Patch by midnight, and reply by endorsement. Cerberus is howling; Rampant Kitten is yowling. TikTok and WeChat both get reprieves. German police want ransomware operators for homicide.
Funding for this CyberWire podcast is made possible in part by LastPass. LastPass is an award-winning security solution that helps millions of individuals and over seventy thousand organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. LastPass can minimize risk and give your IT team a breakthrough integrated single sign-on, password management, and multi-factor authentication solution.

CISA tells the feds: patch Zerologon by midnight tonight. Cerberus surges after its source code is released. Rampant Kitten, an Iranian surveillance operation, is described. The US bans on WeChat and TikTok were both postponed. Justin Harvey from Accenture marks three years since WannaCry with a look at ransomware. Our own Rick Howard on red and blue team operations. And police in Germany are looking for ransomware attackers on a homicide charge.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 21, 2020.

Late Friday, the US Cybersecurity and Infrastructure Security Agency directed all federal agencies to apply August patches to Microsoft Windows Server. Emergency Directive 20-04 requires that mitigations of the Zerologon privilege escalation vulnerability, CVE-2020-1472, which Microsoft addressed in August, be applied by midnight tonight, and that all agencies report completion by midnight Wednesday. The directive applies only to federal agencies under CISA's oversight, which is most of them, but with certain national security exclusions. As Forbes notes, if the matter is serious enough for CISA to take this action, then the private sector would be wise to do the same.

The release of Cerberus source code has, as predicted, been followed by an increase in attacks using the banking Trojan, Kaspersky reports.
Apparently despairing of getting their reserve price in an online auction that didn't work out to their satisfaction, and faced with the difficulty of maintaining the malware as the gang broke up, the managers of Cerberus last week released their source code online. Kaspersky said, quote, "The result has been an immediate rise in mobile application infections and attempts to steal money from consumers in Russia and across Europe as more and more cybercriminals acquire the malware for free," end quote. Researchers are seeing the same sort of jump in functionality and usage they observed when Anubis went similarly public last year.

Check Point describes what it's seen of Rampant Kitten, an Iranian threat group that's been keeping tabs on that country's dissidents for six years. Rampant Kitten has used four Windows infostealers, an Android backdoor that pulls two-factor authentication codes from SMS messages and records the infected device's audio surroundings, and Telegram phishing pages. Rampant Kitten has prospected domestic opponents, but it's taken even closer interest in certain dissident groups in the Iranian diaspora.

US bans on transactions involving TikTok and WeChat, scheduled to take effect yesterday, didn't happen, due first to eleventh-hour agreements about control over TikTok and second to a temporary injunction a federal magistrate issued to keep WeChat running as it has. In outline, according to the Wall Street Journal, the agreement reached Saturday would give Oracle a 12.5 percent stake in the company, to be called TikTok Global, and Walmart would purchase 7.5 percent of the venture. That would leave ByteDance with about 80 percent of TikTok Global. But as it happens, ByteDance is 40 percent owned by American investors, and the companies hope that this would constitute sufficient US control to allay US security fears. Oracle also intends to provide the new company with secure cloud services for TikTok's data, and Walmart would agree to provide e-commerce, fulfillment, payments, and other services to TikTok Global. The agreement that would establish TikTok's American operations as a standalone company with partial US ownership remains under evaluation, and the Commerce Department says the ban has therefore been postponed a week.

The Wall Street Journal reports that a US federal magistrate has granted a temporary injunction stopping the government's intention of similarly stopping transactions involving WeChat. A group of the app's users filed an emergency motion seeking to block the government's plans on First Amendment grounds. The government, they argue, has insufficient grounds for blocking their access to the Chinese-made and Chinese-operated app, and this constitutes restraint of their freedom of speech. The government has said that it intends to take no action against anyone using WeChat to communicate either personal or business information, but that the app's data collection practices represent a threat to national security.

Should one or both bans eventually go through, the Chinese government has signaled that US companies are in for some rough treatment of their own. The Washington Post reports that on Saturday China's commerce ministry announced plans for adding some companies to its unreliable entities list. While the ministry didn't specify exactly who would make the list, Chinese state media have for some time been calling for retaliatory bans on Apple and Google, so those two, probably, for starters at least.

The sad case last week of a woman who died when ransomware at a Düsseldorf university hospital required that she be diverted to a hospital some thirty kilometers away, too far to give her the prompt emergency treatment she needed, has prompted prosecutors in Nordrhein-Westfalen to open a criminal inquiry into negligent homicide against unknown persons.
Reuters reports that the loss of data so interfered with hospital admissions that it was unable to take patients arriving by ambulance. It's been widely reported that, should charges eventually be filed, it would be the first time a death had been linked to a cyberattack. That depends, of course, on how narrowly one construes the words "linked to a cyberattack," since there have certainly been deaths induced by swatting, where a phone call's origin was spoofed. But it is an unfortunate reminder that, for all the desensitizing habituation cyberspace tends to produce in those who live and move and have their being there, cyberattacks do have real consequences for real people.

