Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Does Your Cyber Risk Strategy Pass the Penny Test?

As cyber incidents proliferate, security experts continue to stress the importance of cyber risk strategy starting at the top of organizations. However, a recent report surveying more than 1,500 non-executive directors, C-level executives, Chief Information Officers, and Chief Information Security Officers found that some organizations still have a big knowledge gap when it comes to cyber threats.

According to The Accountability Gap: Cybersecurity & Building a Culture of Responsibility:

  1.  Only 10% of high vulnerable respondents agree that they are regularly updated about pertinent cybersecurity threats
  2. More than 90% of high vulnerable board members say they can’t interpret a cybersecurity report
  3. Only 9% of high vulnerable board members said their systems were regularly updated in response to new cyberthreats

Many of these organizations are concerned about potential cybercrime. All of them are likely doing something to combat cyber risks. But they’re not getting updated on important threats, they cannot understand the updates that do come through, and as a result they do nothing.

That led me to wonder if we’ve all gotten stuck in the same methods of looking at the same things in the same way day after day without ever taking a breath and a step back and asking, “Wait, why am I doing this?”

The Penny Test

There was a fascinating story on the news awhile back about people getting wrongfully convicted based on faulty eyewitness testimony.

In fact, according to the Innocence Project, “Eyewitness misidentification is the single greatest cause of wrongful convictions nationwide, playing a role in 72% of convictions overturned through DNA testing.”

However, the point wasn’t that eyewitnesses are being careless or that they are just plain ignorant, it’s that without having the whole picture — the complete context of the situation — it’s natural to make a simple mistake that can cost a person decades of his or her life.

To illustrate, let’s do a variation of the Penny Test using a six person “lineup” to see if you can identify the “real” penny.

Which penny is correct?

If you’re like most people, you’ll eliminate a few possibilities, narrowing it down to a couple of choices. Then, over time — and along with other factors that may reinforce your decision — you grow more certain that, yes, that penny you’ve chosen is definitely the right one.

But here’s the problem with the story I’ve given you: it’s incomplete. I failed to mention the possibility that the correct version of the penny might not be there at all.

That’s one of the problems with the human mind, it wants to pick something, and it’s one of the many problems that can arise from eyewitness identification.

All of the pennies were wrong.

Cybersecurity Blind Spots

That lack of context can also be a real problem when it comes to managing cyber risk. Without having the whole picture, it’s natural to invest in the wrong areas or to make a mistake that leaves an organization vulnerable to cyber-attack.

This is what many of the recent studies and surveys have been reinforcing. The IT team is wasting their time elbows deep in low-level data and investigating red flags, never having a chance to think about or act on a high-level strategy. Executives don’t even know what aspects of their company are at risk, so they’re fumbling around in the dark and relying on vendors for the answers.

The problem with that? They’re biased.

Just as the cops in the world of traditional crime may lead a subject towards a certain perpetrator (“We thought it may have been number three too.”), a vendor may lead you towards their biases — regardless of the true risk profile and needs of your business.

When you’re assessing cyber risk, remember that one option is always “none of the above.” The answer might be something else entirely.

Understanding Complete Context

Many organizations have these cyber blind spots. For example, most organizations don’t assess the security of third-party partners or their supply chain, yet we’ve seen dozens of data breaches that begin from these very avenues.

If relevant cyber threat information is available, it often doesn’t make its way to those with the ability to actually make changes. And if it does get passed along, those executives may be unable to interpret the technical language of the threats. And if they do know and understand the threats, it may end up that those threats are no longer as relevant; there may be newer, more pressing cyber risks.

That’s why nearly every cybersecurity best practice guide or cyber risk management program beings with the same thing: context. Clear away as many of those blinds spots as possible.

Remember the Penny Test. Just because you are doing something doesn’t mean it’s the best use of resources. The real threat might still be out there, and without having complete context around your cyber risks, you may miss it.

