Ransomware attacks in Mexico and Germany. Wipers in criminal service. Supervising Siri and Alexa. Mass shooters find inspiration and online expression.
Dave Bittner: [00:00:03] A Mexican publisher is hit with an extortion demand. Ransomware increasingly carries a destructive wiper component. Apple and Amazon, after the bad optics of reports that they're farming out Siri and Alexa recordings to human contractors for quality control, are both modifying their approaches to training the assistants. And investigators sort through mass shooters' digital trails.
Dave Bittner: [00:00:32] Now I'd like to share some words about our sponsor Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge, before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operation center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at booth 1522 to take part in their Crack the Code challenge. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show. Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday August 5, 2019.
Dave Bittner: [00:02:00] Comparitech reports that a bookseller and publisher in Mexico, Libreria Porrua, left a MongoDB instance publicly accessible. The bookseller was warned by researchers on July 15 that its database was accessible but apparently did not take action to secure it in time. Criminals claim to have copied the data, then wiped them. They've demanded 500 bitcoin, almost $6 million, to restore the data. It's unknown whether the company has attempted to pay the ransom, let alone whether even if they did pay their files would be recoverable. The affected database contained 2.1 million customer records. Customers would do well to be on the lookout for spear-phishing attempts.
Dave Bittner: [00:02:43] Another destructive attack, GermanWiper, is destroying files in victims' systems and then demanding ransom for their restoration, Computing reports. In this case, in contrast, restoration seems impossible. BleepingComputer describes the attack. The infection vector is a phishing email, and the phishbait is a polite inquiry about a job opening from someone called Lena Kretschmer. Frau Kretschmer is clearly a catphish and no genuine job seeker, but at least the emails are formally courteous. Once a system is infected, the ransom note tells the victim that their data have been encrypted, but, in fact, they're gone, overwritten. Germany's federal CERT advises people not to pay. It's futile, and you'll just be out the roughly $1,700 in bitcoin the hoods are asking for.
Dave Bittner: [00:03:33] If this is the criminal hit it seems to be, the hoods must be in it for one or two quick payouts before everyone is wise to their game and stops sending bitcoin. The mode of propagation isn't the same, but there's at least this similarity to NotPetya. That, too, was pseudoransomware. Like GermanyWiper, it had a relatively low ransom demand, and you weren't getting your files back from it, either. There was an earlier case of destructive pseudoransomware deployed against German targets. In 2017, HSDFSDCrypt, also called Ordinypt, destroyed files in what was nominally at least a ransomware attack.
Dave Bittner: [00:04:11] Destructive attacks seem to be trending. In the past, they had tended to be the work of states, NotPetya being Exhibit A. But this seems to be changing. Over the past six months, IBM’s X-Force has seen a 200% rise in criminal ransomware attacks that have a wiper component. Wipers have been integrated into such familiar ransomware strains as LockerGoga and MegaCortex. The criminals seem to have adopted this approach as a way of ratcheting up the pressure on their victims, increasing the consequences of holding out and making them more likely to pay. After all, if it’s conventional ransomware, someone might come up with a decryptor. But if the files are gone, they're just gone; you can’t decrypt destruction.
Dave Bittner: [00:04:55] There are several effective defensive measures an enterprise can take. IBM lists seven. First, test your response plan under pressure. Use threat intelligence to understand the threat to your organization. Engage in effective defense in depth. Implement multifactor authentication throughout the environment. Have backups, test backups and offline backups. Consider an action plan for a quick, temporary business functionality. And create a baseline for internal network activity and monitor for changes that could indicate lateral movement.
Dave Bittner: [00:05:28] Let's do a quick, little experiment together. If I ask you to imagine an image in your mind of something related to cybersecurity, what's the first thing you see? Let's extend the experiment and imagine doing an online image search for the term cybersecurity. What do you expect you'd find? It's the same old images over and over again, to the point of most of them being cliches. Eli Sugarman is the Cyber Initiative program officer at the Hewlett Foundation, and they've decided to take this image issue head-on.
