Ransomware, Bitcoin, underwriters, and the bandit economy. OTA provisioning could lead to subtle phishing. Alleged spammers indicted. ZAO flashes and flickers out, for now.
Dave Bittner: [00:00:03] A look at the ongoing ransomware epidemic with some speculation about its connection to the criminal economy. Over-the-air provisioning might open Android users to sophisticated phishing approaches. Alleged spammers are indicted in California. And Zao, we hardly knew ye.
Dave Bittner: [00:00:26] And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:01:17] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, September 4, 2019.
Dave Bittner: [00:01:52] The continuing surge in ransomware attacks against U.S. local governments is drawing attention to a Russian criminal gang, StateScoop reports. CrowdStrike calls the gang WIZARD SPIDER, best known for its operation of TrickBot. The group has a sub-gang, GRIM SPIDER, which has been associated with Ryuk ransomware. The ransomware attacks continue, whether by the SPIDERs or others, and school districts remain attractive targets. Schools in Orange County, located in downstate New York on the New Jersey line, have delayed the opening of school this week as they deal with a ransomware infestation, CBS Local says. It's not known who's behind the attack, but the kiddos get a couple of extra days of summer. Not to worry, though. Should any attendance puritans or truant officers be listening, they'll probably have to make up the lost time in June, along with whatever snow days they accumulate over the winter.
Dave Bittner: [00:02:48] The proliferation of ransomware seems to be shaping a complicated bandit economy. Emsisoft thinks there's a good chance that extortionists' preference for payment in alt-coin has driven a rise in the value of bitcoin. It's a demand-side pressure. Bitcoin is attractive to extortionists, Emsisoft speculates, because it's accessible and easy to use, because it's verifiable and because it's more or less anonymous.
Dave Bittner: [00:03:15] ProPublica argued last week that insurance companies themselves contribute to this section of the criminal economy by pushing clients to pay ransom. They frame the argument harshly, suggesting that the insurance companies profit from ransomware, or as ProPublica puts it, quote, "even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom. Why? The attacks are good for business," end quote. Well, perhaps, or at least ransomware attacks are no better for the cyber insurance business than car crashes are for the automobile insurance business. Sure, hearing about ransomware might motivate a town to buy cyber insurance just the way seeing a smash-up on the freeway might make rubbernecking drivers consider upping their collision coverage. We mean, heaven forfend you should find yourself in an accident, right?
Dave Bittner: [00:04:09] ProPublica's article itself suggests as much. It's not that insurers like ransomware or welcome such attacks on their customers. Rather, the insurer is in the business of limiting losses, and this is always a cost-benefit proposition. The insurer wants to make the client whole as inexpensively as possible, and paying ransom might be the cheaper for the underwriters than covering un-ransomed losses and the associated costs of remediation. But nefariously motivated or not, if you pay the ransom, you inevitably encourage more extortion. And you encourage the extortionists to increase their demands.
Dave Bittner: [00:04:46] Various people have suggested, sometimes citing unnamed FBI sources, that criminals are deliberately looking for victims who have insurance. But as BankInfoSecurity points out, other experts remain skeptical that the criminals actually look for insured targets to hit, but bandits do respond to their own market forces. The publication quotes Bill Siegel, CEO of ransomware response shop Coveware. He says, quote, "I don't think it's the way that this market works, and we very much view it as a market. These guys go after the low-hanging fruit because it's cheap and the conversion rate is high. And whether or not those victims end up having insurance is just a roll of the dice," end quote.
Dave Bittner: [00:05:28] We note that our local example of a municipal ransomware incident, Baltimore, its very self, didn't have insurance against the clobbering it took this past spring. The mayor recently said he had no idea why Charm City wasn't insured. Us too, your honor. But if insurance isn't the common denominator in the attacks on school systems, what is? We think Siegel's observation about low-hanging fruit applies. The apple is too easy to swipe from the desk.
Dave Bittner: [00:05:58] The CyberWire's Tamika Smith reached out for insights from industry experts on ransomware. She files this report.
Tamika Smith: [00:06:05] New report from AppRiver Global Security looks at a variety of cybersecurity concerns this year, from cities under siege to business email fraud. Joining the conversation to shed more light on the report is Troy Gill. He's a manager of security research at AppRiver, where he evaluates security controls and identifies potential risks.
Tamika Smith: [00:06:26] Hi, Troy. Thanks for joining the program.
Troy Gill: [00:06:27] Hey, Tamika. Thanks for having me.
Tamika Smith: [00:06:29] So this year, cities across the country have been hit with ransomware attacks. You know, your report breaks down attacks in Florida, Baltimore, North Carolina. Can you talk a little bit about the damages? And what stood out to me, really, is the amount of money that these five cities have to put out in damages.
