CyberWire Daily - CISA’s happy but still wary. Election-themed criminal malspam. New ransomware goes after VMs. Why it makes no sense to trust extortionists.

Episode Date: November 5, 2020

CISA declares a modest but satisfying victory for election security, but cautions that it’s not over yet. Criminal gangs are using election-themed phishbait in malspam campaigns. A new strain of ransomware attacks virtual machines. Robert M. Lee from Dragos on the impact climate change could have on ICS security. Our guest is Kelly White of RiskRecon on healthcare organizations managing risk across extensive third-party relationships. And if you wondered whether the criminals who offered to securely destroy the data they stole if the victims paid the ransom actually did so, well, signs point to “no.” For links to all of today's stories, check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/215

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. CISA declares a modest but satisfying victory for election security, but cautions that it's not over yet. Criminal gangs are using election-themed phishbait in malspam campaigns. A new strain of ransomware attacks virtual machines. Robert M. Lee from Dragos on the impact climate change could have on ICS security.
Starting point is 00:02:22 Our guest is Kelly White of RiskRecon on healthcare organizations managing risk across extensive third-party relationships. And if you wondered whether the criminals who offered to securely destroy the data they stole if the victims paid the ransom actually did so, well, signs point to no. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, November 5th, 2020. Now that voting in the U.S. elections has closed, the U.S. Cybersecurity and Infrastructure Security Agency has announced that it detected no evidence that any foreign adversary succeeded
Starting point is 00:03:17 in either preventing citizens from voting or changing vote tallies. CISA credits good preparation, good interagency collaboration, and a sound whole-of-nation approach with the successful defense of the election against foreign meddling. The voting may be over, but counting, litigation, and certification remain in full flood. CISA expects continuing attempts to interfere with certification and, of course, to conduct malign influence campaigns. CISA's rumor control site, cisa.gov slash rumor control, will remain a useful resource through the coming months. Just because state adversaries didn't show up all that much on Tuesday hasn't discouraged the criminals, of course. There's no sign of respite from criminal
Starting point is 00:04:02 scams using election-themed come-ons to distribute mouthspam by exploiting uncertainty over the outcome of the vote. Malwarebytes describes how the gang that runs the Qbot banking trojan has taken a page from Emotet's playbook, delivering its malicious emails as thread replies to make them less obvious to defenses. Emotet, by the way, continues, BankInfo security notes, an unwelcome renaissance after its temporary eclipse. Qubot's payload is carried in an attached zip file
Starting point is 00:04:34 with the fishbait name ElectionInterference. In the attachment is an Excel spreadsheet crafted to look like a secure DocuSign file. The marks are invited to enable macros to decrypt the document. Once enabled, the Cubot Trojan calls home to its command and control server for instructions.
Starting point is 00:04:53 It harvests and exfiltrates data from the infected machine. It also collects emails from the victim that the Qbot masters can make use of in subsequent malspam campaigns. World events are the best lure, Malwarebytes concludes, and right now such lures are likely to include election interference, vote fraud, voter suppression, and so on.
Starting point is 00:05:16 Caveat lector, and don't click, and don't enable macros when some dodgy file of dubious provenance invites you to do so. Bleeping Computer reports on a new strain of ransomware, RegretLocker, that's now being analyzed by several threat researchers. It's got a simple old-school way of communicating its ransom note. No fancy Tor portal, no bombastic gasconade, just a simple email saying, Hello friend, all your files are encrypted. If you want to restore them, please email us. RegretLocker was first noticed in October, and it's still operating on a relatively small scale. It will, however, bear watching for some of its advanced features. It encrypts virtual hard drives and closes open files for encryption.
Starting point is 00:06:05 RegretLocker gets around the challenge of encrypting a large VM disk by mounting a virtual disk file and individually encrypting each file. Coveware's third-quarter ransomware report describes Maze's retirement and Ryuk's resurgence. It also explains why paying ransomware operators to delete stolen data is, as KrebsOnSecurity puts it, bonkers. The trend of ransomware stealing files and threatening to dox the victims, in addition to simply encrypting data and rendering them unavailable, began in late 2019 and gained steam over 2020. It's now practically routine. At this point, any ransomware infestation ought to be presumed to be a data breach as well until proven otherwise. The reason the gangs do it is clear enough.