Podcast: New Attacks, Massive Leaks and Setting Data Breach Records

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 68: New Attacks, Massive Leaks and Setting Data Breach Records:

Details on more than 7 million user accounts for Minecraft community Lifeboat were compromised. A German nuclear plant discovered malware on its systems. A ransomware attack hit the Lansing Board of Water and Light. Huge amounts of data were leaked from Canadian gold-mining firm Goldcorp and the Kenya Ministry of Defense. Trending advisories include vulnerabilities in Android, increased extortion and ransomware activity, and massive dumps of user credentials being leaked from several sources. On the legal side, the New York Attorney General announced the state is on pace for a record number of data breach notices this year, a new version of PCI DSS was released, and a hacker claims to have accessed Hillary Clinton’s email server. Finally, a 10-year-old boy won a $10,000 bug bounty.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

Trade Secret Legislation Awaits Obama’s Signature

Organizations will soon have another avenue to seek relief from trade secret theft, as President Obama is expected to sign into law the Defend Trade Secrets Act. The bill, which gives companies the ability to pursue trade secret cases in federal courts rather than at the state level, is the latest in a string of headlines related to stolen intellectual property.

The effort is meant to help combat the growing problem of espionage, which costs the U.S. $300 billion and 2.1 million jobs each year, according to a 2013 report from the Commission on the Theft of American Intellectual Property.

2016-05-03_espionage
Many different individuals and groups have been associated with cyber-espionage so far this year, according to threat intelligence data from SurfWatch Labs.

House Judiciary Committee Chairman Bob Goodlatte (R-Va.) said the DTSA would “build on efforts over the past two years and take a significant and positive step toward improving our nation’s trade secret laws.”

The first version of DTSA was introduced in 2014, just weeks before the U.S. made waves when — for the first time ever — they filed charges against five Chinese military hackers for cyber-espionage against U.S. corporations. That 2014 indictment centered around alleged hacking and theft related to six organizations: Westinghouse, SolarWorld, U.S. Steel, Allegheny Technologies, the United Steelworkers Union, and Alcoa.

Those allegations continue to play out as U.S. Steel recently took steps to request the government prevent imports from China’s largest manufacturers due to, among other things, trade secret theft. A complaint filed on April 26 with the U.S. International Trade Commission under a section of the U.S. Tariff Act alleges those stolen trade secrets led to decades of research in creating the next generation of high-strength steel being taken and reproduced in China. 

The DTSA gives the many organizations affected by the theft of trade secrets another outlet to seek relief, and the version awaiting Obama’s signature has received widespread support (the house voted 410-2 in favor); however, the legislation is not without detractors. When the bill was first introduced two years ago, 31 law professors signed a letter opposing it, and in November 2015 they again called on Congress to reject the DTSA:

While we agree that effective legal protection for U.S. businesses’ legitimate trade secrets is important to American innovation, we believe that the DTSA — which would represent the most significant expansion of federal law in intellectual property since the Lanham Act in 1946 — will not solve the problems identified by its sponsors. Instead of addressing cyberespionage head-on, passage of the DTSA is likely to create new problems that could adversely impact domestic innovation, increase the duration and cost of trade secret litigation, and ultimately negatively affect economic growth.

The federal law does not replace current state laws, the group argued, so it will complicate rather than simplify trade secret litigation by adding a new layer of federal jurisprudence.

What this Means for Business

Most states have adopted a version of the Uniform Trade Secrets Act, which is how most trade secret disputes are currently handled. Once the DTSA is signed into law, organizations will be able to decide whether federal or state courts are more beneficial.

Although most legal experts agree that the DTSA provides a slightly broader interpretation of “trade secrets” as well as additional tools that can be used, the choice of avenue for litigation will likely need to be decided on a case by case basis.