Security firm Emsisoft, which has made a reputation providing decryptors to ransomware victims, thinks that the Düsseldorf case ought to put an end to the payment of ransom. One of the objections to paying ransom, however much of a bargain it might be in any particular case for any particular organization, is that doing so fuels the bandits and encourages future attacks. The argument parallels one that's long been made against negotiating with terrorists. If payment encourages ransomware gangs, and if their attacks are growing in frequency and consequence, then it's time, Emsisoft thinks, to stop feeding the beast. In the meantime, all we can do is offer condolences to the victim's family and friends, and wish the German police good hunting.

And now a word from our sponsor, LookingGlass Cyber. For years, organizations have been working to keep up with threats by deploying new security tools. The result is a complex and inflexible security stack that is ineffective in today's micro-segmented, borderless, and distributed networks. To keep pace with the threats of today and prepare for the future, organizations need flexible protection around their unique network ecosystems. With a software-based approach to unifying your security stack, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With this flexible approach, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet Cloud Shield Eclipse, distributed cyber defense. Learn more at lookingglasscyber.com. That's lookingglasscyber.com, and we thank LookingGlass Cyber for sponsoring our show.

And I'm joined again by Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. But more importantly than either of those things, he is the host of CSO Perspectives over on CyberWire Pro. Rick, it's always great to have you back.

Thanks for the plug, sir. I appreciate it.

Of course, of course. You know, last week you and I were discussing the history of pen tests. We were talking about red team and blue team ops and purple teams and all that stuff. This week you continue that. You take it to the next level. You brought in some experts to your Hash Table, and you discuss how practitioners handle this stuff in the real world. So what kind of stuff did you find out?

Yeah, you're right. So if you recall from last week's show, back in the early seventies, the good-guy hackers, these are white hats, ethical hackers, you know, we started to use our own skills against our own systems, and eventually those exercises became known as penetration tests. These were separate teams. You know, they would attempt to poke holes in the technology deployed to protect the enterprise. Now, these weren't trying to emulate any adversaries. Okay.
They were just trying to find, you know, the unknown open windows and doors. And I was surprised, you know, when I did the research, that it went back as far as the seventies. What I discovered, though, when I was talking to the Hash Table experts, is that security experts have different ideas on how to use these teams, and it's on a spectrum of activity. On one end, it's sitting the team somewhere on the Internet and telling them to find a way in any way they can, to, on the completely opposite side of the spectrum, giving the team extremely specific parameters about what they're supposed to do and from where they're supposed to do it. Now, this has kind of gone along for a long time, and for my part I never thought that former part, you know, kind of willy-nilly, do whatever you want, was that valuable, right? Because, you know, can pen testers find their way in? Of course they can. Okay, that's what they get paid to do. So I was talking to Rick Doten about this. He is the CISO for Carolina Complete Health, and before he was a CISO he ran a commercial pen testing team, and his clients would ask them to see if the pen test team could get into the client's network, and so this is what they would tell them.

So when I was a consultant, I would often have customers who'd call and say, "Hey, can you do a penetration test and see if you can get in?" And I would always tell them, "Save your money. Yes, we can. There's no question about it." It's like, if you have a specific reason that you want us to focus on, or you just updated a system, or you're monitoring, or you want to test the way that these controls are acting, that would be something. But if it's just a general "Can you get in?", yes, we can always get in.

I think his point is that pen tester activities should not be free-for-alls. Okay? They should be highly tailored to test something specific, like, you know, a newly deployed S3 bucket or a change in firewall settings or even a newly deployed server farm or something like that.

Yeah, it kind of reminds me of, like, I don't know, if I were testing the security of my home. If I were to go to a pro, if I were to go to a locksmith and say, "Could you get into my house?" Well, of course a locksmith is going to be able to get into my house, right? But I suppose that's different than saying, "Hey, I want to bring someone in to make sure my alarm system is functioning the way I expect it is, or that I am turning it on the correct way when I go to bed at night." You know?

Right, right, right, right.

That's really interesting. Well, last week we ended on a bit of a cliffhanger, and it was kind of up in the air whether red team and blue team ops were considered an essential function. Has there been any clarity in the meantime? Have you made up your mind?

I think I finally have. I was on the fence, and I don't think that red team blue team operations are essential. They're kind of expensive to do, and I definitely would not pull that lever if I was beginning to set up a new infosec program. That's not the first move. But if I mature and I put in these other strategies, and we've talked about them on this show, right, the resilience and zero trust and intrusion kill chains and being able to assess risk in your organization, if you can get all that stuff going and it's relatively mature, then the next lever you might pull is red team blue team operations. And so they're not essential to your infosec program. I will say, though, that the training opportunity you get by doing those is pretty decent. You put a brand new SOC analyst hunting down a red team in real time, there's some real live training going on there. So there may be some benefit there, but again, maybe not essential to any infosec program.

