Industrial firms disclose cyber incidents. US DHS to check airliner cybersecurity. RCMP security case update. Bulletproof host taken down. Gnosticplayers. Royal phish.

Dave Bittner: [00:00:01] Hello, everyone. Dave here with a quick reminder that if you are a woman and you are listening to this podcast, chances are, you should be interested in the CyberWire's 6th Annual Women in Cyber Security Reception. This year's event is Thursday, October 24, at the International Spy Museum in Washington, D.C. You can learn more by visiting the thecyberwire.com/wcs. That's thecyberwire.com/wcs. Check it out. And we hope to see you there. 

Dave Bittner: [00:00:33]  Rheinmetall and DCC have disclosed sustaining cyberattacks. The U.S. government is looking at airliner cyber vulnerabilities. Simjacker is real, but recent phones seem unaffected. An update on the RCMP data misappropriation case. German police raid a bulletproof host. Gnosticplayers may be back. And someone is sending phishing snail mail that claims the British Crown needs your help to ease the economic fallout of Brexit. 

Dave Bittner: [00:01:07]  And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met, at bugcrowd.com. 

Dave Bittner: [00:02:24]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 30, 2019. In two apparently unrelated incidents, Rheinmetall and Defence Construction Canada sustained attacks on their IT infrastructure. In Rheinmetall's case, the attack, whose precise nature the company didn't specify, disrupted automotive production in Brazil, Mexico and the U.S. Defence Construction Canada has been able to maintain operations in the face of what the Ottawa Sun reports may have been a ransomware attack. 

Dave Bittner: [00:03:00]  The U.S. government is giving fresh impetus to a program that would look for cyber vulnerabilities in commercial aircraft. The program is led by the Department of Homeland Security with participation by the Departments of Transportation and Defense. DHS had acquired a used Boeing 757 airliner back in 2016 and used it to research potential vulnerabilities. The program had slowed down in the wake of controversies over the way some of the initial findings were disclosed, but DHS now intends to resume the work. The U.S. Air Force is also conducting its own complementary review of commercial aircraft cybersecurity. That research will address flight systems. Airline hacks have tended to hit reservation systems for the usual criminal reasons. The data stolen from such systems can be monetized. But this research program will look for ways in which aircraft safety and availability could be compromised. The Air Force flies some aircraft that are basically commercial models, and there's considerable overlap between military and civilian avionics, which explains the service's interest. Air Force Assistant Secretary for Acquisition Technology and Logistics Roper told The Wall Street Journal, quote, "if we don't probe first, our adversaries will. We've been a little complacent in not trying to attack all parts of the airplane," end quote. 

Dave Bittner: [00:04:22]  Researchers at SRLabs say they've developed a way of determining whether devices are vulnerable to Simjacker and similar exploits. These are the ones Adaptive Mobile recently warned about in which an attacker could pwn your phone by sending you an SMS message. They've also run their checks against a representative sample of susceptible devices. Simjacker and the related WIBattack could apparently be used against about 9% of Android and iOS devices, SRLabs concludes. That's still a lot of phones, given that there are some 7 billion phones kicking around these days. But SRLabs thinks the likelihood you'll be affected is still pretty low. And the good news is that none of the more recent models seem to be in danger. 

Dave Bittner: [00:05:06]  Anonymous sources have told the Canadian Broadcasting Corporation that the raid on Mr. Cameron Ortis' Ottawa condo turned up dozens of encrypted devices that police may not be able to break. Mr. Ortis is the RCMP intelligence director who's been arrested on charges related to alleged violations of the Information Security Act. Reporters say that he may have intended to pass sensitive information to either organized crime groups, like the Sinaloa Cartel, or to unspecified foreign governments. The CBC does note that encryption isn't illegal but that it does make the investigators' lives more difficult. They also found at least one interesting piece of paper in Mr. Ortis' quarters, a handwritten note that says, the project, which words were underlined and followed with, John Lemon's blog, "Removing Your PDF Metadata." The blog post mentioned offers a step by step guide to removing metadata from a PDF. 

Dave Bittner: [00:06:04]  The CBC says that a scan of some of Mr. Ortis' accessible devices indicated that between September 8 and 9, some 25 documents or more had been processed and sanitized to remove identifying information. The RCMP announced Mr. Ortis' arrest on September 13. So the PDFs were scrubbed less than a week before he was taken into custody. Mr. Ortis' bail hearing is set for this Friday. 

