that open source components being fed through software supply chains make us a lot more efficient in development practices. Why spend an hour, a week, a month writing something from scratch when you could download it from the internet in a second? The incredible efficiency that it allows is, you know, why the consumption patterns are going up exponentially. Most of the open source projects out there develop and help deliver high-quality code to these development organizations, and many of them want to move very fast because they need to deliver new capabilities to their customers in order to serve them better and maintain their competitive position in the market. So if you're, you know, trying to be the next Amazon or the next Netflix or the next Uber, you have to move a lot faster at delivering value to the market than your competitors. 

Derek E. Weeks: [00:08:38]  Now, at the same time, when we look at open source component downloads that we examined last year, we saw 1 in 10 of these Java components being downloaded having known security vulnerabilities. And then also, in late last year, the JavaScript repository led by npm - or the npm packages used by JavaScript developers - they had analyzed 4 million component downloads, of which they found 51% had known vulnerabilities in them. It's really a matter of borrower beware. 

Dave Bittner: [00:09:12]  Are there any consistencies that you see when it comes to companies who are doing a good job managing these supply chain issues? Anything that you find that they have in common? 

Derek E. Weeks: [00:09:22]  Yeah, there's a couple of things that they're doing in common. One is they're controlling the use of open source within their organization. So there's something that is referred to as an open source governance policy. We've spent the last couple of years serving organizations where - about 57% of organizations say that they have a policy in place. And really, the developers in those organizations are saying that. So the developers are aware of the policy that basically guides them on - hey, you know, it's your responsibility that, when you're using these components, to use the good ones and not the bad ones that provide some level of risk, whether that's legal risk or security risk, to our organization. 

Derek E. Weeks: [00:10:04]  There are also organizations, as a kind of second-best practice, that are keeping track of the components that their developers are using within the applications that they're building. That list of open source components is called a software bill of materials. And usually, you know, if you're a mature DevOps practice, about 56% of those organizations, I believe, are keeping a bill of materials. In organizations that aren't practicing DevOps or DevSecOps, it's about 25% keep a complete software bill of materials. The reality is when a security vulnerability comes up, whether that's Struts or Bouncy Castle or OpenSSL's Heartbleed - kind of, you know, open source vulnerabilities, the first question any organization is asking is, did we ever use that component and that vulnerable version of that component? And if we did, where? The software bill of materials allows them to get that answer. 

Dave Bittner: [00:11:05]  That's Derek Weeks from Sonatype. 

Dave Bittner: [00:11:08]  Anomali has described a Microsoft Office exploit supply chain being shared among at least five Chinese groups - Conimes, KeyBoy, Emissary Panda, Rancor and Temp.Trident. Specifically, they're all working the Royal Road Rich Text Format weaponizer and using it to exploit CVE-2017-11882 and CVE-2018-0802. 

Dave Bittner: [00:11:35]  Three banks in Bangladesh sustained substantial thefts by hackers in May. It now appears that the gang behind the raid was the crew known as Silence. Group-IB, which has been tracking Silence since late last year, believes the gang has two core members, Russian-speaking operators who appear to be white hats gone rogue. Their hacking involves jackpotting by money mules, some of whom have been caught in the act. 

Dave Bittner: [00:12:01]  Britain's Information Commissioner's Office has announced its intent to slap a record fine on British Airways, over 183 million pounds for a data breach that put the airline in violation of GDPR. It's a record fine which the BBC reports British Airways intends to fight vigorously. 

Dave Bittner: [00:12:20]  Google's Project Zero has confirmed that under certain circumstances, a malformed message can brick an iPhone. An infected device can be recovered, Forbes reports, but at the expense of losing data. 

Dave Bittner: [00:12:33]  We close with two sad notes. Jeffrey Sessions, CEO of security and networking firm Red River, and his wife, Elizabeth Howle, died in a watercraft accident last week. Our condolences go to their family, friends and colleagues. And on Friday, Mike Assante succumbed to the cancer he'd resisted for many years. He was a leader in - indeed, a fixture in - the industrial control systems security sector. Again, we offer our condolences to his family, friends and colleagues. For all who passed away last week, we wish that those close to them find courage and consolation, and we trust that those who knew them will remember the departed for lives well led. 

Dave Bittner: [00:13:21]  And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to industrial organizations are proliferating, as Dragos recently identified the most dangerous threat to ICS. Xenotime, the activity group behind Trisis, has expanded its targeting beyond oil and gas, illustrating a trend that will likely continue for other ICS-targeting adversaries. Learn more about the eight public threat activity groups Dragos tracks at dragos.com/adversaries and how taking an intelligence-driven approach to ICS security is the most comprehensive defensive strategy to combat industrial adversaries. To register for a free 30-day trial of Dragos' ICS threat intelligence, visit dragos.com/worldview. And we thank Dragos for sponsoring our show. 

