ANSSI considering retaliation for ransomware attack. MixCloud breached. Imminent Monitor shut down.

Dave Bittner: [00:00:03] France might go on the offensive against ransomware attackers. The U.K.'s NCSC has been helping an unnamed nuclear power company recover from cyberattack. A failed cyberattack targeted the Ohio secretary of state's website on Election Day. MixCloud confirms a data breach. The Imminent Monitor RAT is shut down by law enforcement. And a cryptocurrency exchange loses nearly $50 million. 

Dave Bittner: [00:00:33]  And now a word from our sponsor KnowBe4. End-point security, firewalls, VPNs, authentication systems - we've all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? Are they giving you a false sense of security? The unfortunate reality is that each of these security layers can provide hackers with a back door right into your organization, and KnowBe4 will show you how. They've got an exclusive webinar with Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer. He'll show you the three most common causes of data breaches, he'll share demos of significant vulnerabilities in common technologies, and he'll share his top tips for security defenders. Go to knowbe4.com/vulnerabilities, and register for the webinar. That's knowbe4.com/vulnerabilities. And we thank KnowBe4 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:55]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, December 2, 2019. France's national cyber authority, ANSSI, the National Agency for Information System Security, hasn't ruled out neutralizing the threat actors responsible for the November 15 ransomware attack on a major Rouen medical center, Bloomberg reports. ANSSI has authorities and capabilities regular law enforcement agencies lack, and ANSSI is rumbling that it may be ready to use them. The attack on the university medical center in Rouen has been widely attributed to the Russian criminal gang TA505. In another ransomware incident that's hit European targets, the Dutch Broadcast Foundation says it's obtained a confidential report from the Netherlands' National Cyber Security Center, the NCSC, that warns of a ransomware campaign which has targeted more than 1,800 companies since July of 2018. The campaign deploys the LockerGoga, Ryuk and MegaCortex strains of ransomware, and many of the attacks use shared infrastructure. The NCSC believes several sophisticated criminal groups are behind the campaign and that they're working together to carry out different stages of the attacks. 

Dave Bittner: [00:03:13]  An international law enforcement operation led by the Australian Federal Police resulted in the arrests of 13 users of the Imminent Monitor remote access Trojan, Europol announced. Imminent Monitor was cheap, easy to use and effective, which made it an extremely popular criminal tool. Imminent Monitor's website was also taken down, and the malware's nearly 15,000 buyers have lost access to licensed versions of the Trojan. Bravo to the Australian Federal Police and their colleagues in Europol. 

Dave Bittner: [00:03:45]  The Telegraph reports that the U.K.'s National Cyber Security Centre has been discreetly assisting a nuclear power company with its recovery from a cyberattack it sustained earlier this year. The nature of the attack is unknown, as is the identity of the targeted company. A Nuclear Decommissioning Authority report obtained by The Telegraph simply referred to the victim as "an important business in the Nuclear Power Generating Sector." Beyond that, little is publicly known. 

Dave Bittner: [00:04:14]  In the first legally required correction notice of its kind, Facebook has labeled a user's post with, Facebook is legally required to tell you that the Singapore government says this post has false information, so says Reuters. The notice is visible only to users in Singapore itself, and it amounts to an official assertion appended to the content, not to deletion or further modification of the content itself. Singapore's law was prompted by concerns about fake news and the potential threat it poses to civil society and democratic processes. 

Dave Bittner: [00:04:49]  Ohio's Secretary of State Frank LaRose said a Russian-owned firm attempted to carry out an SQL injection attack against his office's website on November 5, Election Day. The attack was thwarted by the state's network security system. LaRose told the Columbus Dispatch that while the attempt was unsophisticated, attackers often use unsophisticated techniques to identify vulnerabilities. The Russian-owned firm that allegedly tried the SQL injection attack was unnamed, and of course, the attribution and allegation should be treated with open-minded circumspection. 

Dave Bittner: [00:05:24]  MixCloud, the widely used music streaming service, confirmed over the weekend that it had been breached, with information on some 21 million users apparently for sale on the dark web. ZDNet reports that the data includes usernames, email addresses, hashed password strings, users' country of origin, registration dates, last login dates and IP addresses. MixCloud emphasizes in its disclosures that it does not store full pay card information. The company added that while passwords were encrypted with salted hashes, users might want to change their passwords just in case. 

Dave Bittner: [00:06:00]  The Chinese government now requires people in the country to have their faces scanned when they sign up for mobile phone plans, the BBC reports. Previously, mobile customers needed to show ID and have their photos taken when they purchased a SIM card. China's Ministry of Industry and Information Technology says facial recognition will now be used to match people's faces with their identification documents. 

Dave Bittner: [00:06:24]  South Korean cryptocurrency exchange Upbit says hackers stole $48.5 million worth of Ethereum from its Upbit Ethereum hot wallet, ZDNet reports. Upbit's owners say the exchange will cover the losses. ZDNet notes that the circumstances of the theft have led some observers to speculate that the hack may actually be part of an exit scam, but so far, there's no evidence to suggest that this was the case. 