Troy Gill: [00:06:47] Yeah, certainly. You know, this is something that we had kind of predicted in our 2018 end-of-the-year report. We saw the, you know, great potential for a big uptick in this type of activity. You know, we've seen that play out in the first half of 2019.
Troy Gill: [00:07:01] Very popular now are local government municipalities targeted with ransomware. You know, it wasn't that long ago that we saw the city of Atlanta crippled by ransomware. They even had issues with 911 calls for a while. Of course, very disruptive, very damaging. And like any ransomware attack, the attackers have encrypted the files, and they want a ransom paid to release them.
Troy Gill: [00:07:24] So in Atlanta's case, they took the approach - and I applaud them for doing this, and I applaud their resolve - of not paying the ransom, which is great. But, you know, on the flipside of that, their cost of remediation and recovery time was much, much greater had they just paid the ransom, right? So I believe the costs were in at least the tens of millions of dollars, maybe around 30, but, you know, a huge expense, whereas I believe the ransom demands were in the hundreds of thousand range.
Tamika Smith: [00:07:56] In the case of paying the ransom, do they actually get their information back, or do the cybercriminals just take off?
Troy Gill: [00:08:02] Yeah, it's a very high rate of - I forget the percentage - I believe it was high 90s - of you actually do receive the decryption keys. You know, so their business model is based on encrypting your files. They don't really take your files, typically. They just - they're still sitting right there. They're just useless to you because there's, you know, no chance of you, in most cases, decrypting them without the key. So their business model is based on believing that you are going to get access to your files if you pay that ransom. Otherwise, you know, kind of the word's going to get out that, you know, paying the ransom is pointless, and less people are going to do it.
Tamika Smith: [00:08:41] How would you advise local governments across the country to start preparing for this, because it doesn't seem like it's going anywhere anytime soon?
Troy Gill: [00:08:50] Making the budgeting decision to maybe spend some money upfront on hiring the right people and getting them in the right places to start remediating these type of risks is certainly the right approach. I mean, it's the long-term approach versus taking the short-term approach of, you know, maybe if we just bury our head in the sand and hope for the best, you know, maybe we can get by a little while longer without this happening to us, right? So that's certainly the correct long-term approach.
Troy Gill: [00:09:17] And then, you know, in the case of ransomware, once those people are in place, you know, I think there are budgeting concerns. But having the right backup strategy, making sure these files that are getting locked are actually backed up somewhere, is just a huge night-and-day difference for how much leverage the attacker has over you in one of these attacks if you're able to recover your files on your own. But, you know, it really empowers the target here to be less vulnerable to these type of attacks.
Troy Gill: [00:09:44] I would say, you know, don't try to do it yourself. You know, there are resources to go to to find, you know, best practices and those sort of things. And that's great. And you can try to do that with your existing staffing and technology. But I think, you know, probably hiring the right consultant would probably be the best first step, right? So get the consultant in there. Kind of let them get a lay of the land - where are your assets, you know, what is the most important data, where is it all located? And then from there, they can help you develop a plan on hardening your defenses against attacks, right? What happens in step one is going to determine where your step two and three end up going.
Dave Bittner: [00:10:25] That's our own Tamika Smith speaking with Troy Gill from AppRiver.
Dave Bittner: [00:10:30] Security firm CheckPoint warns that Android devices could be hit by an advanced phishing technique that exploits the over-the-air provisioning carriers use to bring new phones onboard. The weakly authenticated SMS messages are readily spoofed. CheckPoint notes that the industry standard for over-the-air provisioning, Open Mobile Alliance client provisioning, offers limited authentication methods that can make it difficult for someone setting up their service to determine whether the settings a message suggests come from a legitimate network provider or from some imposter. For now, it's a CheckPoint proof of concept, but it offers mobile users something to think about.
Dave Bittner: [00:11:10] The U.S. attorney for the Southern District of California has filed charges against four employees of an email advertising company. KrebsOnSecurity says that the four accused, employed by Adconion Direct, allegedly hijacked IP addresses for use in email advertising campaigns. The prosecutors maintain that the four accused conned an internet hosting firm, Hostwinds, into routing the IP addresses on their behalf. Krebs also says that the government appears to have had Adconion's email practices under investigation since 2015, at least, and that the charges just filed may be the opening round in a wider prosecution.
Dave Bittner: [00:11:49] And finally, Infosec Magazine reports that Zao, the widely popular but at the same time vaguely repellent app that lets you put your face onto that of your favorite actor in your favorite TV show so you can imagine yourself as being, say, Barney Fife, has been kicked out of WeChat. Zao blazed and flamed out like a meteor. It was launched only Friday, blew up overnight, and now has everyone worried about privacy, deep fakes and giving someone the right to your likeness in perpetuity. But, hey, if you can imagine yourself as Gilligan or Kojak or Lovey Howell, what's the big deal about rights in perpetuity?