Dave Bittner: [00:14:24]  And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back. A story came by. This was on Medium from a group called OneZero, and it's about a company that bar owners use to scan people's IDs. And there's a lot of information being gathered here in ways that perhaps people aren't really aware of or prepared for. What's going on here? 

Ben Yelin: [00:14:54]  So I've learned to be more careful about what I do at bars, the rare occasions that I go to bars, after reading this article. This is a company called PatronScan. And I'm sure at any bar you've been to, you see the kiosks they have at the entrance with the big bouncers. They'll take your ID, and they'll scan it. And what you probably thought they were doing is just making sure that your ID was legit, that you were of age, that the ID comes from a reputable state or international location. 

Ben Yelin: [00:15:23]  What this article talks about is how those kiosks are turning into repositories of a permanent record of bar attendees, meaning if one bar puts some sort of red flag and associates that with your driver's license, the one that you scan when you go in, that will be visible to users of the software at every other bar that you go to. So if you have an incident at a bar and they put something on your permanent file that says, you know, Dave was very difficult; he was throwing punches, got in a bar fight - when that's scanned at the next bar, that information is going to show up. 

Ben Yelin: [00:15:58]  So not only is it concerning from a civil liberties perspective as it applies to other bars - you know, frankly, we may not care that much about what other bars think of us as long as they let us in - PatronScan is one of the relative few technological companies that seems enthusiastic about cooperating with law enforcement. If you're wanted for some sort of criminal action and evidence is needed as to whether you were in a particular location, PatronScan will voluntarily hand that information over based on when you scanned your ID. And you know, that can be relatively concerning for people. Most technological companies go out of their way to say that they will not give information to law enforcement unless there is either a valid subpoena or some sort of judicial warrant. And what PatronScan has said is that, well, they're not selling your information to third parties - at least that's what they claim. They are willing to give your information to law enforcement. 

Ben Yelin: [00:16:56]  So the upshot of this is, when you go to a bar, just by entering that bar and having your ID scanned, you're potentially putting yourself at some risk for, A, being blacklisted from other institutions because you get something marked on your permanent record, so to speak and B, exposing yourself to law enforcement. And I think, you know, that can be concerning for a lot of people. 

Dave Bittner: [00:17:19]  Yeah. I mean, I think back to, you know, my own days, my younger days when I used to visit bars. I'm thinking of my college days. And it's hard for me to imagine the equivalent of this, where I would hand someone my ID, and they would say, hold on; I need to make a copy of this, and then I'm going to stick it in a filing cabinet. I don't think people would be OK with that. 

Ben Yelin: [00:17:39]  No, certainly not. And to extend that metaphor a little bit, imagine they'd made copies and gave it to every single bar in a geographic area so that before you could enter any bar, they would check the file and see, you know, has this person assaulted anybody, gotten into a bar fight? And if not, we can't let them in. 

Ben Yelin: [00:17:58]  You know, from a legal perspective, the patron doesn't actually have much of a legal leg to stand on. This is your classic third-party doctrine case. You have a choice whether to go to a bar or not. You are voluntarily giving your ID card to the bouncer to get in. And once you do that, it's fair game for the company that's doing the scanning to send that information to law enforcement. But simply from a, you know, personal perspective, I think it is quite intrusive. 

Dave Bittner: [00:18:30]  And to this point, really, the only way around this is to vote with your feet. 

Ben Yelin: [00:18:34]  Right. So the adoption of PatronScan is voluntary on the part of the bar, so, you know, perhaps the free market will take care of this. And there are going to be bars that say, well, I'm not going to use this technology. Now, bars have incentive to use it. They're audited on whether they sell alcohol to minors. And one of the ways they can make sure they don't sell alcohol to minors is to verify their driver's licenses. And this is one of the key technologies that they're going to use to do that. 

Ben Yelin: [00:19:03]  So bars certainly have their own incentive to use technology like this, but you're right. I mean, I think there is going to be a market out there - sort of a dark web for bar-goers - of places where their names won't be put on a permanent record, especially if this becomes something that's more widely known, widely talked about and written about online. 

Dave Bittner: [00:19:26]  All right. That's an interesting one. Ben Yelin, thanks for joining us. 

Ben Yelin: [00:19:29]  Thank you. 

Dave Bittner: [00:19:35]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:47]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.