Patcher ransomware. Locky, Cryptowall, and Cerber are still active; so is old-fashioned blackmail. NSA keeps the VEP. Reactions to New York State's cyber regs for banks. Observations of BugDrop, and thoughts on cyber war and attribution.

Dave Bittner: [00:00:03:14] Patcher ransomware goes after Macs, and, fair warning, it does so in a dangerously incompetent way. Locky, CryptoWall, and Cerber are also still out and about in the wild. NSA seems likely to continue its Vulnerabilities Equities Process. Industry reactions to New York State's coming cybersecurity regulations for financial institutions. A look back at RSA discussions of cyber warfare. Further developments in the study of BugDrop malware. And TruSTAR looks at Grizzly Steppe and has some thoughts on the difficulties of attribution.

Dave Bittner: [00:00:41:20] Time to take a moment to tell you about our sponsor, CyberSecJobs. If you're an information security professional seeking your next career, or your first career, you need to check out cybersecjobs.com and find your future. CyberSecJobs is a veteran owned career site and job fair company for information security professionals and students. Job seekers can create a profile, upload their resume and search and apply for thousands of jobs, and it's great for recruiters too. If you are an employer looking to source information security professionals, contact CyberSecJobs about their flexible recruitment packages designed to meet your needs. Here's one of the current hot jobs: WakeMed is looking for an information system security officer to help safeguard sensitive information. You'll find this and other great opportunities at cybersecjobs.com. That's cybersecjobs.com. And we thank CyberSecJobs for sponsoring our show.

Dave Bittner: [00:01:45:02] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, February 23rd, 2017.

Dave Bittner: [00:01:55:03] The Bratislava-based security company ESET reports that there's a new and unusually virulent strain of ransomware affecting Macs. It's called "Patcher" and it's spread by torrent files offering license crackers. It's dangerous, according to ESET, in part because it's incompetently coded: the authors left the victims with no way of recovering their files, even upon payment of ransom. They also put up an implausibly blank installation wizard. So buyer beware—be especially wary of the torrent. It seems not unlikely that whoever's behind Patcher will soon fall into the hands of the authorities—he or she is almost charmingly naïve and obvious in his or her payment instructions.

Dave Bittner: [00:02:38:19] Other, more established forms of ransomware continue to circulate: Locky, CryptoWall, and Cerber account for 90% of current infestations, according to Check Point. Crypto ransomware isn't the only form of cyber extortion out there, either: a Bitdefender study concludes that fear of reputational damage is likely to motivate a significant fraction of IT executives to pay up. Some 14% of those surveyed said they'd be willing to pony up half a million bucks if it would keep their breaches or other security issues off the front page.

Dave Bittner: [00:03:10:17] In the US, NSA appears likely to continue its Vulnerabilities Equities Process essentially unchanged. The program governs the agency's disclosure of zero-days to industry.

Dave Bittner: [00:03:22:23] Reaction to New York State's cybersecurity regulations for banks continues. The new regulations take effect on Wednesday, March 1st.

Dave Bittner: [00:03:31:09] VASCO's John Gunn told us by email that he sees the regulations as likely to drive enterprises toward biometric and risk-based authentication. His VASCO colleague, David Vergara, likes the importance the new rules place on assessing third-party risk.

Dave Bittner: [00:03:47:08] Christian Lees of InfoArmor thinks "this is an example of progressive regulation," and that there's a good chance they'll shape emerging industry standards. CipherCloud's Willy Leichter agrees: "A state the size of New York can effectively create nationwide requirements." The new rules remind him of the effect California had on the industry 15 years ago when it created a legal requirement for public notification of data breaches."

Dave Bittner: [00:04:14:17] NuData Security's Robert Capps isn't so sure Governor Cuomo's regulations will propagate nationally, but he does think they'll be a bellwether: "New York may be the first state to introduce such measures, but they most certainly won't be the last." But he also points out that some of the regulations seem redundant with respect to existing Federal laws and regulations, and he notes that New York State, while influential, lacks jurisdiction over Federally chartered institutions.

Dave Bittner: [00:04:43:19] We continue our look back at the RSA conference with some thoughts on cyber warfare, a matter of concern and policy that loomed large in San Francisco last week. There were many warnings about the coming increase in conflict in cyberspace. The term "hybrid warfare" is mostly associated with Russia, especially in its incursions into Ukraine. Hybrid warfare is an amalgam of conventional combat, special warfare, deniable insurgencies, and cyber operations (involving hacking, interference, and information operations), and it's expected by many to become the normal form of warfare in this century. Microsoft made a plea for the neutralization of the tech industry at RSA, "neutralization" in the sense that it should become a kind of virtual Switzerland, aligned with no one and taking part in nobody else's wars. Redmond also urged the adoption of a digital Geneva Convention that would protect non-combatants (like, for example, Microsoft) and for the creation of confidence-building international institutions along the lines of the International Atomic Energy Agency. Many applauded the sentiments, but few policy experts thought them likely to have much effect.

Dave Bittner: [00:05:57:02] In what may amount to an update on an ongoing instance of hybrid warfare, security company CyberX offers further descriptions of BugDrop, a complex and sophisticated cyber espionage campaign in progress against a diverse array of Ukrainian targets. The malware in use is spread by phishing; the specific vector is the familiar one of malicious macros in attached documents. Once installed, the suite of attack tools takes control of infected device's microphones and collects ambient audio; it also steals files and exfiltrates them to Dropbox. The malware is relatively quiet and unobtrusive. Its purpose appears to be reconnaissance only: there's no evidence of any destructive functionality. Beyond saying that the responsible threat actor appears to have considerable "field experience" and a great deal of money, CyberX declines to offer any attribution, and refuses the opportunity to jump to the obvious conclusion that the Russians did it.