“State courts may still to be a more preferable venue for many plaintiffs, as they typically provide more lenient rules for obtaining ex parte relief and a temporary restraining order,” the National Law Review noted. “Federal courts are often backlogged and may not hear a temporary restraining request immediately. By the time a temporary restraining order is issued, the critical information may be disclosed or forever gone. Thus, an expedited hearing in state court may outweigh the benefits of the federal court option provided by the DTSA.”

Trade secrets are often the most important assets for an organization, and the recent legal developments should serve as a reminder for businesses to assess the risks associated with those secrets, do their best to ensure those secrets are protected, and to have a plan in place so they can take legal recourse should those secrets get stolen.

Dark Web Insights: Misconceptions About the Dark Web

The Dark Web is often misunderstood. For the unfamiliar, it is often viewed as either a mysterious place full of technological gurus communicating via primitive interfaces or else something akin to the Wild West — a no-holds-barred free-for-all of dangerous and illicit activity. 

However, neither is the case.

The most popular marketplaces, where everything from stolen identities and credit cards to drugs and weapons are for sale, are more reminiscent of popular e-commerce sites than of the shady, backdoor dealings one may expect from criminals. Buying stolen accounts and intellectual property — as well as exploit kits, hacking-for-hire services, and the infrastructure to distribute malware is actually quite simple.

This reality runs contrary to much of the media coverage around the Dark Web. Stories such as the 2013 take down of the infamous Silk Road marketplace tend to focus on the scary aspects of “hidden” websites or scandalous details such as the Silk Road’s murder-for-hire plot — ignoring the fact that most people with an hour of free time and a few Google searches can easily find these sites and purchase illicit goods and services if desired.

In this series of blog posts, SurfWatch Labs hopes to shine on light on various aspects of the Dark Web, starting with what the Dark Web actually is — and what it isn’t.

1. Most Dark Web Markets are Customer Friendly

Those new to the Dark Web are often surprised by the level of customer service and the ease of which fraudulent goods and services can be obtained. However, this makes sense given the fact there are many competing marketplaces on the Dark Web. Customers and sellers are going to gravitate towards markets that appear the safest and have the best features.

AlphaBay is among the most popular and established Dark Web marketplaces (Nucleus Market, another popular marketplace, recently went offline). These marketplaces try to emulate the features seen on popular e-commerce sites such as Amazon or eBay.

AlphaBayMarket_edited.png
PayPal accounts for sale on AlphaBay

Some of these features include:

  1. Easy Navigation – Items are categorized into high-level categories such as fraud with subcategories like accounts, credit cards, personal information, data dumps and others.
  2. Vendor and Trust Levels – Sellers often have ratings. In the case of AlphaBay there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users.
  3. Feedback and Refunds – Buyers can also see feedback from customers and often have the option of returns or replacements such as credit card numbers that may no longer work due to being reported stolen.

Although these Dark Web markets tend to not be discoverable through Google and often require special software such as the Tor browser in order to access, they do want users to find and use them — so they are easy to locate, search for goods or services and make purchases.

2. They’re Concerned About Security and Trust

Most people know the old adage “there is no honor among thieves,” and these illicit markets work hard to help assuage those fears. This begins at the customer level with ratings and reviews.

AlphaBayFeedback_edited.png
Seller ratings on AlphaBay Market appear similar to the ratings on eBay. The system includes independent ratings for stealth, quality and value of the product; the total number positive, negative and neutral ratings over set periods; and text reviews from previous customers about their purchases.

These features help to establish trust when buying things like malware and stolen credit cards. Through ratings and feedback the community can collectively judge whether the items for sale can be used for legitimate fraud and attacks – or if they are just a scam.

In fact, these markets are actively trying to combat spammers and other bad actors just like e-commerce sites on the surface web. In March AlphaBay announced that they were rolling out mandatory two-factor authentication. As Motherboard’s headline ironically noted, “Some Dark Web Markets Have Better User Security than Gmail, Instagram.”