Dave Bittner: [00:06:30]  In other news of crime and punishment, police in the German land of Rhein-Pfalz have raided and shut down a bulletproof hosting data center in Traben-Trarbach, the AP reports. The action crossed both land and international boundaries with arrests near Frankfurt and other police action in the Netherlands, Luxembourg and Poland. The data center, located in a surplus NATO facility acquired by a Dutch national in 2013, is thought to have been involved in both contraband markets and in the 2016 distributed denial-of-service attack on Deutsche Telekom. Hosting contraband trading websites isn't a crime under German law, at least, provided you don't really know that's what the sites are up to, but the authorities think the people running the show at Traben-Trarbach knew perfectly well what was going on and they themselves were mobbed up. Allegedly, we hasten to add - allegedly. 

Dave Bittner: [00:07:24]  Gnosticplayers may be back. Online game company Zynga disclosed a breach on September 12, and now The Hacker News says that Gnosticplayers claims that he or she or they has counted coup against Zynga, attaining access to some 218 million Words with Friends accounts. Gnosticplayers is neither a grey hat nor a gadfly. Earlier this year, they gained notoriety for offering 747 million records culled from 24 popular sites. 

Dave Bittner: [00:07:55]  And finally, thanks to Mr. Paul Ridden of Skillweb, a firm in the U.K. that provides a range of business services. He shared an interesting little item that appeared in his mailbox with those of us who hang around LinkedIn. A snail-mail letter purporting to be from Her Majesty's household asks recipients to help Queen Elizabeth save Britain's economy from Brexit with bitcoin. Of course, if you get one of these, you'll no doubt want to hop to it because in exchange for your patriotic or nostalgic or Anglophilic gesture, you'll get your very own self a membership of the Royal Warrant Holders Association. 

Dave Bittner: [00:08:32]  We consulted our palace desk, and they tell us that Royal Warrants are actually a thing. Or, more properly, they're actually things, things by which purveyors of goods and services to the royal family might be recognized. For example, Bluebird Buses and Fortnum and Mason groceries have got the Royal Warrant. So does Schweppes - no surprises there. But so does Samsung. Thus, if Her Majesty actually listened to the CyberWire, who knows, we might qualify for a Royal Warrant. But on the other hand, the Palace desk tells us not to get our hopes up, especially inasmuch as we're only Americans - poor things - and also because the editors over the years have developed ways about them that, well, just aren't right. Alas, no one seems to have taken Her Majesty up on the call for help so we may never know if easing the pain of Brexit would earn a Royal Warrant. 

Dave Bittner: [00:09:29]  And now a word from our sponsor Edwards Performance Solutions. It's commonly accepted that cybersecurity is a business risk, not an IT problem. What may not be as commonly accepted is that cybersecurity needs to be an integral part of every business strategy and that cybersecurity can actually be an asset to your business. Achieving this outcome is a journey. The journey starts with an understanding of what information is important to the business, what business processes generate, use, store or transmit that information, and what are the rules and regulations impacting the information? The next part of the journey is understanding the risks to the business and those information assets, followed closely by establishing a governance structure to manage those business risks. This includes managing the risk to your supply chain. The journey is not an easy one and is fraught with roadblocks and obstacles. You may need a guide. Edwards Performance Solutions is ready to be your guide in this journey. Please visit their website, edwps.com, to learn more. That's edwps.com. And we thank Edwards Performance Solutions for sponsoring our show. 

Dave Bittner: [00:10:49]  And I'm pleased to be joined once again by Malek Ben Salem. She's the senior R&D manager for security at Accenture Labs. Malek, it's great to have you back. I wanted to highlight some of the work that you and your team are doing there at Accenture, your cyber threat group, highlighting some of the factors that are involved with security. What can you share with us today? 

Malek Ben Salem: [00:11:09]  Yeah. Thanks, Dave. So Accenture's iDefense group, which is our threat intelligence group, has published its annual cyber threat report. And it highlights five different threat factors that are influencing the cyber threat landscape. The first of those factors are compromising geopolitics and new threats that emerge from this information and technology evolution. So we know, obviously, disinformation has been a concern. And many entities continue to warn of cyber threats related to upcoming elections. What our analysts noted is that many of the threat factors are focusing on other types of global, political and geopolitical events, such as international summits, you know, evolving international tensions, and sporting events like the Olympics, et cetera. 