All right, well, check out CSO Perspectives. That is over on CyberWire Pro on our website, thecyberwire.com. Check it out. Rick Howard, thanks for joining us.

Thank you, sir.

And now a word from our sponsor, ExtraHop, securing modern business with cloud-native network detection and response.
The massive shift to remote work has turned the reality of work on its head. With cloud and multi-cloud adoption, comprehensive visibility is more important than ever. But in order to protect your business, you need more than unified visibility. You need intelligent response workflows so teams can collaborate and act quickly. ExtraHop helps organizations like Wizards of the Coast detect threats up to 95 percent faster. As John Crease, senior IT engineer, puts it, quote, "ExtraHop is helping us accelerate cloud adoption by ensuring our workloads are secure." See how it works in the full product demo, free and no forms required, at extrahop.com/cyber. That's extrahop.com/cyber, and we thank ExtraHop for sponsoring our show.

And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. We recently passed the third anniversary of WannaCry. I wanted to check in with you on some of the things that you've been tracking when it comes to ransomware and how it's evolved over the past three years.

Sure. The third anniversary of WannaCry was just last month, and I've got to say WannaCry was a pivotal moment in cybersecurity history, not because of some of the damage that it created; we've seen damage for ten, fifteen, twenty years. What really was surprising was that WannaCry was going to be the first of many of this type of destructive attack. Now, in my experience, I define ransomware as destructive malware, because there's really no difference. With destructive malware you don't have a means to get your data, and with ransomware you may have a means, if you're willing to take that risk. And so with WannaCry creating so much damage three years ago, it really started a cascading of events in ramping up ransomware. I believe that adversaries saw this as an opening for them to exploit victims and get a big payday.
And we've seen since then that ransomware has sort of expanded its scope of operations to include exfiltrated data, to kind of turn up the heat on the folks that they're ransoming.

That's exactly right. We at Accenture are seeing a lot of cases, and in fact, since the pandemic started in early March, we have seen over a 50 percent increase in ransomware cases, and many of them are following the same incident life cycle. It's the adversaries that are doing a quick phish to get in, get a landing spot, quickly escalate privileges, and they're installing a persistence mechanism like Cobalt Strike. Now, Cobalt Strike is an interesting tool because it is a commercially available tool out there. Primarily, it is intended for use by red teams and friendly teams, but Cobalt Strike has been adopted by many adversaries out there, even nation-states, as a remote access Trojan. So these adversaries are getting in, they are installing Cobalt Strike, and then they're just kind of listening for a while. They're mapping the environment, they're understanding who's who and where the goods are, and then, of course, once they find the goods, they are encrypting them in place as well as stealing credentials and other data. So they've kind of got a bird in the hand, and the bird in the hand is they're stealing the data first and then extorting. So if they don't get their extortion money, boom, they've already probably monetized the first set of data that they exfiltrated.

In the time since WannaCry, has your playbook grown more sophisticated? When you're called out to help an organization who's dealing with ransomware, have things changed over the past couple of years?

Yes.
We have moved from being primarily an investigation team that's heavily focused on understanding the who, the what, the why, and then moving toward expulsion, and then transformation. We've moved from that model to quickly triage and help recover an environment, because before, the cases that we were running, both cyber criminal and nation-state, it was really a bug hunt. You have an adversary, they are hidden in the environment, and they are patiently stealing intellectual property and exfiltrating. And what we're seeing now is something different. We're seeing an adversary get in, be quiet, exfiltrate that first set of data, then of course they're doing the extortion, but through this extortion they're also taking out the entire enterprise. They're taking down Active Directory, they're taking down applications and databases and things that are necessary to create revenue or to fulfill the obligation of the enterprise. So for us, we are seeing more and more of that, and it's less about, well, who done it and how do we get them out of the environment, to how fast can we restore services?

It's interesting to me that, you know, I remember it felt like we might see a shift away from ransomware toward crypto mining for a little while, but that really didn't play out. The crypto mining kind of ran out of steam.

I think that with these crypto mining adversaries, I think they were primarily looking to make a quick buck off of the new types of cryptocurrencies out there. But I think that they're having a hard time monetizing these quasi-unofficial currencies out there. So it's very difficult for them to make money, and if you're already in an environment, you already have administrative access, why not just put in ransomware rather than go on a mining expedition? Now, clearly, mining is less destructive, but it can also take down an environment, as we've seen with a few of our clients over the last two to three years.

All right, well, Justin Harvey, thanks for joining us.
Thank you.

Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor Proofpoint's ObserveIT, the leading people-centric insider threat management solution. Learn more at observeit.com.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time, keep you informed, and it'll pick you up when you're feeling down. Listen for us on your Alexa smart speaker, too.

Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. And check out the Recorded Future podcast, which I also host. The subject there is security intelligence. Every week we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.