Eli Sugarman: [00:05:59] So we took this on because we were about to publish a report on cybersecurity grant-making, on all of the the work that our grantees and we had been doing. And we realized that we didn't have a good image to put on the cover of it that really captured the complexity and importance of these issues. And so we searched. We did a Google image search. We looked around and realized that everybody else was having the same problems - that you look at think tank reports or websites or even newspaper articles and you get the same things. You get men in hoodies over keyboards. You get Matrix-style ones and zeros. Locks and swords and shields. And it doesn't actually tell you anything. And so I said, aha, there is a problem here.
Dave Bittner: [00:06:38] It seems to me that we almost have a bit of a feedback loop here, where we have a limited number of images that we use. So we use those images, and people see that and they decide those are the images we should use.
Eli Sugarman: [00:06:50] I think that's exactly right. And I think that if you do a Google image search, you see clear clusters where everybody said, oh, you know what? I'm just going to tweak that image of a lock to make it a little bit cooler or maybe it'll shoot lasers because, to your point, they're - no pun intended - locked into a certain way of depicting this visually. And you see companies using those images, too, because they haven't invested in new creative ways to show why you would want to buy something related to cybersecurity or why it matters to an individual consumer. So I think you're right; I think that the really sad state of imagery just feeds off itself.
Dave Bittner: [00:07:20] And so how are you coming at this?
Eli Sugarman: [00:07:22] We're coming at it from a creative perspective, if you will. That is, that we know that we actually don't know how to come up with a better image. If you were to ask me what is the better image, I can give you general attributes. But if I knew what it was, I would draw it myself. But I'm not an artist. So what we've done is we've partnered with a really top-tier creative firm, Ideo, which spun out of the Stanford design school, that really focuses on how do you bring design thinking and a creative process to interesting challenges like this?
Eli Sugarman: [00:07:51] And so, basically, we're working with them to launch a global contest, saying, you know, we're going to offer prize money. Here's some background information on the sad state of these visuals. Here are some examples. You know, here are some examples of the kinds of things we think you should try to do. Now give us your best ideas, and we're going to have a formal contest and a jury award prizes and really try to generate some interest that way.
Dave Bittner: [00:08:13] And then what happens once you've selected a winner? Do those images become available?
Eli Sugarman: [00:08:18] Yeah, that's exactly right. The winner would, of course, receive the prize that he or she is entitled to. And all of the submissions are licensed under Creative Commons, which means they'll be made available to anybody who wants to use them, to be credited to the artist, of course, who should deserve credit for their work, but then can be used by think tanks, by universities, by CyberWire itself, to try to tell better stories and really explain these really important cyber concepts. So the whole idea is to put out better-quality visuals that that people can then use.
Dave Bittner: [00:08:45] Now, beyond the creation of the images themselves, are there any plans for any sort of promotional campaigns to help get the word out there and, you know, influence people to try to move on and use some of these new images?
Eli Sugarman: [00:08:58] Right now our campaign is starting to just raise awareness about this contest and the problem it's trying to solve. I think once we see what we get out of it - because it's hard to predict how many images will come out, how many will really be used and really galvanize the field - I think then we may come up with some ideas to then use them and do, you know, secondary campaigns and pushes.
Eli Sugarman: [00:09:19] What we're going to focus on is really making sure that folks already doing, you know, public awareness, capacity building, education on cybersecurity know about this contest, and then we make sure that the images are shared with them so that they can then put them into use in their important work, some of which we're already funding. And so I think we'll wait and see whether or another type of broad campaign's indicated or whether just making that connection between the - this new resource and those who can make use of it is strong.
Dave Bittner: [00:09:47] And so if someone wants to find out more information, what's the best way to do that?