Starting point is 00:06:51 It gives them additional leverage over the victim. Not just pay up or you won't regain access to your data. That's often reduced to the level of a nuisance with regular, effective backup. Instead, it's now pay up and you'll not only get your data back, but you'll be spared the economic damage and embarrassment of having your files displayed for all to see on the internet. And recently, as seen in the case of the Finnish psychotherapeutic clinic Vastaamo, the extortionists threatened to release data of patients, or in other cases, data belonging to customers and even customers
Starting point is 00:07:25 of customers. Third and fourth parties are at risk too. Some victims of this form of attack have sought to reassure the third parties that they've secured their data at risk by paying the ransom, and that the extortionists have given assurances that they've deleted all the stolen data. One might think, on a priori grounds alone, that the word of a criminal would amount to a foundation of sand. Still, some victims have built their hopes for recovery on exactly such a foundation. But there's even more reason to mistrust the crook's word. Of course, they're lying, and Coveware has the evidence to prove it. Here's the sorry track record of criminal honor broken down by ransomware strain. Sodinokibi. Victims that paid were re-extorted weeks later with threats to post
Starting point is 00:08:12 the same data set. Mays, Sekhmet, Egregor, which are related groups, data posted on a leak site accidentally or willfully before the client understood there was data taken. NetWalker, data posted of companies that had paid for it not to be leaked. Nespinoza, data posted of companies that had paid for it not to be leaked. And Conti, fake files are shown as proof of deletion. So, better not to be hit in the first place. But if you are, alas, paying for the extortionist's goodwill isn't going toword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was
Starting point is 00:09:12 meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:09:48 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:10:37 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, Thank you. been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Kelly White is the co-founder and CEO of Risk Recon, a cybersecurity ratings company that provides third-party security risk management. He joins us with insights on healthcare organizations managing their risk across internet-exposed assets and across extensive third-party relationships.
Starting point is 00:11:35 When you look at 12 or so industries that we do broad benchmarks of cyber risk management performance against, healthcare has the third highest rate of critical severity issues in their internet-facing systems. You only find higher rates or worse cybersecurity risk performance in the sectors of government slash public administration and education. And for context, finance, no surprise, leads everyone in the quality of their risk management program. So what do you suppose that they need to do? I mean, what sort of steps can they take looking forward to be in a better place with this?
Starting point is 00:12:23 I don't think there's any shortcuts for doing cybersecurity risk management well. It comes from the top down, the tone that the executive team sets within the organization and setting a high priority around the importance of cybersecurity risk management, privacy, and so forth.
Starting point is 00:12:39 And that gets instantiated in the funding and the resources that they bring to bear to solve that problem. And as an organization executes on that year over year, things get better over time. When you look at the ecosystem of health care, where you have pharmaceutical companies or hospitals, for example, engaging partners, sharing sensitive data with them, working with healthcare tech companies and so forth. That third-party risk management team inside the organization at these, you know, maybe call them these apex customers that can influence and drive entire supply chains to improve their cybersecurity, it's very important that they
Starting point is 00:13:26 properly exercise that strength to drive the supply chain into the right direction. And in this case, to improve cybersecurity. Finance has been at third-party risk management, on average, if you look at the industry, for about 12 years. It's about half that or less for healthcare companies. So as these companies raise the importance of cyber, good cybersecurity and cybersecurity hygiene to their supply chain of partners, then they in turn respond and, and the bar's raised. Yeah, that's, that's an interesting insight. You know, I think, and we see this trend as we do these studies across different industries in our risk surface reports,
Starting point is 00:14:13 that the larger organizations are much better at managing cybersecurity. Now, what can you take away from this? And it's, again, it's consistent across fields, across industries that we study, that as healthcare organizations are selecting partners, they should be paying attention to the size of that organization. Are they a brand new startup, healthcare startup company? Or have they been more established?
Starting point is 00:14:44 And that should serve as a very strong indicator that, you know, if it's a much smaller organization, there's going to be a lot more work for them to do in order to address risk that no doubt will be higher there than if they choose a more established partner. That's Kelly White from Risk Recon. ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And it's my pleasure to be joined once again by Robert M. Lee.
Starting point is 00:16:09 He is the CEO at Dragos. Rob, it's always great to have you back. You know, looking at all these reports about the fires out in the western part of the United States and how that has affected things like the delivery of electrical power and indeed some electrical service being disconnected because, or whatever, shut down temporarily because of the risk of starting fires, got me thinking about climate change and ICS security. And is there any sort of overlap there? And I thought I'd check in with you to see what insights you had to share. Sure. So it's a really good and kind of provocative question in the sense that I don't think we have
Starting point is 00:16:51 a lot of experience with it as a community, but it's a good kind of forward thinking, what's going to happen kind of question. And my take on it is the changing views of our global climate and the support of climate science that we just obviously have to make changes is changing the way that companies operate. And it's highly changing the energy portfolio and the diverse nature of that portfolio. As an example, we've seen way more natural gas in the United States than fossil fuels historically. I'm just moving forward from trying to change that portfolio.