Dave Bittner: [00:12:10]  So what are some of the other factors you're tracking? 

Malek Ben Salem: [00:12:12]  The second factor is how cybercriminals are adapting and working together, diversifying their strategies and looking more like states. So despite the high-profile, low-enforcement actions that we've seen against criminal communities and syndicates in 2018, the ability of threat factors to remain operational shows an increase in maturity and resilience of criminal networks. This has been noticed in 2019. 

Malek Ben Salem: [00:12:46]  Our analysis indicates that conventional cybercrime and financially motivated targeted attacks will continue to pose a significant threat for users and businesses. However, the criminal operations will likely continue to shift their tactics to reduce risks of detection and disruption. Another trend that our analysts have noticed was that localized underground economies continue to emerge and grow in non-English-speaking countries, such as China and Brazil. And they tend to target their domestic populations due to familiarity with their own societies and cultures. 

Malek Ben Salem: [00:13:31]  The third thing we've noticed is the selling and buying of direct access to networks for ransomware delivery rather than carrying out advanced intrusions. So there has been a marked increase in the sale of remote access to compromised networks and to commodity malware to conducting intrusions for financial gain on underground forums and marketplaces. The - grouping all of these trends, we expect that cyber criminals will work together more and more, more likes - you know, as I mentioned, more, like, in communities and syndicates and more like states. 

Dave Bittner: [00:14:13]  Yeah. It's interesting that this - to follow this trend, I think - that the availability of tools continues to expand, which seems to make it easier for these folks to cooperate and collaborate. 

Malek Ben Salem: [00:14:28]  Exactly. So the commoditization of these tools and the markets that are being created to sell and buy these tools. 

Dave Bittner: [00:14:39]  Yeah - can't help wondering if that requires more collaboration on the good guys side to... 

Malek Ben Salem: [00:14:46]  Absolutely. 

Dave Bittner: [00:14:47]  To fight this, you know? 

Malek Ben Salem: [00:14:48]  Absolutely. We definitely not - need more collaboration on the defensive side. 

Dave Bittner: [00:14:53]  Yeah. 

Malek Ben Salem: [00:14:54]  What we're noticing more recently is that some of these actors actually may have hybrid motives, whether financial, ideological or political. For instance, we've seen that some ransomware appears to have been deployed to destroy information on a target rather than to efficiently make money. An example of this is the Goga ransomware that paralyzed a Scandinavian aluminum company in March 2019. It involved a variant that made it difficult to pay the ransom, which suggests that its real target may have been the victim company's share price and not, you know, financial gain. 

Malek Ben Salem: [00:15:41]  The fourth factor is that improved ecosystem hygiene is pushing threats to the supply chain, turning friends into frenemies. So as companies are improving their, you know, security posture, they're - as they are adopting the traditional industry cyber threat countermeasures, this is making it difficult for cyber actors to target them directly. And the easier way to attack them becomes through, you know, their partners or their vendors. And then the final factor is the hardware vulnerabilities like Meltdown and Spectre that were initially discovered in early 2018. Many cloud providers have deployed countermeasures to those vulnerabilities, which consisted in slowing down the processors. 

Malek Ben Salem: [00:16:37]  However, businesses, based on their size, may decide that it makes more sense for them to own or to build on-prem clouds in order to have more control about whether those countermeasures should be deployed or not. Because we know that those updates slow down the processor. If certain companies, bigger companies, have higher workloads, they may want to consider building their own on-prem cloud instead of, you know, relying on the more conventional clouds to run their workloads. 

Dave Bittner: [00:17:19]  Now, I mean, looking at this list of five elements, I mean, is there a common thread throughout them? Is there sort of a take-home message that folks should be thinking of? 

Malek Ben Salem: [00:17:30]  The one big message is that the cyber threat landscapes continues to evolve. So companies have to be resilient and have to continue working with their cyber threat intelligence groups to update their, you know, security mitigation strategies. 

Dave Bittner: [00:17:54]  Well, Malek Ben Salem, thanks for joining us. 

Malek Ben Salem: [00:17:56]  Thank you, Dave. 

Dave Bittner: [00:18:02]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:18:14]  Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast. 

Dave Bittner: [00:18:43]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.