Eli Sugarman: [00:09:51] We have a website. If you are interested in learning more about the contest and sign up for updates and see the background reports and everything, there's a website to visit, which is www.openideo.com/signup/signup-hewlett-cybersecurity. Another way to do it is to pay - just check the Hewlett Foundation website, where we'll be announcing this and sharing all the relevant links.
Dave Bittner: [00:10:25] That's Eli Sugarman from the Hewlett Foundation.
Dave Bittner: [00:10:29] Concerns over human-administered quality control checks of voice assistants have driven changes at both Apple and Amazon. As the Times of London reports, following up on stories broken earlier by The Guardian, Apple had been sending Siri recording to contractors for review. Siri was found to be pretty indiscriminate in what it recorded, too. Amazon had been sending audio clips of people talking within earshot of their home Alexa devices to contractors in Poland for analysis. The intent wasn't to spy on people in their homes; Amazon was clearly interested in improving the quality of Alexa's responses, but it amounted in effect to unwelcome eavesdropping.
Dave Bittner: [00:11:10] Apple is changing the way it trains Siri, Threatpost reports, and TechCrunch describes how Amazon is making similar changes with Alexa. Apple told TechCrunch it was suspending grading Siri's responses by having contractors review them. Users will, in the near future, be given the choice of opting in or out of such grading. Bloomberg reports that Amazon has also given users the option of declining human review of their interactions with Alexa.
Dave Bittner: [00:11:37] Investigators are working through the digital exhaust of the El Paso and Dayton shooters and are finding the sadly familiar disinhibition and self-absorbed nihilism so often seen among those who've made the delusional ascent into a life lived online. May the victims and survivors find such peace as they can receive. Our thoughts are with them.
Dave Bittner: [00:12:04] And now a message from our sponsor ObserveIT.
Unidentified Person: [00:12:09] Great party, huh?
Dave Bittner: [00:12:11] Yeah, yeah. Great party. Could you excuse me for just a moment? Hey, you. What are you doing? What - oh, no. Looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss.
Unidentified Person: [00:12:30] Did someone say trouble? I bet I can help.
Dave Bittner: [00:12:33] Who are you?
Unidentified Person: [00:12:34] To catch insider threats, you need complete visibility into risky user activity. Here - I'll show you how ObserveIT works.
Dave Bittner: [00:12:42] Wow. Now I can see what happened before, during and after the incident, and I'll be able to investigate in minutes. It used to take me days to do this.
Unidentified Person: [00:12:51] Exactly. Now, if you'll excuse me, I think there's a cocktail over there with my name on it.
Dave Bittner: [00:12:57] But wait - what's your name? Oh, well. Thanks, ObserveIT - and whoever she is. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:13:33] Hi, Dave.
Dave Bittner: [00:13:34] We had a story last week about some vulnerabilities that were discovered in a popular real-time operating system.
Joe Carrigan: [00:13:41] Yeah.
Dave Bittner: [00:13:41] Bring us up to date here.
Joe Carrigan: [00:13:43] It's from Armis Labs - has found these vulnerabilities. And they call the operating system the most popular operating system you've never heard of, right? And it's an operating system called VxWorks - what's called a real-time operating system.
Dave Bittner: [00:13:56] Right.
Joe Carrigan: [00:13:57] Meaning that they have time constraints on how fast the operating system can process the data that it's given.
Dave Bittner: [00:14:03] And this is used in what kinds of devices, typically?
Joe Carrigan: [00:14:04] It is used in a lot of different devices - industrial control and SCADA systems, medical devices. But it's also - the vulnerable part is used in some firewalls from SonicWall firewalls. The vulnerabilities are in the TCP/IP stack - right? - which is software that runs on devices to make sure that they're connected to a network.
Dave Bittner: [00:14:23] OK.
Joe Carrigan: [00:14:24] And nothing else needs to be running on these devices in order for them to be vulnerable because the vulnerabilities are in that part of the software.
Dave Bittner: [00:14:31] OK.