“We now enforce mandatory 2FA (two-factor authentication) for all vendors,” read the AlphaBay announcement. “This is part of an increasing effort to stop phishing on the marketplace. We recommend that everyone uses 2FA for more security.”

In addition, many markets try to avoid coming to the attention of law enforcement. Following the November 2015 terrorist attacks in Paris, which killed 130 people, Nucleus Market posted this message on its homepage:

Nucleaus_Weapons.png
Message posted on Nucleus Market stating they would now longer allow the sale of weapons.

The decision came just a week after the shootings and news reports that the guns used in the attacks may have been acquired from the Dark Web. Likewise, although child pornography is prevalent on the Dark Web, most of the markets do not sell it alongside the drugs, counterfeit goods and other illegal stolen items because that would attract unwanted attention to them and their user base.

Some Dark Web markets combat the the influx of law enforcement and researchers by requiring a referral in order to gain access. Others only show items that are for sale to established users or require authorization from the seller to view details about the product. This can make it harder for agents posing as “new customers” to monitor activity, and it helps to increase the trust factor around those marketplaces and forums.

3. No, the Dark Web is Not That Massive

In the summer of 2015, two researchers set an automated scanning tool loose on the Tor Network in an effort to find vulnerabilities on Dark Web sites. After just three hours the scan was over and they’d uncovered a little more than 7,000 sites.

A more recent effort to index the Dark Web put that number at close to 30,000 sites — a sizeable amount, but still far less than the massive underground world many have described.

As Wired wrote last year, the number of people on the Dark Web is quite small:

The Tor Project claims that only 1.5 percent of overall traffic on its anonymity network is to do with hidden sites, and that 2 million people per day use Tor in total. In short, the number of people visiting the dark web is a fraction of overall Tor users, the majority of whom are likely just using it to protect their regular browsing habits. Not only are dark web visitors a drop in the bucket of Tor users, they are a spec of dust in the galaxy of total Internet users.

4. It’s a Valuable Source of Threat Intelligence

The Dark Web is a valuable place to gather threat intelligence. SurfWatch Labs threat intelligence analysts proved that recently when they uncovered a breach into web hosting provider Invision Power Services.

That’s not to say everyone should jump on the Dark Web and poke around. It is easy to stumble across illegal things such as child pornography, and without the proper precautions companies or individuals may end up infecting their computers or putting themselves on the radar of cybercriminal groups — making themselves a potential target. However, what better way is there to understand the current threat landscape and the motivations of these malicious actors than to see for yourself what they are talking about, what they are selling, and if your company — or anyone in your supply chain — is being mentioned.

The Dark Web isn’t the cybersecurity cure-all that some companies make it out to be, but it is a significant part of a complete threat intelligence operation. Without visibility into these markets and the active threats they contain, your organization is operating at a disadvantage.

Podcast: DDoS Attacks Return, QuickTime Support Ends and a Massive Trade Secret Verdict

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 67: DDoS Attacks Return, QuickTime Support Ends and a Massive Trade Secret Verdict:

The Lizard Squad is back with DDoS attacks against gaming company Blizzard. The Janet education network was also hit with more DDoS attacks. More stolen W-2 and personal information was used to file fraudulent tax returns, this time affecting employees of Baltimore City and the Catholic Archdiocese of Denver. On the advisory front there were more WordPress warnings, scary new ransomware, and the end of support for QuickTime for Windows. Legal stories included a jury awarding electronic medical record company Epic Systems $940 million in damages, Microsoft suing the federal government, and breach-related class action lawsuits moving forward against several organizations. Plus, a judge told Ashley Madison users they cannot remain anonymous.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

Talking PowerShell and Stealth Attacks with Carbon Black’s Rico Valdez

Malicious actors are increasingly using legitimate tools such as PowerShell in order to lessen their digital footprint and evade detection, and the use of such ubiquitous and legitimate technology can be a problem for organizations when it comes to defending against those threats.