Dave Bittner: [00:12:32] And now a word from our sponsor, KnowBe4. Today's phishing attacks have evolved way beyond spray-and-pray emails that mass target victims. Instead, the bad guys have carefully researched your organization in order to set the perfect trap, and pretexting is the key. Whether it's a phone call from an attacker impersonating your IT department or what seems like an innocuous email that ends up harvesting important credentials, the perfect pretext can lead to the bad guys owning your network before you know it. Join KnowBe4 for an exclusive webinar where Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, will show you how the bad guys craft such cunning attacks. He'll dig into tactics for reconnaissance, target selection, creating a pretext and launching an attack. And more importantly, he'll tell you what you need to know to protect your organization. Kevin will also share new demonstrations that will blow your mind. Go to knowbe4.com/pretext to register for this exclusive webinar. That's knowbe4.com/pretext. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:13:52] And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's always great to have you back. We had a story come by on Ars Technica. This was written by Dan Goodin. And this was about researchers using Rowhammer bit flips to steal 2048-bit crypto keys. There's a lot to unpack here. What can you - what can you do to explain what's going on?
Jonathan Katz: [00:14:21] Well, let's step back a little bit and talk about Rowhammer in general. Rowhammer is an attack that's been out for a little while now. And the basic idea with that sort of attack is that you have regions of memory that are stored physically very close to each other. And this is really just a consequence of the fact that memory size is always shrinking, and so parts of memory, pieces of memory, locations of memory are always getting physically closer and closer together. And we think abstractly about these different regions of memory as not really interfering with each other. But, in fact, if you look physically at what's going on, and this is what the Rowhammer attack exploits, changes in one portion of memory can actually have a very subtle effect on nearby portions of memory.
Jonathan Katz: [00:15:05] So, basically, at a high level, what this allows an attacker to do is if they have control over, you know, one portion of memory, say memory location A, but they don't have control over memory location B, they can, nevertheless, by making a bunch of changes to memory location A, effect changes in memory location B. And, of course, you can see that that's going to be quite dangerous if memory location B is going to be holding some cryptographic information.
Dave Bittner: [00:15:30] And that's how they go about stealing the keys then.
Jonathan Katz: [00:15:33] Right. So what's new in this attack is that previous Rowhammer-based exploits just violated integrity. So, basically, they allowed the attacker to modify the key and thereby mess things up for some cryptographic computation that was being performed. And what the researchers have now shown is that they can use that information to actually now learn the key itself.
Jonathan Katz: [00:15:53] And this is quite complex, actually. But the idea here seems to be that these changes that the attacker can induce in portions of memory that they don't control are really quite subtle. And so, for example - I'm simplifying things a little bit, but they - the researchers show that if you have the attacker making changes to some memory location B, and you have, let's say, a 1 0 versus a 1 1, the changes that the attacker will induce are going to be different. And so you can imagine that this is going to allow the attacker to effectively probe whether or not you have a 1 1 there or 1 0.
Jonathan Katz: [00:16:29] And gradually over time, they can learn certain bits of information about that portion of memory, which may contain a key. And then they can further use existing algorithms to then bootstrap from the little bit of information they can learn to eventually recover the entire key.
Dave Bittner: [00:16:44] Now, on the hardware side of things, there are different types of DRAM chips, and some of them are ECC RAM, which is error-correcting code RAM. Does that offer an advantage here?
Jonathan Katz: [00:16:57] So you would think that it would, and you would think that if you had an error-correcting code being applied to the memory, then any changes that the attacker would induce in the memory would be caught by the error-correcting code and then automatically corrected in the background, resulting in no net gain for the attacker. And one of the interesting things in this piece of research is that the researchers showed, actually, how they were able to circumvent that and they were able to learn information, even in the presence of these error-correcting codes.
Jonathan Katz: [00:17:21] And the basic idea there was that they relied on certain timing information. You could imagine, for example, that if the code is finding no error, then when it uses that piece of information, it'll do so faster than if it has to correct an error before using the information. And so using that subtle bit of a difference in timing, they're able to figure out whether an error occurred or not and then, like, you know, keep going and exploit it and eventually extract the entire key.
Jonathan Katz: [00:17:46] It's quite an involved process. And to be honest, I'm not sure if it represents an attack that would be easier than other modes of attack that adversaries are trying. But nevertheless, it's really very amazing at a fundamental level to just kind of get at, you know, the raw physical memory and exploit that for such an attack.
Dave Bittner: [00:18:04] Yeah, all right. Well, Jonathan Katz, thanks for joining us.
Jonathan Katz: [00:18:08] Thank you.
Dave Bittner: [00:18:13] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:26] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.