Joe Carrigan: [00:14:32] And these vulnerabilities are exploitable with broadcast packets. So if you can get a packet to one of these vulnerable devices, you can exploit the vulnerability. Armis Labs hasn't released any exploits. They're calling the vulnerabilities Urgent/11 because there are actually 11 urgent vulnerabilities in there. Six of them can lead to remote code execution, and the other five can perform denial of service attacks - essentially, you know, stopping something from working. The issue here is going to be updating it. So Armis has disclosed these vulnerabilities to Wind River, who makes VxWorks.
Dave Bittner: [00:15:04] Right.
Joe Carrigan: [00:15:05] And SonicWall has already issued a patch for their firewalls, and they're saying - telling everybody to patch now. The industrial control systems, they're all going to have to be patched, but the problem with these things is they're all attached to working industrial systems that they're controlling, right?
Dave Bittner: [00:15:19] Yeah. I mean, that's the thing with these - I mean, it's sort of - when you're dealing with these real-time operating systems, a lot of times they're in embedded devices that...
Joe Carrigan: [00:15:27] Right, these are specifically for embedded devices, right?
Dave Bittner: [00:15:31] So they're not going to get updated. I mean, lots of them are going to be out there sitting somewhere deep inside of something.
Joe Carrigan: [00:15:37] Wildly running away - right? - just doing what they do.
Dave Bittner: [00:15:38] You might not even know that it's there, right?
Joe Carrigan: [00:15:41] Right, exactly. You might have a configuration management issue. In order to update these devices, you're probably going to have to shut down a manufacturing line somewhere or a device. Now, in some situations, you might be able to do that. So it's not going to be as easy as patching NIF (ph) or Windows devices, right?
Dave Bittner: [00:15:56] Yeah.
Joe Carrigan: [00:15:57] And that's, you know, where the long tail of this is going to be, is what they're calling it. But there is good news. Armis has done a great thing. They've released a series of snort rules so that you can spot these things and potentially stop them before they get to where they need to go.
Dave Bittner: [00:16:10] Head them off at the pass?
Joe Carrigan: [00:16:11] Head them off at the pass, right.
Dave Bittner: [00:16:12] Right (laughter).
Joe Carrigan: [00:16:12] So you can mitigate this.
Dave Bittner: [00:16:13] Yeah.
Joe Carrigan: [00:16:15] And anybody that can mitigate it and needs to mitigate it absolutely should mitigate it. And when it comes time to patch those devices or maintain those devices, do the patch.
Dave Bittner: [00:16:23] Replace those devices.
Joe Carrigan: [00:16:25] I don't know that you need to replace them; I think you just need to update them.
Dave Bittner: [00:16:27] I'm just thinking, you know, a lot of these embedded devices, they run until they stop running, you know.
Joe Carrigan: [00:16:34] Right.
Dave Bittner: [00:16:34] And then a new one - they get replaced.
Joe Carrigan: [00:16:36] Yeah.
Dave Bittner: [00:16:37] There's - you know, they're so deep in there, they run for a decade or more.
Joe Carrigan: [00:16:39] Yeah, and these things really don't break because they don't have moving parts.
Dave Bittner: [00:16:42] Yeah.
Joe Carrigan: [00:16:42] You know, they're sitting there doing the computation, and they're very good at it. And the operating system's efficient. The hardware is efficient.
Dave Bittner: [00:16:48] Yeah.
Joe Carrigan: [00:16:48] And it just works.
Dave Bittner: [00:16:49] It's a mixed blessing, I guess.
Joe Carrigan: [00:16:51] Yeah, it is. It is.
Dave Bittner: [00:16:52] When something like this pops up, it's difficult to address because these systems are so deep within...
Joe Carrigan: [00:16:57] Right.
Dave Bittner: [00:16:58] ...The operations of organizations.
Joe Carrigan: [00:17:00] Absolutely.
Dave Bittner: [00:17:02] Good perspective, as always. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:17:04] My pleasure, Dave.
Dave Bittner: [00:17:10] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:17:51] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.