That’s according to Carbon Black senior security researcher Rico Valdez, who joined us for this week’s Cyber Chat podcast to discuss recent research on PowerShell, including a new report examining more than 1,100 security investigations in 2015.

Windows PowerShell is an automation platform and scripting language that Microsoft describes as “providing a massive set of built-in functionality for taking control of your Windows environments.”

The legitimate use along with the built-in functionality makes it a perfect tool for attackers to exploit.

“It used to be the kind of thing where only really sophisticated adversaries would use it, but it’s gotten to the point now where it’s being incorporated in a lot of commodity malware,” Valdez said. “It’s another way to stay under the radar and try to remain undetected.”

Utilizing PowerShell fits into the overall trend of attackers avoiding dropping a lot of tools onto a system; instead, they utilize what’s already there in order to further their goals.

“Monitoring it can be very tricky,” Valdez said. “I don’t think it’s very well understood even by the larger SOCs (security operations centers). Its one of those things that’s a little bit further down on the list for a lot of these organizations to really dig into.”

How are criminals using PowerShell?

When looking at the data from a variety of Incident Response and MSSP partners, 38% of confirmed cyber incidents used PowerShell. This included all industries and multiple attack campaigns.

04-21-2016_CarbonBlack_PowerShell
PowerShell is used for a variety of malicious purposes, according to Carbon Black’s report.

“It’s quite powerful in that it can pretty much touch any part of the system, and if you’re running it with the right privileges it can pretty much do anything on the system,” Valdez said.

For example, last month a new family of ransomware was discovered dubbed “PowerWare.” PowerWare uses the popular technique of duping users via phishing messages containing a macro-enabled Microsoft Word document. The malicious macros then use PowerShell to further the attack.

Eighty-seven percent of the attacks leveraging PowerShell  were commodity malware attacks such as ransomware, click fraud, fake antivirus, and others. Only 13% were described as “advanced” attacks.

This technique is a good example of how attacks tend to evolve, Valdez said. First they’re discovered by sophisticated actors and used in targeted attacks. Then — if they work well — they become mainstream.

“This is a real risk in your environment and you need to be aware of it, because, again, most people aren’t watching it, monitoring it, anything like that.”

Listen to the full conversation with Carbon Black’s Rico Valdez for more about PowerShell and how organizations can protect themselves.

About the Podcast
A new ransomware was recently discovered dubbed PowerWare, which targets organizations via Microsoft Word and PowerShell, and just last week Carbon Black released a report looking at how PowerShell is being utilized for malicious intent. They wrote in the report that “the discovery of using PowerShell in attacks such as PowerWare is part of a larger, worrisome trend when it comes to PowerShell.”

On today’s Cyber Chat we talk with Carbon Black senior security researcher Rico Valdez about the company’s recent findings and how cybercriminals are increasingly using PowerShell to remain under the radar while targeting organizations.

 

Podcast: Big Breaches, Badlock Revealed and More Class-Action Updates

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 66: Big Breaches, Badlock Revealed and More Class-Action Updates:

A hacking group leaked data from the Philippines’ Commission on Elections, which impacts 55 million registered voters. National Childbirth Trust announced a breach affecting 15,000 new and expecting parents. Several more W-2 related breaches made headlines. An FDIC employee accidentally walked out with 44,000 customers’ information. CoinWallet announced plans to shut down its services following a cyber incident. On the advisory front, the details of the Badlock bug were finally revealed, there was a new evolution in Locky ransomware, more phishing attacks were discovered, malvertising hit Dutch websites, and Windows XP, which has not had support for two years, is still being widely used. The week also saw legal developments regarding Mossack Fonseca, Sony Pictures, Wendy’s, and more. Finally, four radio stations found themselves broadcasting some strange content after being hacked.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

Talking Cyber-Terrorism and ISIS with Morgan Wright

U.S. Cyber Command has its “first wartime assignment” in the fight against ISIS, Secretary of Defense Ashton Cater told an audience at the Center for Strategic and International Studies last Tuesday. That cyber fight includes techniques to disrupt the group’s ability to communicate, organize and finance its operations.