Dave Bittner: [00:06:52]  And finally, much advice is circulating about the threats lurking in holiday shopping. USA Today offers a rogues' gallery of potentially backdoored consumer electronics, and ESET reviews safety advice for online shoppers. Be wary of gift cards and special offers received by email. Electronic greeting cards are also being used as malware vectors. Bleeping Computer describes one ongoing Thanksgiving-themed campaign. And Grinchbots are said, by NBC News, to be scalping the best online deals. It's an international problem. Computing says that about 7,000 victims of Cyber Monday credit card fraud are expected in the U.K. alone. So if shop you must, shop safely. 

Dave Bittner: [00:07:40]  And now a word from our sponsor ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. 

Dave Bittner: [00:08:41]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute - also my co-host on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:08:49]  Hi, Dave. 

Dave Bittner: [00:08:51]  I want to have a conversation with you today about victim blaming. 

Joe Carrigan: [00:08:55]  Victim blaming. 

Dave Bittner: [00:08:56]  And I have to say, I don't have a complete conclusion on this, but it's something I've been thinking about. We're coming back from a holiday weekend, and this is something that crossed my mind while we were away, and I just want to get your take on it. So let's walk down this together. 

Joe Carrigan: [00:09:11]  OK. 

Dave Bittner: [00:09:11]  Here's where my line of thinking went. Let's say I put a lock on the front door of my house. 

Joe Carrigan: [00:09:17]  Right. 

Dave Bittner: [00:09:17]  I have a regular lock, and I have a deadbolt, and these are unlocked with keys, and so on and so forth. So my house is locked up. 

Joe Carrigan: [00:09:24]  Yep. 

Dave Bittner: [00:09:24]  Someone comes along and picks those locks. 

Joe Carrigan: [00:09:27]  Right. 

Dave Bittner: [00:09:27]  And they break into my house, and they steal things. 

Joe Carrigan: [00:09:29]  Yes. 

Dave Bittner: [00:09:30]  My fault? 

Joe Carrigan: [00:09:31]  No. No, I don't think that's your fault. 

Dave Bittner: [00:09:33]  Because? 

Joe Carrigan: [00:09:34]  Because somebody has made a conscious effort to get around the locks that you installed to keep people out. 

Dave Bittner: [00:09:42]  But I didn't put more locks on my doors, Joe. I... 

Joe Carrigan: [00:09:44]  Right. And you didn't put, like, really good hard-to-pick locks on your door, right? 

Dave Bittner: [00:09:48]  Exactly. 

Joe Carrigan: [00:09:48]  Yeah. 

Dave Bittner: [00:09:49]  Exactly. 

Joe Carrigan: [00:09:49]  Yeah. This is - yeah, I understand what you're saying with victim blaming. 

Dave Bittner: [00:09:51]  See where I'm going with this? (Laughter). 

Joe Carrigan: [00:09:52]  Right. Yeah. 

Dave Bittner: [00:09:53]  So I guess the - in my mind, I've put a - I've done - gone to a reasonable degree of security... 

Joe Carrigan: [00:10:01]  Right. 

Dave Bittner: [00:10:01]  ...To secure my home, my family, my personal effects and so on. 

Joe Carrigan: [00:10:04]  Correct. And you've done - you've followed the advised protocol. You should have a deadbolt lock on your door, right? 

Dave Bittner: [00:10:10]  Yep. Best practices. 

Joe Carrigan: [00:10:12]  Best practices, exactly. 

Dave Bittner: [00:10:12]  My - I'm probably not going to run into any issues with my insurance company. 

Joe Carrigan: [00:10:17]  Nope. Nope. 

Dave Bittner: [00:10:17]  Because they're going to ask me, did you have locks on the door? 

Joe Carrigan: [00:10:20]  And I'm going to say, yeah, I did. There they are right there. You can look at them. 

Dave Bittner: [00:10:22]  And they're going to say, were they locked? And I'll say yes. 

Joe Carrigan: [00:10:24]  Yes, they were locked. 

Dave Bittner: [00:10:25]  Extending that to security... 

Joe Carrigan: [00:10:27]  Right. 

Dave Bittner: [00:10:27]  I wonder - because it's very easy, I think - when a breach happens, there's a lot of dog-piling. 

Joe Carrigan: [00:10:34]  There is. 

Dave Bittner: [00:10:35]  And as you and I talk about on "Hacking Humans" a lot - that we need to have empathy for the people who have fallen victim to these things. 

Joe Carrigan: [00:10:44]  That's correct, yes. 

Dave Bittner: [00:10:45]  But I guess the big question is - particularly when we're talking about large organizations - is... 

Joe Carrigan: [00:10:49]  Right. 

Dave Bittner: [00:10:50]  At what point have they put in a reasonable amount of security? How do we judge that? What's the standard for that? And who says that? Is it the insurance company who sets those standards? 

Joe Carrigan: [00:11:02]  Yeah. 

Dave Bittner: [00:11:03]  What's your take? 