Starting point is 00:17:28 But it also relates to the underpinnings of the technology itself, where we're starting to see more diversified energy resources and distributed energy resources. We're starting to see bigger discussions for storage and different ways to do storage around the electric system instead of maybe just one larger electric system and then the distribution of it. We're starting to see oil and gas companies explicitly come out and say we are going to start investing heavily in renewables. Okay, so we know all of that is taking place. Well, what's the impact? Well, you're moving away from these much larger,
Starting point is 00:18:01 almost castle and moat style, you know, protecting of the industrial control environments to much more highly, you know, diversified and smaller sites. And that complexity in some ways benefits the defenders at first of, yeah, we've got a much more complex system. It'd be harder for adversaries to figure out. But once adversaries figure it out, there's also a hyper scalability that then comes when we're deploying a lot of kind of cookie cutter styled industrial control environments.
Starting point is 00:18:29 You know, one wind turbine is fairly similar to another.
control networks and kind of the digital transformation that is taking place around them is pushing an access to them and a scalability to them that adversaries can take advantage of pretty quickly. And so the necessity for doing things like OT-specific cybersecurity then gets really mission critical, even more so than before. And as a result of climate change and the discussions around it, you're going to see a massively increased attack surface and you're going to see a massively increased capability by the adversary, if you will, to understand those systems.
Starting point is 00:19:19 And I guess I'll maybe make that a little bit more tangible. If I want to go out and buy a GE Cimplicity SCADA system for a high-power, high-energy site, it's going to cost me hundreds of thousands of dollars, potentially, to get everything set up and configured, done correctly. Then I've got to have the expertise to do it. Then I've got to develop the expertise to learn how to attack it. Then there's operations to support it.
Starting point is 00:19:40 There's so much that goes into it. If I've got decently available, smaller form factor, cheaper control systems deployed at a renewable site, and I've got a thousand of those sites around the world that I could potentially target and learn from before ever going after any of my intended targets, and they might all be connected up through VPNs or cloud resources or similar, we start getting into a different era for what the adversaries can do. we start getting into a different era for what the adversaries can do. Is there a factor here of the fact that change can lead to uncertainty?
Starting point is 00:20:18 I'm thinking, you know, you probably have decades of experience with institutional knowledge. I'm thinking particularly on the OT side of folks knowing how to run coal-fired power plants or natural gas, those sorts of things that have been around for decades. As we transition to emerging technologies, does not having that institutional knowledge around, is that a risk itself? Absolutely. One of the greatest defenses we have in industrial environments is system expertise. And so the adversaries have to gain it, and the defenders should already have it. We start changing out the components, start having an over-reliance on original equipment manufacturers and vendors more so than internal staff. You lose that expertise. And then whatever the adversaries gain in expertise is automatically more than you have,
Starting point is 00:21:04 which makes it harder to identify the attacks, harder to be resilient against them, harder to really just even think about the scenarios that you might want to defend against. So in no way trying to be doom and gloom, but the validation of your statement, the plant of the future, if you will, has a lot more automation,
Starting point is 00:21:24 a lot more cloud resources and analytics, a lot more connectivity, and a lot less people. And in some ways, that's the direction we've got to go. And in some ways, that's actually really, really good. There's going to be secondary and tertiary benefits of that that are really wonderful for companies and communities alike, creating higher-paying jobs for the actual maintenance required for those. But to your point, as you take that expertise out, you've got to compensate with something to reduce the risk as it relates to security.
Starting point is 00:21:50 So I usually talk about OT security to CEOs and boards explicitly on the discussion of compensating controls. That this thing isn't new because the threats are new. The reality is the threats have been around, but now they are getting more sophisticated and aggressive on this topic. But your changing landscape is especially new. It's not an IT/OT convergence discussion. It's kind of a digital transformation and cyber threat kind of convergence, if you will.
Starting point is 00:22:15 And that is driving a necessity to have those compensating controls. Hmm. All right. Well, Robert M. Lee, thanks for joining us. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Just follow your nose. It always knows. Listen for us on your Alexa smart speaker, too.
Starting point is 00:23:01 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain
Starting point is 00:24:12 insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