On the same day, head of U.S. Cyber Command Admiral Michael Rogers told the Senate Armed Services Committee that among his biggest fears are the possibility of groups like ISIS manipulating electronic data records, impacting critical infrastructure such as the electrical grid or air traffic control systems, and using cyber tools “as a weapons system.”

The week’s news capped off a period of increasing discussion around cyberwarfare and cyber-terrorism.

It’s an issue that organizations need to be aware of, said cybersecurity and counter-terrorism expert Morgan Wright, who discussed the topic on this week’s Cyber Chat podcast.

“It is a different animal,” Wright said. “Companies really need to understand the implication of the difference between just cybercrime and cyber-terrorism because it will make a difference in how you respond.”

The Cyber-Terrorism Threat

The December 2015 cyber-attack in Ukraine, which affected electricity for 225,000 customers, was unique in that it’s the first confirmed attack to take down a power grid. In addition, just last month the U.S. officially charged an Iranian with access to a computer control system for New York’s Bowman Avenue Dam. Luckily, a gate on the dam had been disconnected for maintenance issues; otherwise, the hacker could have operated and manipulated the gate, authorities said.

Wright agreed with other experts that the BlackEnergy malware used in the Ukraine attack is a bigger issue than other often-cited critical infrastructure threats such as Stuxnet.

“It’s in this country, and we talk about it but we don’t really take it seriously,” Wright said. “[BlackEnergy] could actually be a terrorist — a cyber-terrorism — type of tactic. … Let’s say that a group like Al-Qaeda or ISIS gets ahold of this and they decide they want to take out part of our power grid.”

But it’s not just critical infrastructure operators who need to be concerned about cyber-terrorism, he added. Organizations, particularly those with ties to often-targeted states such as Israel, need to be aware of those risks.

Businesses need to examine their geopolitical footprint, Wright said. Where are you operating, what types of things may be impacted if you are targeted by some of these organizations, and how can you better prepare to defend against those potential threats?

The Researchers Who Cried Wolf?

There have been a few headline-grabbing events tied to cyberwar and cyber-terrorism, but when compared to traditional cybercrime events, the former threat can appear rather sparse.

When asked about fatigue or backlash from researchers warning of these types of threats, Wright attributed the problem to lack of imagination.

“Plots can take years to develop,” he said. “What I tell people is that just because you can’t imagine it happening right now doesn’t mean it’s not being worked on — it’s not being plotted for.”

As an example he highlighted the recent cybersecurity issues facing the automobile industry. Years before, he said people accused him of fear mongering for bringing up those very issues.

“Now the entire automotive industry is up in arms,” he said.”Guess what? Three years ago they couldn’t imagine that happening, and for 15 years the automotive industry did absolutely nothing.”

In the end though, although cyber-terrorism motivations may be different from cybercrime, the defense is similar.

“You still respond to it. You still prepare. Only later do the motivations really make a difference in terms of what could we have done detect this or prevent this.”

Listen to the full conversation with Morgan Wright for more about cyber-terrorism, the threat of groups like ISIS and his cybersecurity “rules of the road”:

About the Podcast
In an interview last week, U.S. Secretary of Defense Ashton Carter confirmed he had given U.S. Cyber Command its first wartime assignment and that the team would start launching online attacks against ISIS. The announcement comes after several months of news and debate about the issue of cyber-terrorism.

On today’s cyber chat we talk with cyber-terrorism expert Morgan Wright, who has nearly two decades in state and local law enforcement and has previously taken on roles such as a senior advisor for the U.S. State Department Anti-terrorism Assistance Program. We talk about the threat of cyber-terrorism, recent attacks against critical infrastructure, and how groups such as ISIS are impacting the cyber threat landscape.