Dave Bittner: [00:06:55:14] Their reticence is probably commendable, because attribution is indeed a messy, uncertain business. The threat intelligence company TruSTAR called us today to tell us about the results of their own adventures in attribution. They took a look at Grizzly Steppe, the report describing the Russian threat actors who made an uninvited and unwelcome appearance in the Democratic National Committee email servers last year. Those actors are generally believed to be Cozy Bear and Fancy Bear, a.k.a. the FSB and the GRU. But when TruSTAR ran it through their own analytics, they came up with some very significant overlap in infrastructure with the criminal gang Carbanak. That's not to say, as TruSTAR CEO Paul Kurtz pointed out, that the Russian intelligence organs were uninvolved—there are many good grounds for agreeing with the consensus view that they were. But it does remind us, as Kurtz put it, that "Attribution is a muddled mess when these guys start using the same infrastructure." Cozy and Fancy are quite capable of using criminal gangs, criminal gangs are quite capable of using code or infrastructure established by states, and there's also the possibility of moonlighting, or even false flags.

Dave Bittner: [00:08:08:02] So, when you're among the bears, don't be too soft or too hard, be just right.

Dave Bittner: [00:08:18:24] Time for a message from our sustaining sponsor, Cylance. Are you looking for something beyond legacy security approaches? If you are, and really who isn't, you're probably interested in something that protects you at machine speed and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence, Cylance knows malware by its DNA. Their solution scales easily and it protects your network with minimal updates, less burden on your system resources and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It maybe artificial intelligence but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. Cylance, artificial intelligence, real threat prevention. That's cylance.com and we thank Cylance for sponsoring our show.

Dave Bittner: [00:09:18:06] Joining me once again is Emily Wilson. She is the Director at Analysis at Terbium Labs. Emily, we see a lot of these tools, these exploits. They go through sort of an experimental phase but then they become part of the tool kit.

Emily Wilson: [00:09:38:07] They do. I think one of the things that we've seen over time is the way in which, "I'm going to hack into something and leak the data or do something nefarious" has gone from being a tool of vandalism to opportunistic or even targeted fraud and financial gain, to now we're seeing these same things play out at a state level or international level. We are moving from surprise that it's happened at all, to surprise at who was targeted next or surprised on how it's manifesting and so we have accepted that this is part of the toolbox, but if you want to sell these kinds of exploits, if you want to expose the personal information of a government agency or an intelligence agency or some sort of international body, we are no longer thinking of that as something that's outlandish or surprising. We're just surprised at who it is or surprised that it's happened to this person next.

Dave Bittner: [00:10:36:19] So, from an enterprise point of view, no longer are people saying, why would anyone be interested in my CEO?

Emily Wilson: [00:10:43:13] Right. I think that's true and I think that this idea that some attacks are opportunistic - sometimes you are the low hanging fruit, sometimes you are the house in the neighborhood who left your door unlocked - and sometimes it's targeted, sometimes it's strategic, and you are always going to fall somewhere in that range of opportunistic targets, but I think that people take for granted where they fall in the range of strategic targets as well and this is governments but it's also enterprise businesses or even medium to small size businesses. If you have customers or if you have sensitive or proprietary information you will be a target at some point.

Dave Bittner: [00:11:23:05] I might not be the big target but I may do business with someone who is a big target, so I may be the conduit into that big target.

Emily Wilson: [00:11:30:08] That is true or you may use the same vendor or the same third party service that everyone else in your industry uses and they're a target. Your exposure isn't limited just to your own systems, that's definitely an issue, but there are all of these other ways in or other places your information is being exposed or is vulnerable and you have to think beyond yourself.

Dave Bittner: [00:11:54:09] There's this popular notion, and you hear it particularly when people are marketing their services, that it's not a matter of if, it's a matter of when. Some people say, "Oh, that's just marketing" and they roll their eyes but other people say, "No, it's actually not a matter of if, it's a matter of when." We're at the stage now where there are so many reasons why people may be interested in the data you have that you can't assume that you're an uninteresting target.

Emily Wilson: [00:12:20:07] That's true. That is absolutely true and even if you have best practices, if you are early adopter of every great new thing, at some point the defenses won't be enough. Not to break out another analogy here, but you think about the fact that your house is secure against a rainstorm if you will, but every so often there's going to be a hurricane. Maybe it won't be a hurricane for you, maybe where you live it's a tornado, maybe where you live it's an earthquake, maybe someone isn't going to leak your client list but maybe there's a certain type of malware that is going to just make its way through your industry. One of the things we saw that was really interesting at the end of 2016 actually is there's an actor called the Dark Overlord who had previously been primarily working in health care and basically said "I'm bored, I'm switching to government contractors - they have good, sensitive information" and things like that happen. You may not think you are a target because you're not the thing that's popular right now or you're not the large enough company that you think you're going to be targeted but somebody somewhere at some point probably will make an effort.

Dave Bittner: [00:13:27:14] All right. Emily Wilson. Thanks for joining us.

Dave Bittner: [00:13:32:11] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can protect you from cyber attacks, head on over to cylance.com. We hope you'll check us out on Facebook, Twitter and LinkedIn and, if you'll head on over to i-Tunes and leave a review for our podcast, well that's really helpful as well. It's one of the best ways that you can help new people find our show. So thanks in advance.

Dave Bittner: [00:14:03:14] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik. Our social media editor is Jennifer Eiben, our technical editor is Chris Russell. Executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.