Joe Carrigan: [00:11:04]  That's an excellent question, actually. You know, like when Target got breached, one of the things that everybody hounded on was that they didn't have a CISO. They didn't have someone in the position of chief information security officer. I don't want to victim blame, but when somebody doesn't have the basic best practices up - right? Like, for example, in the example, the physical example, you gave earlier, if you did not have a deadbolt on your on your front door and somebody just used a credit card to open your door, that would still be a breaking and entering; it'd still be a burglary, right? 

Dave Bittner: [00:11:38]  Yeah. Yeah. 

Joe Carrigan: [00:11:38]  But there would have been something you could have done to prevent that. 

Dave Bittner: [00:11:41]  Right. 

Joe Carrigan: [00:11:41]  Right? And having somebody with a high-level security mindset may have helped Target prevent that breach. I'm not saying it would have helped Target prevent that breach, but it may have helped them prevent it. 

Dave Bittner: [00:11:53]  Well, and I also wonder, you know, what if my house was in a very bad neighborhood? 

Joe Carrigan: [00:11:57]  Right. 

Dave Bittner: [00:11:58]  And so the best practice there might be to have more than one lock. 

Joe Carrigan: [00:12:02]  To have more than one lock, right. You have to do it - you have to do the risk assessment, right? 

Dave Bittner: [00:12:06]  And is the internet a bad neighborhood? 

Joe Carrigan: [00:12:10]  The internet is a terrible neighborhood. 

0:12:11:(LAUGHTER) 

Dave Bittner: [00:12:12]  Right. Right. So... 

Joe Carrigan: [00:12:14]  It's awful, Dave. 

Dave Bittner: [00:12:15]  Yeah, it's the worst. 

Joe Carrigan: [00:12:16]  Right. 

Dave Bittner: [00:12:16]  It's the worst. Right. So I think what you're nailing is that it's a risk assess - nothing is 100% secure. It's impossible. 

Joe Carrigan: [00:12:26]  Correct. Correct. 

Dave Bittner: [00:12:27]  And so as an organization, the people who are in charge of making these decisions - how are we going to spend our money on security? - they have to make a risk assessment. 

Joe Carrigan: [00:12:36]  They do, and they have to deal with a finite level of funds. They don't have unlimited money. 

Dave Bittner: [00:12:41]  And I guess part of what I'm wondering about is this impulse that I think a lot of folks have to kind of dogpile and to point out everything that an organization did wrong. 

Joe Carrigan: [00:12:54]  Right. 

Dave Bittner: [00:12:55]  You know, if your neighbor's house got broken into, don't be that guy who goes down and says, well, why didn't you have two deadbolts? 

Joe Carrigan: [00:13:00]  Right (laughter). 

Dave Bittner: [00:13:01]  You know, like... 

Joe Carrigan: [00:13:02]  That would have made it a lot harder for them to pick your deadbolt. 

Dave Bittner: [00:13:04]  (Laughter) Right. Right. See where I'm going with this? 

Joe Carrigan: [00:13:06]  Yeah. I do. I - it's a good point, too. 

Dave Bittner: [00:13:08]  Yeah. 

Joe Carrigan: [00:13:08]  It's - but, you know, sometimes these things are just so egregious you can't help but blame them for some things. 

Dave Bittner: [00:13:15]  You know, but also, there's the situation where I guess if I had a - and we're stretching this metaphor to its breaking point, right? 

Joe Carrigan: [00:13:22]  Right. 

Dave Bittner: [00:13:22]  If I had a deadbolt and a lock, but I kept the key under the front mat (laughter). 

Joe Carrigan: [00:13:26]  Right. Right. Yeah, that's a good analogy. 

Dave Bittner: [00:13:29]  Right. Like, that's - you know, that's like storing your passwords in plain text. 

Joe Carrigan: [00:13:33]  Right, on a Post-It note... 

Dave Bittner: [00:13:34]  Yeah. Right. 

Joe Carrigan: [00:13:35]  ...Right by your computer. 

Dave Bittner: [00:13:35]  Right. Right. 

Joe Carrigan: [00:13:36]  Or reusing a password, actually. 

Dave Bittner: [00:13:37]  Yeah. Yeah. 

Joe Carrigan: [00:13:39]  You know? It's a lot like that. If somebody gets breached because they're reusing passwords, even a regular person, I say that, you know, the reason you got breached was because you reuse passwords. You know, the reason you got hacked and owned is because your password for your email account is the same as your Facebook account and the same as your Amazon account. Well, guess what? Somebody ordered something on your Amazon account and verified it through your email, and that's why we tell you - don't reuse passwords. 

Dave Bittner: [00:14:02]  Yeah. 

Joe Carrigan: [00:14:02]  Right? So, yeah, I don't know. I think at some point in time, you have to say to the user or to the victim of these crimes, you bear a certain amount of responsibility in protecting yourself, particularly on the internet because, as you said, it's a very bad neighborhood. 

Dave Bittner: [00:14:18]  (Laughter) Right. Right. Well, thank you for puzzling through it with me. I knew we'd have a very interesting conversation about it. Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:14:27]  It was my pleasure, Dave. 

Dave Bittner: [00:14:32]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:14:45]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.