Talking MedStar, Ransomware and Healthcare with Arbor Networks’ Dan Holden

On Monday, March 28, MedStar Health was hit with a variant of ransomware known as Samas or “samsam.” The healthcare provider, which operates 10 hospitals and employs more than 30,000 people, quickly shut down all system interfaces. Communicating and scheduling became difficult. Staff reverted to paper records. Some patients had to be turned away.

Thus began a week of national attention as news outlets documented frustrated patients and employees, and a debate ensued around potential security flaws within MedStar.

“The issue with ransomware is of course now you’re talking about not availability, you’re talking about the data,” said Dan Holden, Director of Arbor Networks’ Security Engineering and Response Team, on our recent Cyber Chat podcast. “It is so critical, especially to these recent attacks — these hospitals. They can’t do anything without patient data or without documentation.”

Although MedStar was able to restore services without paying the 45-bitcoin ransom (around $19,000), the wide-reaching impact on business operations can make the decision to pay ransoms difficult for many providers, Holden said.

“It just puts them in an impossible situation,” he said. “In some cases you have to pay it because you simply are not able to recover any other way.”

Warnings About Samas and JBoss

Everything could have been avoided with a simple patch to update vulnerabilities found in a JBoss application server, according to the Associated Press. MedStar refuted the AP’s assertions that it ignored multiple urgent warnings dating back to 2007; however, the AP stands by its reporting.

The FBI warned of Samas, the very ransomware that appears to have hit MedStar, on March 25 — just days before the healthcare provider’s systems were impacted. The bureau first alerted organizations to Samas on February 18.

As Reuters reported,  “The FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”

A Decade of Ransomware

Holden said ransomware attacks have risen considerably in 2016, a point echoed by SurfWatch Labs as well as an FBI agent at a recent talk.

“It’s likely,” the agent said, “that this will be the decade of ransomware.”

So far in 2016, the healthcare sector has been a major focus of that trend.

“What we’re seeing is the attackers chasing the soft underbelly if you will of the various verticals,” Holden said. “There’s a big, big difference between a Fortune 100 company and everyone else in their ability to defend themselves and respond. And that’s certainly the situation these hospitals are in. It’s going to take some time for them to properly defend and be able to respond to these things.”

Part of the issue is that the ransomware threat is different than other types of cyber threats organizations have spent years defending against.

“The investment model is potentially a little bit different there,” Holden said. “That’s why perhaps it’s so interesting right now.”

He added: “Detecting doesn’t get you anything. You either have to prevent or you have to respond. The moment you’ve detected it, it’s already too late.”

Listen to the full conversation with Arbor Networks’ Dan Holden about ransomware in the healthcare sector below:

About the Podcast
Last week MedStar Health, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, suffered a ransomware attack that disrupted their operations and put them front in center in the fight against cybercrime.

On Friday we spoke with Dan Holden, Director of ASERT, Arbor’s Security Engineering and Response Team. We chatted about how healthcare organizations are being impacted by ransomware, where that threat is headed, and how organizations can keep themselves safe.

Podcast: Panama Papers, Never-Ending Ransomware and New Cyber Legislation

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 65: Panama Papers, Never-Ending Ransomware and New Cyber Legislation:

This week saw a massive leak of 11.5 million documents from Panamanian law firm Mossack Fonseca, and that information is impacting politicians, business leaders and entertainers across the world. Among the week’s other trending cybercrime events were Turkish Citizens having their personal information posted online, more hospitals being hit with ransomware, another likely breach at Trump Hotel Collection, and vBulletin Forums being hacked. On the advisory front, new ransomware variants and WordPress attacks continue to make headlines along with a proof-of-concept Firefox extension vulnerability dubbed “extension reuse attack.” Legal developments include pending draft legislation on encryption, an amendment to Tennessee’s data breach notification law, and data breach lawsuit updates from Lamps Plus, Anthem and Intuit. Also, Microsoft discovered that teaching a bot to talk like a Millennial may not be such a good idea.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.